From 51c4b73f7a417ff56e27f913cd3254f549ead99a Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon, 4 Oct 2021 18:52:22 +0100
Subject: [PATCH] IPsec: Replace MARK 50 by 0x00800000

This change is necessary because we are using the right-hand two bytes
for storing the QoS classes.

All IPsec traffic will now be skipped and never classified by the QoS.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
---
 config/qos/makeqosscripts.pl        | 10 +++++-----
 src/initscripts/system/firewall     |  7 +++++--
 src/patches/strongswan-ipfire.patch | 12 ++++++------
 3 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index b1bb637b35..fc8b8b84f1 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -61,6 +61,9 @@ my $QOS_INC_MASK = 0x0000ff00;
 my $QOS_INC_SHIFT = 8;
 my $QOS_OUT_MASK = 0x000000ff;
 my $QOS_OUT_SHIFT = 0;
+my $IPSEC_MASK = 0x00800000;
+my $QOS_INC_SKIP_MASK = $QOS_INC_MASK | $IPSEC_MASK;
+my $QOS_OUT_SKIP_MASK = $QOS_OUT_MASK | $IPSEC_MASK;
 
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 
@@ -220,10 +223,7 @@ print <<END
 	iptables -t mangle -A POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
 
 	# If the packet is already marked, then skip the processing
-	iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j RETURN
-
-	### Don't change mark on traffic for the ipsec tunnel
-	iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
+	iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_SKIP_MASK -j RETURN
 
 	### SET TOS
 END
@@ -393,7 +393,7 @@ print <<END
 	iptables -t mangle -A PREROUTING -i $qossettings{'RED_DEV'} -j QOS-INC
 
 	# If the packet is already marked, then skip the processing
-	iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j RETURN
+	iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_SKIP_MASK -j RETURN
 
 	### SET TOS
 END
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 7a7d52d577..ce428393df 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -14,6 +14,9 @@ fi
 
 NAT_MASK="0x0f000000"
 
+IPSEC_MARK="0x00800000"
+IPSEC_MASK="${IPSEC_MARK}"
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
@@ -376,8 +379,8 @@ iptables_red_up() {
 			iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
 		fi
 
-		# Outgoing masquerading (don't masqerade IPsec (mark 50))
-		iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
+		# Outgoing masquerading (don't masqerade IPsec)
+		iptables -t nat -A REDNAT -m mark --mark "${IPSEC_MARK}/${IPSEC_MASK}" -o "${IFACE}" -j RETURN
 
 		if [ "${IFACE}" = "${GREEN_DEV}" ]; then
 			iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch
index 7071983b8c..17c40b025c 100644
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -42,7 +42,7 @@
 +	iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
++	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000
  	#
  	# allow IPIP traffic because of the implicit SA created by the kernel if
  	# IPComp is used (for small inbound packets that are not compressed)
@@ -71,7 +71,7 @@
 +	iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
++	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000
  	#
  	# IPIP exception teardown
  	if [ -n "$PLUTO_IPCOMP" ]
@@ -97,7 +97,7 @@
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 -	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
++	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
 +	  iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
@@ -117,7 +117,7 @@
 +	  iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
++	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
  	fi
  	#
  	# allow IPIP traffic because of the implicit SA created by the kernel if
@@ -194,7 +194,7 @@
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 -	         $IPSEC_POLICY_OUT -j ACCEPT
 -	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
++	         $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
 +	  iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
@@ -217,7 +217,7 @@
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 -	         $IPSEC_POLICY_OUT -j ACCEPT
-+	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
++	         $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
  	fi
  	#
  	# IPIP exception teardown
-- 
2.39.5