vici: Make in-/outbound marks the SA should set configurable

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 7a66af1f4e572b8247e60c6300a9ffcd9df6aa5b..05fa8c5ca92db6dcfa781b645ee5f7914b12dcf6 100644 (file)
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -528,6 +528,10 @@ static void log_child_data(child_data_t *data, char *name)
        DBG2(DBG_CFG, "   mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
        DBG2(DBG_CFG, "   mark_out = %u/%u",
                 cfg->mark_out.value, cfg->mark_out.mask);
+       DBG2(DBG_CFG, "   set_mark_in = %u/%u",
+                cfg->set_mark_in.value, cfg->set_mark_in.mask);
+       DBG2(DBG_CFG, "   set_mark_out = %u/%u",
+                cfg->set_mark_out.value, cfg->set_mark_out.mask);
        DBG2(DBG_CFG, "   inactivity = %llu", cfg->inactivity);
        DBG2(DBG_CFG, "   proposals = %#P", data->proposals);
        DBG2(DBG_CFG, "   local_ts = %#R", data->local_ts);
@@ -1639,6 +1643,8 @@ CALLBACK(child_kv, bool,
                { "mark_in",                    parse_mark,                     &child->cfg.mark_in                                     },
                { "mark_in_sa",                 parse_opt_mark_in,      &child->cfg.options                                     },
                { "mark_out",                   parse_mark,                     &child->cfg.mark_out                            },
+               { "set_mark_in",                parse_mark,                     &child->cfg.set_mark_in                         },
+               { "set_mark_out",               parse_mark,                     &child->cfg.set_mark_out                        },
                { "tfc_padding",                parse_tfc,                      &child->cfg.tfc                                         },
                { "priority",                   parse_uint32,           &child->cfg.priority                            },
                { "interface",                  parse_string,           &child->cfg.interface                           },

diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 3f67b938a1a939e448d973118a7824e03b4fc050..8cdd66c3fa1d60346b778aef8e01009130bf1087 100644 (file)
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -910,6 +910,28 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000
        An additional mask may be appended to the mark, separated by _/_. The
        default mask if omitted is 0xffffffff.
 
+connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
+       Netfilter mark applied to packets after the inbound IPsec SA processed them.
+
+       Netfilter mark applied to packets after the inbound IPsec SA processed them.
+       This way it's not necessary to mark packets via Netfilter before decryption
+       or right afterwards to match policies or process them differently (e.g. via
+       policy routing).
+
+       An additional mask may be appended to the mark, separated by _/_. The
+       default mask if omitted is 0xffffffff.
+
+connections.<conn>.children.<child>.set_mark_out = 0/0x00000000
+       Netfilter mark applied to packets after the outbound IPsec SA processed
+       them.
+
+       Netfilter mark applied to packets after the outbound IPsec SA processed
+       them. This allows processing ESP packets differently than the original
+       traffic (e.g. via policy routing).
+
+       An additional mask may be appended to the mark, separated by _/_. The
+       default mask if omitted is 0xffffffff.
+
 connections.<conn>.children.<child>.tfc_padding = 0
        Traffic Flow Confidentiality padding.