vici: Make interface ID configurable

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index f1ddde1b4e45de0e7b14947a35894abe380a805b..5750d8741113fbb8e1f6f619daa371d1ec282588 100644 (file)
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -528,6 +528,8 @@ static void log_child_data(child_data_t *data, char *name)
        DBG2(DBG_CFG, "   tfc = %d", cfg->tfc);
        DBG2(DBG_CFG, "   priority = %d", cfg->priority);
        DBG2(DBG_CFG, "   interface = %s", cfg->interface);
+       DBG2(DBG_CFG, "   if_id_in = %u", cfg->if_id_in);
+       DBG2(DBG_CFG, "   if_id_out = %u", cfg->if_id_out);
        DBG2(DBG_CFG, "   mark_in = %u/%u",
                 cfg->mark_in.value, cfg->mark_in.mask);
        DBG2(DBG_CFG, "   mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
@@ -1220,6 +1222,21 @@ CALLBACK(parse_set_mark, bool,
        return mark_from_string(buf, MARK_OP_SAME, out);
 }
 
+/**
+ * Parse interface ID
+ */
+CALLBACK(parse_if_id, bool,
+       uint32_t *out, chunk_t v)
+{
+       char buf[32];
+
+       if (!vici_stringify(v, buf, sizeof(buf)))
+       {
+               return FALSE;
+       }
+       return if_id_from_string(buf, out);
+}
+
 /**
  * Parse TFC padding option
  */
@@ -1688,6 +1705,8 @@ CALLBACK(child_kv, bool,
                { "copy_df",                    parse_opt_copy_df,      &child->cfg.options                                     },
                { "copy_ecn",                   parse_opt_copy_ecn,     &child->cfg.options                                     },
                { "copy_dscp",                  parse_copy_dscp,        &child->cfg.copy_dscp                           },
+               { "if_id_in",                   parse_if_id,            &child->cfg.if_id_in                            },
+               { "if_id_out",                  parse_if_id,            &child->cfg.if_id_out                           },
        };
 
        return parse_rules(rules, countof(rules), name, value,

diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 7c71548d07d601bf3151c382d16b507970fe6efc..3f27fee55cd16e66283a422e76c7f90391089080 100644 (file)
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -916,6 +916,24 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000
        An additional mask may be appended to the mark, separated by _/_. The
        default mask if omitted is 0xffffffff.
 
+connections.<conn>.children.<child>.if_id_in = 0
+       Inbound XFRM interface ID.
+
+       XFRM interface ID set on inbound policies/SA. This allows installing
+       duplicate policies/SAs and associates them with an interface with the same
+       ID. The special value _%unique_ sets a unique interface ID on each CHILD_SA
+       instance, beyond that the value _%unique-dir_ assigns a different unique
+       interface ID for each CHILD_SA direction (in/out).
+
+connections.<conn>.children.<child>.if_id_out = 0
+       Outbound XFRM interface ID.
+
+       XFRM interface ID set on outbound policies/SA. This allows installing
+       duplicate policies/SAs and associates them with an interface with the same
+       ID. The special value _%unique_ sets a unique interface ID on each CHILD_SA
+       instance, beyond that the value _%unique-dir_ assigns a different unique
+       interface ID for each CHILD_SA direction (in/out).
+
 connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
        Netfilter mark applied to packets after the inbound IPsec SA processed them.