child-cfg: Optionally set mark on inbound SA

diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index a102c459ce70f13dec9324604a2808a2a55628c1..93904ec71d6136807d60873a51a40ee1fd3f9f09 100644 (file)
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -310,6 +310,9 @@ enum child_cfg_option_t {
 
        /** Force 96-bit truncation for SHA-256 */
        OPT_SHA256_96 = (1<<6),
+
+       /** Set mark on inbound SAs */
+       OPT_MARK_IN_SA = (1<<7),
 };
 
 /**

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 4133d9182e6b45bdadf2916f3ccc80f85832e064..91da4d3e602443cf7c3bd0949aba3a322070b42c 100644 (file)
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -254,7 +254,7 @@ struct private_child_sa_t {
 };
 
 /**
- * convert an IKEv2 specific protocol identifier to the IP protocol identifier.
+ * Convert an IKEv2 specific protocol identifier to the IP protocol identifier
  */
 static inline uint8_t proto_ike2ip(protocol_id_t protocol)
 {
@@ -269,6 +269,18 @@ static inline uint8_t proto_ike2ip(protocol_id_t protocol)
        }
 }
 
+/**
+ * Returns the mark to use on the inbound SA
+ */
+static inline mark_t mark_in_sa(private_child_sa_t *this)
+{
+       if (this->config->has_option(this->config, OPT_MARK_IN_SA))
+       {
+               return this->mark_in;
+       }
+       return (mark_t){};
+}
+
 METHOD(child_sa_t, get_name, char*,
           private_child_sa_t *this)
 {
@@ -525,6 +537,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
                                .dst = this->my_addr,
                                .spi = this->my_spi,
                                .proto = proto_ike2ip(this->protocol),
+                               .mark = mark_in_sa(this),
                        };
                        kernel_ipsec_query_sa_t query = {};
 
@@ -857,7 +870,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
                .dst = dst,
                .spi = spi,
                .proto = proto_ike2ip(this->protocol),
-               .mark = inbound ? (mark_t){} : this->mark_out,
+               .mark = inbound ? mark_in_sa(this) : this->mark_out,
        };
        sa = (kernel_ipsec_add_sa_t){
                .reqid = this->reqid,
@@ -1475,6 +1488,7 @@ METHOD(child_sa_t, update, status_t,
                                .dst = this->my_addr,
                                .spi = this->my_spi,
                                .proto = proto_ike2ip(this->protocol),
+                               .mark = mark_in_sa(this),
                        };
                        kernel_ipsec_update_sa_t sa = {
                                .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
@@ -1660,6 +1674,7 @@ METHOD(child_sa_t, destroy, void,
                        .dst = this->my_addr,
                        .spi = this->my_spi,
                        .proto = proto_ike2ip(this->protocol),
+                       .mark = mark_in_sa(this),
                };
                kernel_ipsec_del_sa_t sa = {
                        .cpi = this->my_cpi,