From: Martin Willi <martin@strongswan.org>
Date: Mon, 14 May 2018 10:55:27 +0000 (+0200)
Subject: vici: Document kernel requirements for set_mark_in/set_mark_out options
X-Git-Tag: 5.7.0rc1~28^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9aacf9adc96b11c6cd140e4e43a781a5c7a6304;p=thirdparty%2Fstrongswan.git

vici: Document kernel requirements for set_mark_in/set_mark_out options
---

diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 8cdd66c3fa..79655ed357 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -921,6 +921,8 @@ connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
 	An additional mask may be appended to the mark, separated by _/_. The
 	default mask if omitted is 0xffffffff.
 
+	Setting marks in XFRM input requires Linux 4.19 or higher.
+
 connections.<conn>.children.<child>.set_mark_out = 0/0x00000000
 	Netfilter mark applied to packets after the outbound IPsec SA processed
 	them.
@@ -932,6 +934,9 @@ connections.<conn>.children.<child>.set_mark_out = 0/0x00000000
 	An additional mask may be appended to the mark, separated by _/_. The
 	default mask if omitted is 0xffffffff.
 
+	Setting marks in XFRM output is supported since Linux 4.14. Setting a mask
+	requires at least Linux 4.19.
+
 connections.<conn>.children.<child>.tfc_padding = 0
 	Traffic Flow Confidentiality padding.