From: Tobias Brunner
Date: Mon, 29 Aug 2016 14:39:18 +0000 (+0200)
Subject: kernel-netlink: Pass zero mark to kernel if mask is set
X-Git-Tag: 5.5.1rc1~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=33d3ffde25d5354ec36c26b764ab36179ef0fb34;p=thirdparty%2Fstrongswan.git
kernel-netlink: Pass zero mark to kernel if mask is set
The kernel will apply the mask to the mark on the packet and then compare it to the configured mark. So to match only unmarked packets we have to be able to set 0/0xffffffff.
---
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 6b06c269b3..f3846ec075 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1245,7 +1245,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 */
 static void format_mark(char *buf, int buflen, mark_t mark)
 {
- if (mark.value)
+ if (mark.value | mark.mask)
 {
 snprintf(buf, buflen, " (mark %u/0x%08x)", mark.value, mark.mask);
 }
@@ -1256,7 +1256,7 @@ static void format_mark(char *buf, int buflen, mark_t mark)
 */
 static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
 {
- if (mark.value)
+ if (mark.value | mark.mask)
 {
 struct xfrm_mark *xmrk;
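Review bot: The new condition in format_mark, `if (mark.value | mark.mask)`, uses a bitwise OR where a truth test is meant; `if (mark.value || mark.mask)` gives the same result and reads as the intended "either field is set" check. The same expression is used in the add_mark hunk that follows. A one-line comment on the condition would record why the mask is tested at all, for example `/* value 0 with a non-zero mask (0/0xffffffff) is a real mark: it matches only unmarked packets */`. The end of format_mark lies outside the hunk.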
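Review bot: Any other check in this file that still tests only `mark.value` would now disagree with add_mark, which attaches the `struct xfrm_mark` attribute for a 0/mask mark as well; no such call sites are visible in this diff, so this needs confirming against the full file. If a delete, query or update path skipped the mark for 0/0xffffffff, it would presumably address the entry without the mark and either miss the one installed here or act on an unmarked one. Since the purpose of the change is to restrict matching to unmarked packets, a mismatch of that kind would silently widen or misdirect the match, so routing every "is a mark configured" decision through one helper would keep the paths in step. The body of add_mark continues past the end of the hunk.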