From: Martin Willi
Date: Mon, 17 Nov 2014 10:59:38 +0000 (+0100)
Subject: ipsec-types: Support the %unique mark value
X-Git-Tag: 5.3.0dr1~76^2~5
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=cc1682bef9ea9c53348bad4d2fa610a900e7be65;p=thirdparty%2Fstrongswan.git
ipsec-types: Support the %unique mark value
---
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index f84e3313ec..851bd17503 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -987,7 +987,9 @@ sets an XFRM mark in the inbound and outbound IPsec SAs and policies. If the mask is missing then a default mask of
 .B 0xffffffff
-is assumed.
+is assumed. The special value
+.B %unique
+assigns a unique value to each newly created IPsec SA.
 .TP
 .BR mark_in " = [/]"
 sets an XFRM mark in the inbound IPsec SA and
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
index 4bbd918a01..f2ee11ee85 100644
--- a/src/libstrongswan/ipsec/ipsec_types.c
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -48,7 +48,15 @@ bool mark_from_string(const char *value, mark_t *mark)
 {
 return FALSE;
 }
- mark->value = strtoul(value, &endptr, 0);
+ if (strcasepfx(value, "%unique"))
+ {
+ mark->value = MARK_UNIQUE;
+ endptr = (char*)value + strlen("%unique");
+ }
+ else
+ {
+ mark->value = strtoul(value, &endptr, 0);
+ }
 if (*endptr)
 {
 if (*endptr != '/')
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 5880045626..01ff48e76d 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
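Review bot: The `%unique` branch stores the MARK_UNIQUE sentinel in mark->value, the same field the strtoul branch fills from the configured string, so a numeric mark that happens to equal MARK_UNIQUE (its value is not visible in this hunk) would be indistinguishable from an explicit %unique and would silently request per-SA marks. Either the strtoul branch should refuse that value, `if (mark->value == MARK_UNIQUE) { return FALSE; }`, or the reserved value should be documented as not configurable by number. The cast `(char*)value` drops const only because endptr has to match strtoul's out-parameter type; a one-line comment saying so, `/* const dropped to share endptr with strtoul() below */`, would keep the next reader from "fixing" it. mark_from_string's declaration and the remainder of its body lie outside the hunk.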
@@ -622,9 +622,10 @@ connections..children..reqid = 0
 connections..children..mark_in = 0/0x00000000
 Netfilter mark and mask for input traffic.
- Netfilter mark and mask for input traffic. On Linux Netfilter may apply
- marks to each packet coming from a tunnel having that option set. The
- mark may then be used by Netfilter to match rules.
+ Netfilter mark and mask for input traffic. On Linux Netfilter may require
+ marks on each packet to match an SA having that option set. This allows
+ Netfilter rules to select specific tunnels for incoming traffic. The
+ special value _%unique_ sets a unique mark on each CHILD_SA instance.
 An additional mask may be appended to the mark, separated by _/_. The
 default mask if omitted is 0xffffffff.
@@ -634,7 +635,8 @@ connections..children..mark_out = 0/0x00000000
 Netfilter mark and mask for output traffic. On Linux Netfilter may require
 marks on each packet to match a policy having that option set. This allows
- Netfilter rules to select specific tunnels for outgoing traffic.
+ Netfilter rules to select specific tunnels for outgoing traffic. The
+ special value _%unique_ sets a unique mark on each CHILD_SA instance.
 An additional mask may be appended to the mark, separated by _/_. The
 default mask if omitted is 0xffffffff.