connmark: Ignore per-CPU CHILD_SAs

The combination probably doesn't make much sense.

The OUTPUT rules would definitely only be required once, while the INPUT
and PREROUTING rules list individual SPIs and/or UDP ports, which would
be necessary for all SAs.

By the way, the rules in PREROUTING might actually not be necessary
anymore if the set_mark_in option was used for such SAs.

diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c
index 48731af611d8d9540cafd7c8ee049aab4cf3819c..7a6d3d46616eb58a9ce69c99e4014a8cc54310c9 100644 (file)
--- a/src/libcharon/plugins/connmark/connmark_listener.c
+++ b/src/libcharon/plugins/connmark/connmark_listener.c
@@ -432,7 +432,8 @@ static bool handle_sa(child_sa_t *child_sa)
        return child_sa->get_mark(child_sa, TRUE).value &&
                   child_sa->get_mark(child_sa, FALSE).value &&
                   child_sa->get_mode(child_sa) == MODE_TRANSPORT &&
-                  child_sa->get_protocol(child_sa) == PROTO_ESP;
+                  child_sa->get_protocol(child_sa) == PROTO_ESP &&
+                  !child_sa->use_per_cpu(child_sa);
 }
 
 METHOD(listener_t, child_updown, bool,