aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorTobias Brunner <tobias@strongswan.org>2016-11-11 10:40:53 +0100
committerTobias Brunner <tobias@strongswan.org>2017-02-16 19:23:31 +0100
commit44fcc83310ed7a032d2cf0fa315f3f7bd36c0f69 (patch)
treed75fcf8aeb5bd93d9b1f09559d75c9d5ac130d3b /src
parentd460ab2bff5c49cc2e5fbffe79f59d9a1d9918a6 (diff)
downloadstrongswan-44fcc83310ed7a032d2cf0fa315f3f7bd36c0f69.tar.bz2
strongswan-44fcc83310ed7a032d2cf0fa315f3f7bd36c0f69.tar.xz
vici: Add missing dscp setting for IKE_SAs
Fixes #2170.
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/plugins/vici/vici_config.c44
-rw-r--r--src/swanctl/swanctl.opt8
2 files changed, 47 insertions, 5 deletions
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 2110fd31d..ff706be46 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -295,6 +295,7 @@ typedef struct {
uint64_t rekey_time;
uint64_t over_time;
uint64_t rand_time;
+ uint8_t dscp;
} peer_data_t;
/**
@@ -370,6 +371,7 @@ static void log_peer_data(peer_data_t *data)
DBG2(DBG_CFG, " send_cert = %N", cert_policy_names, data->send_cert);
DBG2(DBG_CFG, " mobike = %u", data->mobike);
DBG2(DBG_CFG, " aggressive = %u", data->aggressive);
+ DBG2(DBG_CFG, " dscp = 0x%.2x", data->dscp);
DBG2(DBG_CFG, " encap = %u", data->encap);
DBG2(DBG_CFG, " dpd_delay = %llu", data->dpd_delay);
DBG2(DBG_CFG, " dpd_timeout = %llu", data->dpd_timeout);
@@ -814,10 +816,9 @@ CALLBACK(parse_action, bool,
}
/**
- * Parse a uint32_t
+ * Parse a uint32_t with the given base
*/
-CALLBACK(parse_uint32, bool,
- uint32_t *out, chunk_t v)
+static bool parse_uint32_base(uint32_t *out, chunk_t v, int base)
{
char buf[16], *end;
u_long l;
@@ -826,7 +827,7 @@ CALLBACK(parse_uint32, bool,
{
return FALSE;
}
- l = strtoul(buf, &end, 0);
+ l = strtoul(buf, &end, base);
if (*end == 0)
{
*out = l;
@@ -836,6 +837,24 @@ CALLBACK(parse_uint32, bool,
}
/**
+ * Parse a uint32_t
+ */
+CALLBACK(parse_uint32, bool,
+ uint32_t *out, chunk_t v)
+{
+ return parse_uint32_base(out, v, 0);
+}
+
+/**
+ * Parse a uint32_t in binary encoding
+ */
+CALLBACK(parse_uint32_bin, bool,
+ uint32_t *out, chunk_t v)
+{
+ return parse_uint32_base(out, v, 2);
+}
+
+/**
* Parse a uint64_t
*/
CALLBACK(parse_uint64, bool,
@@ -984,6 +1003,20 @@ CALLBACK(parse_tfc, bool,
}
/**
+ * Parse 6-bit DSCP value
+ */
+CALLBACK(parse_dscp, bool,
+ uint8_t *out, chunk_t v)
+{
+ if (parse_uint32_bin(out, v))
+ {
+ *out = *out & 0x3f;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
* Parse authentication config
*/
CALLBACK(parse_auth, bool,
@@ -1417,6 +1450,7 @@ CALLBACK(peer_kv, bool,
{ "version", parse_uint32, &peer->version },
{ "aggressive", parse_bool, &peer->aggressive },
{ "pull", parse_bool, &peer->pull },
+ { "dscp", parse_dscp, &peer->dscp },
{ "encap", parse_bool, &peer->encap },
{ "mobike", parse_bool, &peer->mobike },
{ "dpd_delay", parse_time, &peer->dpd_delay },
@@ -2085,7 +2119,7 @@ CALLBACK(config_sn, bool,
ike_cfg = ike_cfg_create(peer.version, peer.send_certreq, peer.encap,
peer.local_addrs, peer.local_port,
peer.remote_addrs, peer.remote_port,
- peer.fragmentation, 0);
+ peer.fragmentation, peer.dscp);
cfg = (peer_cfg_create_t){
.cert_policy = peer.send_cert,
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index a7d6d9fc3..e882e60ba 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -102,6 +102,14 @@ connections.<conn>.pull = yes
Push mode is currently supported for IKEv1, but not in IKEv2. It is used
by a few implementations only, pull mode is recommended.
+connections.<conn>.dscp = 000000
+ Differentiated Services Field Codepoint to set on outgoing IKE packets (six
+ binary digits).
+
+ Differentiated Services Field Codepoint to set on outgoing IKE packets for
+ this connection. The value is a six digit binary encoded string specifying
+ the Codepoint to set, as defined in RFC 2474.
+
connections.<conn>.encap = no
Enforce UDP encapsulation by faking NAT-D payloads.