socket-default: Allow setting firewall mark on outbound packets
authorTobias Brunner <tobias@strongswan.org>
Tue, 13 Aug 2013 14:58:33 +0000 (16:58 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 11 Oct 2013 13:32:44 +0000 (15:32 +0200)
man/strongswan.conf.5.in
src/libcharon/plugins/socket_default/socket_default_socket.c

index 2af6e73..783f16c 100644 (file)
@@ -661,6 +661,9 @@ is appended to this prefix to make it unique.  The result has to be a valid
 interface name according to the rules defined by resolvconf.  Also, it should
 have a high priority according to the order defined in interface-order(5).
 .TP
+.BR charon.plugins.socket-default.fwmark
+Firewall mark to set on outbound packets.
+.TP
 .BR charon.plugins.socket-default.set_source " [yes]"
 Set source address on outbound packets, if possible.
 .TP
index 3aa09be..ea976df 100644 (file)
@@ -611,6 +611,24 @@ static int open_socket(private_socket_default_socket_t *this,
                        return -1;
                }
        }
+#ifdef SO_MARK
+       {       /* set optional MARK on socket (requires CAP_NET_ADMIN) */
+               char *fwmark;
+               mark_t mark;
+
+               fwmark = lib->settings->get_str(lib->settings,
+                                               "%s.plugins.socket-default.fwmark", NULL, charon->name);
+               if (fwmark && mark_from_string(fwmark, &mark))
+               {
+                       if (setsockopt(skt, SOL_SOCKET, SO_MARK, &mark.value,
+                                                  sizeof(mark.value)) < 0)
+                       {
+                               DBG1(DBG_NET, "unable to set SO_MARK on socket: %s",
+                                        strerror(errno));
+                       }
+               }
+       }
+#endif
 
        if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
                                                                                                skt, family))
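Review bot: A malformed fwmark value is dropped without any diagnostic, because the `if (fwmark && mark_from_string(fwmark, &mark))` test at the top of the new block treats a parse failure exactly like the option being unset. An operator configures this mark to steer IKE traffic through policy routing, so a socket that silently stays unmarked can send packets over a route they did not intend; a failed parse deserves the same DBG1 the setsockopt() failure already gets, e.g. `else if (fwmark) { DBG1(DBG_NET, "ignoring invalid fwmark '%s'", fwmark); }` appended to the existing if-block. Whether a failed SO_MARK (most likely a missing CAP_NET_ADMIN) should abort open_socket() rather than continue with an unmarked socket is a policy choice the hunk leaves implicit; the block comment could state it, e.g. `/* best effort: the socket stays unmarked if the option cannot be applied */`. open_socket() begins and ends outside this hunk.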