{
child_cfg_create_t *cfg = &data->cfg;
+#define has_opt(opt) ({ (cfg->options & (opt)) == (opt); })
DBG2(DBG_CFG, " child %s:", name);
DBG2(DBG_CFG, " rekey_time = %llu", cfg->lifetime.time.rekey);
DBG2(DBG_CFG, " life_time = %llu", cfg->lifetime.time.life);
DBG2(DBG_CFG, " life_packets = %llu", cfg->lifetime.packets.life);
DBG2(DBG_CFG, " rand_packets = %llu", cfg->lifetime.packets.jitter);
DBG2(DBG_CFG, " updown = %s", cfg->updown);
- DBG2(DBG_CFG, " hostaccess = %u", cfg->options & OPT_HOSTACCESS);
- DBG2(DBG_CFG, " ipcomp = %u", cfg->options & OPT_IPCOMP);
+ DBG2(DBG_CFG, " hostaccess = %u", has_opt(OPT_HOSTACCESS));
+ DBG2(DBG_CFG, " ipcomp = %u", has_opt(OPT_IPCOMP));
DBG2(DBG_CFG, " mode = %N%s", ipsec_mode_names, cfg->mode,
- cfg->options & OPT_PROXY_MODE ? "_PROXY" : "");
+ has_opt(OPT_PROXY_MODE) ? "_PROXY" : "");
DBG2(DBG_CFG, " policies = %u", data->policies);
- DBG2(DBG_CFG, " policies_fwd_out = %u", cfg->options & OPT_FWD_OUT_POLICIES);
+ DBG2(DBG_CFG, " policies_fwd_out = %u", has_opt(OPT_FWD_OUT_POLICIES));
if (data->replay_window != REPLAY_UNDEFINED)
{
DBG2(DBG_CFG, " replay_window = %u", data->replay_window);
DBG2(DBG_CFG, " interface = %s", cfg->interface);
DBG2(DBG_CFG, " mark_in = %u/%u",
cfg->mark_in.value, cfg->mark_in.mask);
+ DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
DBG2(DBG_CFG, " mark_out = %u/%u",
cfg->mark_out.value, cfg->mark_out.mask);
DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity);
DBG2(DBG_CFG, " proposals = %#P", data->proposals);
DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
- DBG2(DBG_CFG, " hw_offload = %u", cfg->options & OPT_HW_OFFLOAD);
- DBG2(DBG_CFG, " sha256_96 = %u", cfg->options & OPT_SHA256_96);
+ DBG2(DBG_CFG, " hw_offload = %u", has_opt(OPT_HW_OFFLOAD));
+ DBG2(DBG_CFG, " sha256_96 = %u", has_opt(OPT_SHA256_96));
}
/**
}
/**
- * Parse OPT_FWD_OUT_POLICIES option
+ * Parse OPT_IPCOMP option
*/
CALLBACK(parse_opt_ipcomp, bool,
child_cfg_option_t *out, chunk_t v)
return parse_option(out, OPT_SHA256_96, v);
}
+/**
+ * Parse OPT_MARK_IN_SA option
+ */
+CALLBACK(parse_opt_mark_in, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_MARK_IN_SA, v);
+}
+
/**
* Parse an action_t
*/
{ "inactivity", parse_time, &child->cfg.inactivity },
{ "reqid", parse_uint32, &child->cfg.reqid },
{ "mark_in", parse_mark, &child->cfg.mark_in },
+ { "mark_in_sa", parse_opt_mark_in, &child->cfg.options },
{ "mark_out", parse_mark, &child->cfg.mark_out },
{ "tfc_padding", parse_tfc, &child->cfg.tfc },
{ "priority", parse_uint32, &child->cfg.priority },
connections.<conn>.children.<child>.mark_in = 0/0x00000000
Netfilter mark and mask for input traffic.
- Netfilter mark and mask for input traffic. On Linux Netfilter may require
- marks on each packet to match an SA having that option set. This allows
- Netfilter rules to select specific tunnels for incoming traffic. The
- special value _%unique_ sets a unique mark on each CHILD_SA instance,
- beyond that the value _%unique-dir_ assigns a different unique mark for each
+ Netfilter mark and mask for input traffic. On Linux, Netfilter may require
+ marks on each packet to match an SA/policy having that option set. This
+ allows installing duplicate policies and enables Netfilter rules to select
+ specific SAs/policies for incoming traffic. Note that inbound marks are
+ only set on policies, by default, unless *mark_in_sa* is enabled. The
+ special value _%unique_ sets a unique mark on each CHILD_SA instance, beyond
+ that the value _%unique-dir_ assigns a different unique mark for each
CHILD_SA direction (in/out).
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
+connections.<conn>.children.<child>.mark_in_sa = no
+ Whether to set *mark_in* on the inbound SA.
+
+ Whether to set *mark_in* on the inbound SA. By default, the inbound mark is
+ only set on the inbound policy. The tuple destination address, protocol and
+ SPI is unique and the mark is not required to find the correct SA, allowing
+ to mark traffic after decryption instead (where more specific selectors may
+ be used) to match different policies. Marking packets before decryption is
+ still possible, even if no mark is set on the SA.
+
connections.<conn>.children.<child>.mark_out = 0/0x00000000
Netfilter mark and mask for output traffic.
- Netfilter mark and mask for output traffic. On Linux Netfilter may require
- marks on each packet to match a policy having that option set. This allows
- Netfilter rules to select specific tunnels for outgoing traffic. The
- special value _%unique_ sets a unique mark on each CHILD_SA instance,
- beyond that the value _%unique-dir_ assigns a different unique mark for each
- CHILD_SA direction (in/out).
+ Netfilter mark and mask for output traffic. On Linux, Netfilter may require
+ marks on each packet to match a policy/SA having that option set. This
+ allows installing duplicate policies and enables Netfilter rules to select
+ specific policies/SAs for outgoing traffic. The special value _%unique_ sets
+ a unique mark on each CHILD_SA instance, beyond that the value _%unique-dir_
+ assigns a different unique mark for each CHILD_SA direction (in/out).
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
projects / thirdparty / strongswan.git / commitdiff
