authorAndreas Steffen <andreas.steffen@strongswan.org>2010-07-09 09:06:02 +0200
committerAndreas Steffen <andreas.steffen@strongswan.org>2010-07-09 09:06:07 +0200
commit26c4d0102a77802ad9e7edef97f4eed77e1bb52d (patch)
tree3ce6da383dd67a6f652bafbfb24f6ec6586aa6a2 /src/libcharon
parent6f07f5e3d403cde79411219ba332acd21a17039d (diff)
configuration of different marks for inbound and outbound direction
Diffstat (limited to 'src/libcharon')
-rw-r--r--src/libcharon/config/child_cfg.c19
-rw-r--r--src/libcharon/config/child_cfg.h5
-rw-r--r--src/libcharon/plugins/android/android_service.c3
-rw-r--r--src/libcharon/plugins/ha/ha_tunnel.c3
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_config.c5
-rw-r--r--src/libcharon/plugins/medcli/medcli_config.c6
-rw-r--r--src/libcharon/plugins/nm/nm_service.c3
-rw-r--r--src/libcharon/plugins/sql/sql_config.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c13
-rw-r--r--src/libcharon/plugins/uci/uci_config.c3
10 files changed, 40 insertions, 22 deletions
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index d3f688a5d..70f38b285 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -539,7 +539,7 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
ipsec_mode_t mode, action_t dpd_action,
action_t close_action, bool ipcomp,
u_int32_t inactivity, u_int32_t reqid,
- mark_t *mark)
+ mark_t *mark_in, mark_t *mark_out)
{
private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
@@ -576,16 +576,21 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
this->inactivity = inactivity;
this->reqid = reqid;
- /* TODO configure separate inbound and outbound marks */
- if (mark)
+ if (mark_in)
{
- this->mark_in = *mark;
- this->mark_out = *mark;
+ this->mark_in = *mark_in;
+ }
+ else
+ {
+ this->mark_in.value = 0;
+ this->mark_in.mask = 0;
+ }
+ if (mark_out)
+ {
+ this->mark_out = *mark_out;
}
else
{
- this->mark_in.value = 0;
- this->mark_in.mask = 0;
this->mark_out.value = 0;
this->mark_out.mask = 0;
}
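Review bot: The two else branches spell out the same zeroing field by field, and nothing in the hunk says what a zero value/mask pair means for the CHILD_SA. Each direction could be a single statement, e.g. `this->mark_in = mark_in ? *mark_in : (mark_t){ .value = 0, .mask = 0 };`, with a comment such as `/* NULL: no mark for this direction (value and mask 0) */`. Passing only one of the two pointers now leaves the other direction at 0/0, where the old code applied one mark to both, so a caller that wants symmetric marking has to pass the same mark twice. The body of child_cfg_create starts and ends outside the hunk.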
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index a40191829..d34835ead 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -326,7 +326,8 @@ struct child_cfg_t {
* @param ipcomp use IPComp, if peer supports it
* @param inactivity inactivity timeout in s before closing a CHILD_SA
* @param reqid specific reqid to use for CHILD_SA, 0 for auto assign
- * @param mark optional mark (can be NULL)
+ * @param mark_in optional inbound mark (can be NULL)
+ * @param mark_out optional outbound mark (can be NULL)
* @return child_cfg_t object
*/
child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
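Review bot: The two new @param lines do not say what NULL selects or who owns the pointed-to mark_t. child_cfg.c in this commit copies the struct (`this->mark_in = *mark_in;`) and sets value and mask to 0 for NULL, so the text could read `@param mark_in optional inbound mark, copied (NULL: value and mask 0)` and likewise for mark_out. Since the two marks are no longer interchangeable, it would also help to state which traffic direction "inbound" refers to relative to the local host. The doc comment starts outside the hunk.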
@@ -334,6 +335,6 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
ipsec_mode_t mode, action_t dpd_action,
action_t close_action, bool ipcomp,
u_int32_t inactivity, u_int32_t reqid,
- mark_t *mark);
+ mark_t *mark_in, mark_t *mark_out);
#endif /** CHILD_CFG_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
index 80d068c1f..538c4a9a2 100644
--- a/src/libcharon/plugins/android/android_service.c
+++ b/src/libcharon/plugins/android/android_service.c
@@ -291,7 +291,8 @@ static job_requeue_t initiate(private_android_service_t *this)
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index e2807c08f..89daa4fc4 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -234,7 +234,8 @@ static void setup_tunnel(private_ha_tunnel_t *this,
peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT,
- ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 528c9a31b..a230aa3f5 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -223,8 +223,9 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
}
- child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
- MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL,
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
child_cfg->add_proposal(child_cfg, proposal);
ts = traffic_selector_create_dynamic(0, 0, 65535);
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index e57491044..6cbaf36f2 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -182,7 +182,8 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
@@ -260,7 +261,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
this->current->add_auth_cfg(this->current, auth, FALSE);
child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c
index 20e6c1529..07318bbbf 100644
--- a/src/libcharon/plugins/nm/nm_service.c
+++ b/src/libcharon/plugins/nm/nm_service.c
@@ -444,7 +444,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
child_cfg = child_cfg_create(priv->name, &lifetime,
NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
- ACTION_NONE, ACTION_NONE, ipcomp, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, ipcomp, 0, 0,
+ NULL, NULL);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index d9964cea8..a47d93f7b 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -134,7 +134,7 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
.time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
};
child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
- dpd, close, ipcomp, 0, 0, NULL);
+ dpd, close, ipcomp, 0, 0, NULL, NULL);
/* TODO: read proposal from db */
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
add_traffic_selectors(this, child_cfg, id);
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index ded7ac4f5..4697e5f5a 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -768,9 +768,13 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
.jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
}
};
- mark_t mark = {
- .value = msg->add_conn.mark.value,
- .mask = msg->add_conn.mark.mask
+ mark_t mark_in = {
+ .value = msg->add_conn.mark_in.value,
+ .mask = msg->add_conn.mark_in.mask
+ };
+ mark_t mark_out = {
+ .value = msg->add_conn.mark_out.value,
+ .mask = msg->add_conn.mark_out.mask
};
switch (msg->add_conn.dpd.action)
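Review bot: mark_in and mark_out take value and mask from the stroke message as-is, with no check that the value fits inside its mask. If nothing before this point normalises them (not visible in this hunk), a value with bits outside the mask would, as far as I can tell, yield an SA or policy that a masked mark comparison never matches, so traffic in that direction would silently miss the intended policy. Masking at the copy, `.value = msg->add_conn.mark_in.value & msg->add_conn.mark_in.mask`, and the same for mark_out, keeps the stored pair self-consistent. The body of build_child_cfg starts and ends outside the hunk.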
@@ -790,7 +794,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
msg->add_conn.name, &lifetime,
msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
- msg->add_conn.inactivity, msg->add_conn.reqid, &mark);
+ msg->add_conn.inactivity, msg->add_conn.reqid,
+ &mark_in, &mark_out);
child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
msg->add_conn.install_policy);
add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
index ba93d8734..ddddae782 100644
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -196,7 +196,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));