vici: Make in-/outbound marks the SA should set configurable

Tobias Brunner 2018-04-20 14:12:48 +02:00
parent f59450fde6
commit 60f7896923
2 changed files with 28 additions and 0 deletions


@ -528,6 +528,10 @@ static void log_child_data(child_data_t *data, char *name)
DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
DBG2(DBG_CFG, " mark_out = %u/%u",
cfg->mark_out.value, cfg->mark_out.mask);
DBG2(DBG_CFG, " set_mark_in = %u/%u",
cfg->set_mark_in.value, cfg->set_mark_in.mask);
DBG2(DBG_CFG, " set_mark_out = %u/%u",
cfg->set_mark_out.value, cfg->set_mark_out.mask);
DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity);
DBG2(DBG_CFG, " proposals = %#P", data->proposals);
DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
@ -1639,6 +1643,8 @@ CALLBACK(child_kv, bool,
{ "mark_in", parse_mark, &child->cfg.mark_in },
{ "mark_in_sa", parse_opt_mark_in, &child->cfg.options },
{ "mark_out", parse_mark, &child->cfg.mark_out },
{ "set_mark_in", parse_mark, &child->cfg.set_mark_in },
{ "set_mark_out", parse_mark, &child->cfg.set_mark_out },
{ "tfc_padding", parse_tfc, &child->cfg.tfc },
{ "priority", parse_uint32, &child->cfg.priority },
{ "interface", parse_string, &child->cfg.interface },
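Review bot: The two new child_kv entries `set_mark_in`/`set_mark_out` sit directly under `mark_in`/`mark_out` and reuse `parse_mark`, but nothing in the table tells a reader that the new keys write a mark onto the processed packet while the existing ones are match criteria; a one-line comment above them would keep the two families from being confused, e.g. `/* set_mark_*: mark written to packets by the SA, not a match criterion like mark_* */`. Because the same parser is shared, the default-mask rule documented in this commit's swanctl.conf text (0xffffffff when no mask is given) presumably applies here too, so a configured `set_mark_in = 0` would yield 0/0xffffffff, a request to clear the mark, rather than the documented 0/0x00000000 do-nothing default; it is worth confirming how the kernel backend treats a zero value and stating it in the swanctl.conf entry. The log lines in the first hunk print value and mask with `%u`, consistent with the existing `mark_out` line, though marks are conventionally read in hex. child_kv and log_child_data both start outside these hunks.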


@ -910,6 +910,28 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
Netfilter mark applied to packets after the inbound IPsec SA processed them.
Netfilter mark applied to packets after the inbound IPsec SA processed them.
This way it's not necessary to mark packets via Netfilter before decryption
or right afterwards to match policies or process them differently (e.g. via
policy routing).
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
connections.<conn>.children.<child>.set_mark_out = 0/0x00000000
Netfilter mark applied to packets after the outbound IPsec SA processed
them.
Netfilter mark applied to packets after the outbound IPsec SA processed
them. This allows processing ESP packets differently than the original
traffic (e.g. via policy routing).
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
connections.<conn>.children.<child>.tfc_padding = 0
Traffic Flow Confidentiality padding.