diff options
| author | Eyal Birger <eyal.birger@gmail.com> | 2017-07-28 12:18:52 +0300 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2017-08-07 14:22:27 +0200 |
| commit | 32e5c49234ce4af2ef375e3f1750fdb90f813905 (patch) | |
| tree | 67f49109d2d7884abbe3a4d74235487754210546 /src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c | |
| parent | 00498d78a81f1fcd344b1eb13461f1ed4e00bf01 (diff) | |
| download | strongswan-32e5c49234ce4af2ef375e3f1750fdb90f813905.tar.bz2 strongswan-32e5c49234ce4af2ef375e3f1750fdb90f813905.tar.xz | |
child-sa: Allow requesting different unique marks for in/out
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue as the 'fwd' policy
uses the 'in' mark will not match outbound traffic.
Closes strongswan/strongswan#78.
Diffstat (limited to 'src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c')
0 files changed, 0 insertions, 0 deletions