From: Tobias Brunner
Date: Tue, 12 Feb 2019 11:10:06 +0000 (+0100)
Subject: vici: Make interface ID configurable
X-Git-Tag: 5.8.0rc1~41^2~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=18ed5a07db73624f5eadd93abfd6f02297899c23;p=thirdparty%2Fstrongswan.git

vici: Make interface ID configurable
---
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index f1ddde1b4e..5750d87411 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -528,6 +528,8 @@ static void log_child_data(child_data_t *data, char *name)
DBG2(DBG_CFG, " tfc = %d", cfg->tfc);
DBG2(DBG_CFG, " priority = %d", cfg->priority);
DBG2(DBG_CFG, " interface = %s", cfg->interface);
+ DBG2(DBG_CFG, " if_id_in = %u", cfg->if_id_in);
+ DBG2(DBG_CFG, " if_id_out = %u", cfg->if_id_out);
DBG2(DBG_CFG, " mark_in = %u/%u", cfg->mark_in.value,
cfg->mark_in.mask);
DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
@@ -1220,6 +1222,21 @@ CALLBACK(parse_set_mark, bool,
return mark_from_string(buf, MARK_OP_SAME, out);
}

+/**
+ * Parse interface ID
+ */
+CALLBACK(parse_if_id, bool,
+ uint32_t *out, chunk_t v)
+{
+ char buf[32];
+
+ if (!vici_stringify(v, buf, sizeof(buf)))
+ {
+ return FALSE;
+ }
+ return if_id_from_string(buf, out);
+}
+
/**
 * Parse TFC padding option
 */
@@ -1688,6 +1705,8 @@ CALLBACK(child_kv, bool,
{ "copy_df", parse_opt_copy_df, &child->cfg.options },
{ "copy_ecn", parse_opt_copy_ecn, &child->cfg.options },
{ "copy_dscp", parse_copy_dscp, &child->cfg.copy_dscp },
+ { "if_id_in", parse_if_id, &child->cfg.if_id_in },
+ { "if_id_out", parse_if_id, &child->cfg.if_id_out },
};

return parse_rules(rules, countof(rules), name, value,
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 7c71548d07..3f27fee55c 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
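Review bot: The new `parse_if_id` callback is documented only as "Parse interface ID", yet its input arrives over the vici control socket and the accepted syntax (a numeric ID or the `%unique` / `%unique-dir` keywords this commit documents in swanctl.opt) is implemented in `if_id_from_string`, which is not in this file, so the contract should be stated at the definition. Suggest replacing the header comment with `/** Parse an XFRM interface ID: a numeric value or %unique / %unique-dir; returns FALSE on an unparsable or overlong value */`. The `char buf[32]` bound is a bare magic number copied from the `parse_set_mark` pattern above it; a one-line note such as `/* large enough for any 32-bit value or the %unique-dir keyword */` would make the bound auditable, and it relies on `vici_stringify` rejecting rather than truncating a longer value, which is inferred from the surrounding parsers and not visible in this hunk. If `if_id_from_string` does not itself reject trailing garbage after a number, that is the place a malformed value from a vici client would slip through unnoticed, so worth confirming when the helper lands.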
@@ -916,6 +916,24 @@ connections..children..mark_out = 0/0x00000000
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.

+connections..children..if_id_in = 0
+ Inbound XFRM interface ID.
+
+ XFRM interface ID set on inbound policies/SA. This allows installing
+ duplicate policies/SAs and associates them with an interface with the same
+ ID. The special value _%unique_ sets a unique interface ID on each CHILD_SA
+ instance, beyond that the value _%unique-dir_ assigns a different unique
+ interface ID for each CHILD_SA direction (in/out).
+
+connections..children..if_id_out = 0
+ Outbound XFRM interface ID.
+
+ XFRM interface ID set on outbound policies/SA. This allows installing
+ duplicate policies/SAs and associates them with an interface with the same
+ ID. The special value _%unique_ sets a unique interface ID on each CHILD_SA
+ instance, beyond that the value _%unique-dir_ assigns a different unique
+ interface ID for each CHILD_SA direction (in/out).
+
connections..children..set_mark_in = 0/0x00000000
Netfilter mark applied to packets after the inbound IPsec SA processed
them.