IPsec SAs and policies. If the mask is missing then a default
mask of
.B 0xffffffff
-is assumed.
+is assumed. The special value
+.B %unique
+assigns a unique value to each newly created IPsec SA.
.TP
.BR mark_in " = <value>[/<mask>]"
sets an XFRM mark in the inbound IPsec SA and
{
return FALSE;
}
- mark->value = strtoul(value, &endptr, 0);
+ if (strcasepfx(value, "%unique"))
+ {
+ mark->value = MARK_UNIQUE;
+ endptr = (char*)value + strlen("%unique");
+ }
+ else
+ {
+ mark->value = strtoul(value, &endptr, 0);
+ }
if (*endptr)
{
if (*endptr != '/')
connections.<conn>.children.<child>.mark_in = 0/0x00000000
Netfilter mark and mask for input traffic.
- Netfilter mark and mask for input traffic. On Linux Netfilter may apply
- marks to each packet coming from a tunnel having that option set. The
- mark may then be used by Netfilter to match rules.
+ Netfilter mark and mask for input traffic. On Linux Netfilter may require
+ marks on each packet to match an SA having that option set. This allows
+ Netfilter rules to select specific tunnels for incoming traffic. The
+ special value _%unique_ sets a unique mark on each CHILD_SA instance.
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
Netfilter mark and mask for output traffic. On Linux Netfilter may require
marks on each packet to match a policy having that option set. This allows
- Netfilter rules to select specific tunnels for outgoing traffic.
+ Netfilter rules to select specific tunnels for outgoing traffic. The
+ special value _%unique_ sets a unique mark on each CHILD_SA instance.
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.