vici: Make in-/outbound marks the SA should set configurable
authorTobias Brunner <tobias@strongswan.org>
Fri, 20 Apr 2018 12:12:48 +0000 (14:12 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 31 Aug 2018 10:26:40 +0000 (12:26 +0200)
src/libcharon/plugins/vici/vici_config.c
src/swanctl/swanctl.opt

index 7a66af1..05fa8c5 100644 (file)
@@ -528,6 +528,10 @@ static void log_child_data(child_data_t *data, char *name)
        DBG2(DBG_CFG, "   mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
        DBG2(DBG_CFG, "   mark_out = %u/%u",
                 cfg->mark_out.value, cfg->mark_out.mask);
+       DBG2(DBG_CFG, "   set_mark_in = %u/%u",
+                cfg->set_mark_in.value, cfg->set_mark_in.mask);
+       DBG2(DBG_CFG, "   set_mark_out = %u/%u",
+                cfg->set_mark_out.value, cfg->set_mark_out.mask);
        DBG2(DBG_CFG, "   inactivity = %llu", cfg->inactivity);
        DBG2(DBG_CFG, "   proposals = %#P", data->proposals);
        DBG2(DBG_CFG, "   local_ts = %#R", data->local_ts);
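Review bot: The two added DBG2 lines print the set marks with `%u/%u`, i.e. in decimal, while the swanctl.opt hunk in this same commit documents the value and the default mask in hex (`0/0x00000000`, `0xffffffff`), so the log output does not match what operators write in the config or what `ip rule`/netfilter tooling shows them. This mirrors the existing mark_in/mark_out lines directly above, so it is a pre-existing convention rather than a defect introduced here; if it is worth changing, switching all four mark lines together to `%#x/%#x`, e.g. `DBG2(DBG_CFG, "   set_mark_in = %#x/%#x", cfg->set_mark_in.value, cfg->set_mark_in.mask);`, keeps them consistent. log_child_data continues outside the hunk.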
@@ -1639,6 +1643,8 @@ CALLBACK(child_kv, bool,
                { "mark_in",                    parse_mark,                     &child->cfg.mark_in                                     },
                { "mark_in_sa",                 parse_opt_mark_in,      &child->cfg.options                                     },
                { "mark_out",                   parse_mark,                     &child->cfg.mark_out                            },
+               { "set_mark_in",                parse_mark,                     &child->cfg.set_mark_in                         },
+               { "set_mark_out",               parse_mark,                     &child->cfg.set_mark_out                        },
                { "tfc_padding",                parse_tfc,                      &child->cfg.tfc                                         },
                { "priority",                   parse_uint32,           &child->cfg.priority                            },
                { "interface",                  parse_string,           &child->cfg.interface                           },
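Review bot: The two new table entries route set_mark_in/set_mark_out through the same `parse_mark` callback as mark_in/mark_out with no restriction on the accepted values, although a mark the SA sets on packets has different constraints than a mark it matches. If parse_mark accepts the `%unique`/`%unique-dir` keywords that the existing mark options use (not visible in this hunk), a config such as `set_mark_out = %unique` would store the unique-mark sentinel as a literal mark and hand it to the kernel as the value to set unless something outside this file rejects it, and policy-routing or firewall rules keyed on the expected mark would then silently never match. A dedicated `parse_set_mark` that only accepts numeric `value[/mask]`, or a post-parse check in the child validation that fails the load with a DBG1 message when either set mark equals a unique-mark sentinel, would surface that misconfiguration at load time instead. It would also help to note here or in swanctl.opt that applying the mark needs kernel support and is presumably ignored by older kernels (confirm against the kernel-netlink plugin), since a deployment that filters decrypted traffic by this mark must not assume it is always applied. The child_kv option table continues outside the hunk.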
index 3f67b93..8cdd66c 100644 (file)
@@ -910,6 +910,28 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000
        An additional mask may be appended to the mark, separated by _/_. The
        default mask if omitted is 0xffffffff.
 
+connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
+       Netfilter mark applied to packets after the inbound IPsec SA processed them.
+
+       Netfilter mark applied to packets after the inbound IPsec SA processed them.
+       This way it's not necessary to mark packets via Netfilter before decryption
+       or right afterwards to match policies or process them differently (e.g. via
+       policy routing).
+
+       An additional mask may be appended to the mark, separated by _/_. The
+       default mask if omitted is 0xffffffff.
+
+connections.<conn>.children.<child>.set_mark_out = 0/0x00000000
+       Netfilter mark applied to packets after the outbound IPsec SA processed
+       them.
+
+       Netfilter mark applied to packets after the outbound IPsec SA processed
+       them. This allows processing ESP packets differently than the original
+       traffic (e.g. via policy routing).
+
+       An additional mask may be appended to the mark, separated by _/_. The
+       default mask if omitted is 0xffffffff.
+
 connections.<conn>.children.<child>.tfc_padding = 0
        Traffic Flow Confidentiality padding.