vici: Include the Netfilter marks in listed CHILD_SAs

2 files changed, 19 insertions, 0 deletions

diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 18a3ef7b5..4e53d7cc9 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -689,6 +689,10 @@ command.
 					spi-out = <hex encoded outbound SPI>
 					cpi-in = <hex encoded inbound CPI, if using compression>
 					cpi-out = <hex encoded outbound CPI, if using compression>
+					mark-in = <hex encoded inbound Netfilter mark value>
+					mark-mask-in = <hex encoded inbound Netfilter mark mask>
+					mark-out = <hex encoded outbound Netfilter mark value>
+					mark-mask-out = <hex encoded outbound Netfilter mark mask>
 					encr-alg = <ESP encryption algorithm name, if any>
 					encr-keysize = <ESP encryption key size, if applicable>
 					integ-alg = <ESP or AH integrity algorithm name, if any>
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 828b61927..e3a16f5ea 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -79,6 +79,19 @@ struct private_vici_query_t {
 	time_t uptime;
 };
 
+static void add_mark(vici_builder_t *b, mark_t mark,
+					 char *label, char *mask_label)
+{
+	if (mark.value | mark.mask)
+	{
+		b->add_kv(b, label, "%.8x", mark.value);
+		if (~mark.mask)
+		{
+			b->add_kv(b, mask_label, "%.8x", mark.mask);
+		}
+	}
+}
+
 /**
  * List details of a CHILD_SA
  */
@@ -114,6 +127,8 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 			b->add_kv(b, "cpi-in", "%.4x", ntohs(child->get_cpi(child, TRUE)));
 			b->add_kv(b, "cpi-out", "%.4x", ntohs(child->get_cpi(child, FALSE)));
 		}
+		add_mark(b, child->get_mark(child, TRUE), "mark-in", "mark-mask-in");
+		add_mark(b, child->get_mark(child, FALSE), "mark-out", "mark-mask-out");
 		proposal = child->get_proposal(child);
 		if (proposal)
 		{