From: Tobias Brunner
Date: Fri, 11 Oct 2013 13:33:06 +0000 (+0200)
Subject: Merge branch 'fwmarks'
X-Git-Tag: 5.1.1rc1~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1ff63f153e5b551ee7ba0670ea4cc8b151432bc5;p=thirdparty%2Fstrongswan.git

Merge branch 'fwmarks'

Allows setting a mark on outbound packets and the routing rule
installed by charon.

With those settings it is possible to set up tunnels with kernel-libipsec
where the remote peer is part of the remote traffic selector.

The following example settings in strongswan.conf show how this can be
configured:

  charon {
    plugins {
      kernel-netlink {
        fwmark = !0x42
      }
      socket-default {
        fwmark = 0x42
      }
      kernel-libipsec {
        allow_peer_ts = yes
      }
    }
  }

To make it work it is necessary to set net.ipv4.conf.all.rp_filter
appropriately, otherwise the kernel drops the packets.

References #380.
---
1ff63f153e5b551ee7ba0670ea4cc8b151432bc5