authorTobias Brunner <tobias@strongswan.org>2016-11-11 10:40:53 +0100
committerTobias Brunner <tobias@strongswan.org>2017-02-16 19:23:31 +0100
commit44fcc83310ed7a032d2cf0fa315f3f7bd36c0f69 (patch)
treed75fcf8aeb5bd93d9b1f09559d75c9d5ac130d3b
parentd460ab2bff5c49cc2e5fbffe79f59d9a1d9918a6 (diff)
vici: Add missing dscp setting for IKE_SAs
Fixes #2170.
-rw-r--r--src/libcharon/plugins/vici/vici_config.c44
-rw-r--r--src/swanctl/swanctl.opt8
2 files changed, 47 insertions, 5 deletions
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 2110fd31d..ff706be46 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -295,6 +295,7 @@ typedef struct {
uint64_t rekey_time;
uint64_t over_time;
uint64_t rand_time;
+ uint8_t dscp;
} peer_data_t;
/**
@@ -370,6 +371,7 @@ static void log_peer_data(peer_data_t *data)
DBG2(DBG_CFG, " send_cert = %N", cert_policy_names, data->send_cert);
DBG2(DBG_CFG, " mobike = %u", data->mobike);
DBG2(DBG_CFG, " aggressive = %u", data->aggressive);
+ DBG2(DBG_CFG, " dscp = 0x%.2x", data->dscp);
DBG2(DBG_CFG, " encap = %u", data->encap);
DBG2(DBG_CFG, " dpd_delay = %llu", data->dpd_delay);
DBG2(DBG_CFG, " dpd_timeout = %llu", data->dpd_timeout);
@@ -814,10 +816,9 @@ CALLBACK(parse_action, bool,
}
/**
- * Parse a uint32_t
+ * Parse a uint32_t with the given base
*/
-CALLBACK(parse_uint32, bool,
- uint32_t *out, chunk_t v)
+static bool parse_uint32_base(uint32_t *out, chunk_t v, int base)
{
char buf[16], *end;
u_long l;
@@ -826,7 +827,7 @@ CALLBACK(parse_uint32, bool,
{
return FALSE;
}
- l = strtoul(buf, &end, 0);
+ l = strtoul(buf, &end, base);
if (*end == 0)
{
*out = l;
@@ -836,6 +837,24 @@ CALLBACK(parse_uint32, bool,
}
/**
+ * Parse a uint32_t
+ */
+CALLBACK(parse_uint32, bool,
+ uint32_t *out, chunk_t v)
+{
+ return parse_uint32_base(out, v, 0);
+}
+
+/**
+ * Parse a uint32_t in binary encoding
+ */
+CALLBACK(parse_uint32_bin, bool,
+ uint32_t *out, chunk_t v)
+{
+ return parse_uint32_base(out, v, 2);
+}
+
+/**
* Parse a uint64_t
*/
CALLBACK(parse_uint64, bool,
@@ -984,6 +1003,20 @@ CALLBACK(parse_tfc, bool,
}
/**
+ * Parse 6-bit DSCP value
+ */
+CALLBACK(parse_dscp, bool,
+ uint8_t *out, chunk_t v)
+{
+ if (parse_uint32_bin(out, v))
+ {
+ *out = *out & 0x3f;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
* Parse authentication config
*/
CALLBACK(parse_auth, bool,
@@ -1417,6 +1450,7 @@ CALLBACK(peer_kv, bool,
{ "version", parse_uint32, &peer->version },
{ "aggressive", parse_bool, &peer->aggressive },
{ "pull", parse_bool, &peer->pull },
+ { "dscp", parse_dscp, &peer->dscp },
{ "encap", parse_bool, &peer->encap },
{ "mobike", parse_bool, &peer->mobike },
{ "dpd_delay", parse_time, &peer->dpd_delay },
@@ -2085,7 +2119,7 @@ CALLBACK(config_sn, bool,
ike_cfg = ike_cfg_create(peer.version, peer.send_certreq, peer.encap,
peer.local_addrs, peer.local_port,
peer.remote_addrs, peer.remote_port,
- peer.fragmentation, 0);
+ peer.fragmentation, peer.dscp);
cfg = (peer_cfg_create_t){
.cert_policy = peer.send_cert,
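Review bot: parse_dscp hands its `uint8_t *out` to parse_uint32_bin, whose parameter is `uint32_t *out`, so the `*out = l;` store inside parse_uint32_base writes four bytes into the one-byte `dscp` member that this commit appends to the end of peer_data_t — the extra three bytes land in whatever follows (presumably trailing padding here, but that is an out-of-bounds write either way), and on a big-endian host the subsequent `*out & 0x3f` would read the most-significant byte and drop the value entirely. The pointer-type mismatch is presumably masked by the generic-pointer conversion in the CALLBACK wrapper, so the compiler will not flag it. Parse into a full-width local and then narrow, and consider rejecting values above 0x3f instead of masking them, since swanctl.opt documents the setting as exactly six binary digits and a silent mask would hide a mis-typed seven-digit string.
```c
CALLBACK(parse_dscp, bool,
	uint8_t *out, chunk_t v)
{
	uint32_t dscp;

	/* parse into a full-width temporary; *out is only one byte wide */
	if (parse_uint32_bin(&dscp, v) && dscp <= 0x3f)
	{
		*out = dscp;
		return TRUE;
	}
	/* … unchanged: return FALSE … */
}
```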
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index a7d6d9fc3..e882e60ba 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -102,6 +102,14 @@ connections.<conn>.pull = yes
Push mode is currently supported for IKEv1, but not in IKEv2. It is used
by a few implementations only, pull mode is recommended.
+connections.<conn>.dscp = 000000
+ Differentiated Services Field Codepoint to set on outgoing IKE packets (six
+ binary digits).
+
+ Differentiated Services Field Codepoint to set on outgoing IKE packets for
+ this connection. The value is a six digit binary encoded string specifying
+ the Codepoint to set, as defined in RFC 2474.
+
connections.<conn>.encap = no
Enforce UDP encapsulation by faking NAT-D payloads.