vici: Add missing dscp setting for IKE_SAs
authorTobias Brunner <tobias@strongswan.org>
Fri, 11 Nov 2016 09:40:53 +0000 (10:40 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 16 Feb 2017 18:23:31 +0000 (19:23 +0100)
Fixes #2170.

src/libcharon/plugins/vici/vici_config.c
src/swanctl/swanctl.opt

index 2110fd31d0cd1ca60673dcbe550a69276a03cb34..ff706be464eadc4db13b4cf8569dd345400b669a 100644 (file)
@@ -295,6 +295,7 @@ typedef struct {
        uint64_t rekey_time;
        uint64_t over_time;
        uint64_t rand_time;
+       uint8_t dscp;
 } peer_data_t;
 
 /**
@@ -370,6 +371,7 @@ static void log_peer_data(peer_data_t *data)
        DBG2(DBG_CFG, "  send_cert = %N", cert_policy_names, data->send_cert);
        DBG2(DBG_CFG, "  mobike = %u", data->mobike);
        DBG2(DBG_CFG, "  aggressive = %u", data->aggressive);
+       DBG2(DBG_CFG, "  dscp = 0x%.2x", data->dscp);
        DBG2(DBG_CFG, "  encap = %u", data->encap);
        DBG2(DBG_CFG, "  dpd_delay = %llu", data->dpd_delay);
        DBG2(DBG_CFG, "  dpd_timeout = %llu", data->dpd_timeout);
@@ -814,10 +816,9 @@ CALLBACK(parse_action, bool,
 }
 
 /**
- * Parse a uint32_t
+ * Parse a uint32_t with the given base
  */
-CALLBACK(parse_uint32, bool,
-       uint32_t *out, chunk_t v)
+static bool parse_uint32_base(uint32_t *out, chunk_t v, int base)
 {
        char buf[16], *end;
        u_long l;
@@ -826,7 +827,7 @@ CALLBACK(parse_uint32, bool,
        {
                return FALSE;
        }
-       l = strtoul(buf, &end, 0);
+       l = strtoul(buf, &end, base);
        if (*end == 0)
        {
                *out = l;
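Review bot: The result of `strtoul` is accepted on `*end == 0` alone and then stored with `*out = l`, so an empty string parses as 0, and where `u_long` is wider than 32 bits an out-of-range value is silently truncated. This helper now also backs `parse_uint32_bin` and, through it, the new `dscp` option, so tightening the check to `if (end != buf && *end == 0 && l <= UINT32_MAX)` would reject both cases. The function starts in the previous hunk and the lines that fill `buf` are not visible, so the empty-input case may already be rejected there.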
@@ -835,6 +836,24 @@ CALLBACK(parse_uint32, bool,
        return FALSE;
 }
 
+/**
+ * Parse a uint32_t
+ */
+CALLBACK(parse_uint32, bool,
+       uint32_t *out, chunk_t v)
+{
+       return parse_uint32_base(out, v, 0);
+}
+
+/**
+ * Parse a uint32_t in binary encoding
+ */
+CALLBACK(parse_uint32_bin, bool,
+       uint32_t *out, chunk_t v)
+{
+       return parse_uint32_base(out, v, 2);
+}
+
 /**
  * Parse a uint64_t
  */
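Review bot: The doc comment on `parse_uint32_bin`, "in binary encoding", can be read as raw binary bytes rather than a text string of base-2 digits, which is what `strtoul(buf, &end, 2)` actually parses. Something like `Parse a uint32_t from a string of binary (base 2) digits` would make the expected input unambiguous for the next caller.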
@@ -983,6 +1002,20 @@ CALLBACK(parse_tfc, bool,
        return parse_uint32(out, v);
 }
 
+/**
+ * Parse 6-bit DSCP value
+ */
+CALLBACK(parse_dscp, bool,
+       uint8_t *out, chunk_t v)
+{
+       if (parse_uint32_bin(out, v))
+       {
+               *out = *out & 0x3f;
+               return TRUE;
+       }
+       return FALSE;
+}
+
 /**
  * Parse authentication config
  */
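Review bot: `parse_dscp` passes its `uint8_t *out` to `parse_uint32_bin`, and `parse_uint32_base` stores the result with `*out = l` through a `uint32_t *`, so four bytes are written to the one-byte `peer->dscp` field. The extra bytes likely fall into the trailing padding of `peer_data_t`, but it is still an out-of-bounds store, and on a big-endian host the low byte lands outside `dscp`, leaving it 0. Parsing into a local avoids both and lets oversized input be rejected instead of masked: `uint32_t val;`, `if (parse_uint32_bin(&val, v) && val <= 0x3f)`, `*out = val;`. As written, a value such as `1000000` is accepted and silently becomes 0, which does not match the six-digit format documented in swanctl.opt. How the pointer mismatch compiles depends on the `CALLBACK` macro, which is not shown here.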
@@ -1417,6 +1450,7 @@ CALLBACK(peer_kv, bool,
                { "version",            parse_uint32,           &peer->version                          },
                { "aggressive",         parse_bool,                     &peer->aggressive                       },
                { "pull",                       parse_bool,                     &peer->pull                                     },
+               { "dscp",                       parse_dscp,                     &peer->dscp                                     },
                { "encap",                      parse_bool,                     &peer->encap                            },
                { "mobike",                     parse_bool,                     &peer->mobike                           },
                { "dpd_delay",          parse_time,                     &peer->dpd_delay                        },
@@ -2085,7 +2119,7 @@ CALLBACK(config_sn, bool,
        ike_cfg = ike_cfg_create(peer.version, peer.send_certreq, peer.encap,
                                                peer.local_addrs, peer.local_port,
                                                peer.remote_addrs, peer.remote_port,
-                                               peer.fragmentation, 0);
+                                               peer.fragmentation, peer.dscp);
 
        cfg = (peer_cfg_create_t){
                .cert_policy = peer.send_cert,
index a7d6d9fc3c0cace6c0e71214955e4edd7c573162..e882e60ba538a6a6177338e0621abd90dfe9e65f 100644 (file)
@@ -102,6 +102,14 @@ connections.<conn>.pull = yes
        Push mode is currently supported for IKEv1, but not in IKEv2. It is used
        by a few implementations only, pull mode is recommended.
 
+connections.<conn>.dscp = 000000
+       Differentiated Services Field Codepoint to set on outgoing IKE packets (six
+       binary digits).
+
+       Differentiated Services Field Codepoint to set on outgoing IKE packets for
+       this connection. The value is a six digit binary encoded string specifying
+       the Codepoint to set, as defined in RFC 2474.
+
 connections.<conn>.encap = no
        Enforce UDP encapsulation by faking NAT-D payloads.