kernel-netlink: Add support for setting mark/mask an SA should apply to processed...

author Tobias Brunner <tobias@strongswan.org>

Fri, 20 Apr 2018 12:01:12 +0000 (14:01 +0200)

committer Tobias Brunner <tobias@strongswan.org>

Fri, 31 Aug 2018 10:24:30 +0000 (12:24 +0200)
author Tobias Brunner <tobias@strongswan.org>
Fri, 20 Apr 2018 12:01:12 +0000 (14:01 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Fri, 31 Aug 2018 10:24:30 +0000 (12:24 +0200)
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h

index dbaa4f1287b55ad59b2129361792bb718863c8f4..35261c9a5b1470f0fdd47332dc4d5ad390c01ac6 100644 (file)
--- a/src/include/linux/xfrm.h
+++ b/src/include/linux/xfrm.h
@@ -302,8 +302,11 @@ enum xfrm_attr_type_t {
         XFRMA_ADDRESS_FILTER,   /* struct xfrm_address_filter */
         XFRMA_PAD,
         XFRMA_OFFLOAD_DEV,      /* struct xfrm_state_offload */
+       XFRMA_SET_MARK,         /* __u32 */
+       XFRMA_SET_MARK_MASK,    /* __u32 */
         __XFRMA_MAX
  
+#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK       /* Compatibility */
  #define XFRMA_MAX (__XFRMA_MAX - 1)
  };
  
diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h

index 195c80cff47d656ac702ed7f72d86825f5f7ea23..4158eb45e81ce630b93036f1929ea4972a278e69 100644 (file)
--- a/src/libcharon/kernel/kernel_ipsec.h
+++ b/src/libcharon/kernel/kernel_ipsec.h
@@ -1,6 +1,6 @@
  /*
   * Copyright (C) 2016 Andreas Steffen
- * Copyright (C) 2006-2016 Tobias Brunner
+ * Copyright (C) 2006-2018 Tobias Brunner
   * Copyright (C) 2006 Daniel Roethlisberger
   * Copyright (C) 2005-2006 Martin Willi
   * Copyright (C) 2005 Jan Hutter
@@ -93,6 +93,8 @@ struct kernel_ipsec_add_sa_t {
         bool encap;
         /** no (disabled), yes (enabled), auto (enabled if supported) */
         hw_offload_t hw_offload;
+       /** Mark the SA should apply to packets after processing */
+       mark_t mark;
         /** TRUE to use Extended Sequence Numbers */
         bool esn;
         /** TRUE to copy the DF bit to the outer IPv4 header in tunnel mode */
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 33e982d22fdbf4fb611fdcc6b523942725566679..1292e0895f6dbd8714538b9a16118e188bc41cf3 100644 (file)
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1335,6 +1335,23 @@ static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
         return TRUE;
  }
  
+/**
+ * Add a uint32 attribute to message
+ */
+static bool add_uint32(struct nlmsghdr *hdr, int buflen,
+                                          enum xfrm_attr_type_t type, uint32_t value)
+{
+       uint32_t *xvalue;
+
+       xvalue = netlink_reserve(hdr, buflen, type, sizeof(*xvalue));
+       if (!xvalue)
+       {
+               return FALSE;
+       }
+       *xvalue = value;
+       return TRUE;
+}
+
  /**
   * Check if kernel supports HW offload
   */
@@ -1616,16 +1633,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                         case DSCP_COPY_IN_ONLY:
                         case DSCP_COPY_NO:
                         {
-                               uint32_t *xflags;
-
-                               xflags = netlink_reserve(hdr, sizeof(request),
-                                                                                XFRMA_SA_EXTRA_FLAGS, sizeof(*xflags));
-                               if (!xflags)
+                               /* currently the only extra flag */
+                               if (!add_uint32(hdr, sizeof(request), XFRMA_SA_EXTRA_FLAGS,
+                                                               XFRM_SA_XFLAG_DONT_ENCAP_DSCP))
                                 {
                                         goto failed;
                                 }
-                               /* currently the only extra flag */
-                               *xflags |= XFRM_SA_XFLAG_DONT_ENCAP_DSCP;
                                 break;
                         }
                         default:
@@ -1876,17 +1889,23 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                 goto failed;
         }
  
+       if (ipcomp == IPCOMP_NONE && (data->mark.value | data->mark.mask))
+       {
+               if (!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK,
+                                               data->mark.value) ||
+                       !add_uint32(hdr, sizeof(request), XFRMA_SET_MARK_MASK,
+                                               data->mark.mask))
+               {
+                       goto failed;
+               }
+       }
+
         if (data->tfc && id->proto == IPPROTO_ESP && mode == MODE_TUNNEL)
         {       /* the kernel supports TFC padding only for tunnel mode ESP SAs */
-               uint32_t *tfcpad;
-
-               tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD,
-                                                                sizeof(*tfcpad));
-               if (!tfcpad)
+               if (!add_uint32(hdr, sizeof(request), XFRMA_TFCPAD, data->tfc))
                 {
                         goto failed;
                 }
-               *tfcpad = data->tfc;
         }
  
         if (id->proto != IPPROTO_COMP)
author	Tobias Brunner <tobias@strongswan.org>
	Fri, 20 Apr 2018 12:01:12 +0000 (14:01 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Fri, 31 Aug 2018 10:24:30 +0000 (12:24 +0200)
src/include/linux/xfrm.h		patch \| blob \| blame \| history
src/libcharon/kernel/kernel_ipsec.h		patch \| blob \| blame \| history
src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c		patch \| blob \| blame \| history