-rw-r--r-- | src/libcharon/config/child_cfg.c | 19 | ||||
-rw-r--r-- | src/libcharon/config/child_cfg.h | 5 | ||||
-rw-r--r-- | src/libcharon/plugins/android/android_service.c | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/ha/ha_tunnel.c | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/load_tester/load_tester_config.c | 5 | ||||
-rw-r--r-- | src/libcharon/plugins/medcli/medcli_config.c | 6 | ||||
-rw-r--r-- | src/libcharon/plugins/nm/nm_service.c | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/sql/sql_config.c | 2 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 13 | ||||
-rw-r--r-- | src/libcharon/plugins/uci/uci_config.c | 3 | ||||
-rw-r--r-- | src/starter/args.c | 2 | ||||
-rw-r--r-- | src/starter/confread.c | 74 | ||||
-rw-r--r-- | src/starter/confread.h | 11 | ||||
-rw-r--r-- | src/starter/keywords.h | 4 | ||||
-rw-r--r-- | src/starter/keywords.txt | 2 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 6 | ||||
-rw-r--r-- | src/stroke/stroke_msg.h | 2 |
17 files changed, 108 insertions, 55 deletions
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index d3f688a5d..70f38b285 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -539,7 +539,7 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 ipsec_mode_t mode, action_t dpd_action,
 action_t close_action, bool ipcomp,
 u_int32_t inactivity, u_int32_t reqid,
- mark_t *mark)
+ mark_t *mark_in, mark_t *mark_out)
 {
 private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
 
@@ -576,16 +576,21 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 this->inactivity = inactivity;
 this->reqid = reqid;
 
- /* TODO configure separate inbound and outbound marks */
- if (mark)
+ if (mark_in)
 {
- this->mark_in = *mark;
- this->mark_out = *mark;
+ this->mark_in = *mark_in;
+ }
+ else
+ {
+ this->mark_in.value = 0;
+ this->mark_in.mask = 0;
+ }
+ if (mark_out)
+ {
+ this->mark_out = *mark_out;
 }
 else
 {
- this->mark_in.value = 0;
- this->mark_in.mask = 0;
 this->mark_out.value = 0;
 this->mark_out.mask = 0;
 }
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index a40191829..d34835ead 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -326,7 +326,8 @@ struct child_cfg_t {
 * @param ipcomp use IPComp, if peer supports it
 * @param inactivity inactivity timeout in s before closing a CHILD_SA
 * @param reqid specific reqid to use for CHILD_SA, 0 for auto assign
- * @param mark optional mark (can be NULL)
+ * @param mark_in optional inbound mark (can be NULL)
+ * @param mark_out optional outbound mark (can be NULL)
 * @return child_cfg_t object
 */
 child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
@@ -334,6 +335,6 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 ipsec_mode_t mode, action_t dpd_action,
 action_t close_action, bool ipcomp,
 u_int32_t inactivity, u_int32_t reqid,
- mark_t *mark);
+ mark_t *mark_in, mark_t *mark_out);
 
 #endif /** CHILD_CFG_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
index 80d068c1f..538c4a9a2 100644
--- a/src/libcharon/plugins/android/android_service.c
+++ b/src/libcharon/plugins/android/android_service.c
@@ -291,7 +291,8 @@ static job_requeue_t initiate(private_android_service_t *this)
 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
 child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 ts = traffic_selector_create_dynamic(0, 0, 65535);
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index e2807c08f..89daa4fc4 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -234,7 +234,8 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
 
 child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT,
- ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
 ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 528c9a31b..a230aa3f5 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -223,8 +223,9 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
 }
 
- child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
- MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL,
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
 proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
 child_cfg->add_proposal(child_cfg, proposal);
 ts = traffic_selector_create_dynamic(0, 0, 65535);
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index e57491044..6cbaf36f2 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -182,7 +182,8 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
 child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
@@ -260,7 +261,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 this->current->add_auth_cfg(this->current, auth, FALSE);
 
 child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c
index 20e6c1529..07318bbbf 100644
--- a/src/libcharon/plugins/nm/nm_service.c
+++ b/src/libcharon/plugins/nm/nm_service.c
@@ -444,7 +444,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 child_cfg = child_cfg_create(priv->name, &lifetime, NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
- ACTION_NONE, ACTION_NONE, ipcomp, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, ipcomp, 0, 0,
+ NULL, NULL);
 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 ts = traffic_selector_create_dynamic(0, 0, 65535);
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index d9964cea8..a47d93f7b 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -134,7 +134,7 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
 .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
 };
 child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
- dpd, close, ipcomp, 0, 0, NULL);
+ dpd, close, ipcomp, 0, 0, NULL, NULL);
 /* TODO: read proposal from db */
 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 add_traffic_selectors(this, child_cfg, id);
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index ded7ac4f5..4697e5f5a 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -768,9 +768,13 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
 }
 };
- mark_t mark = {
- .value = msg->add_conn.mark.value,
- .mask = msg->add_conn.mark.mask
+ mark_t mark_in = {
+ .value = msg->add_conn.mark_in.value,
+ .mask = msg->add_conn.mark_in.mask
+ };
+ mark_t mark_out = {
+ .value = msg->add_conn.mark_out.value,
+ .mask = msg->add_conn.mark_out.mask
 };
 
 switch (msg->add_conn.dpd.action)
@@ -790,7 +794,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 msg->add_conn.name, &lifetime,
 msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
 msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
- msg->add_conn.inactivity, msg->add_conn.reqid, &mark);
+ msg->add_conn.inactivity, msg->add_conn.reqid,
+ &mark_in, &mark_out);
 child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
 msg->add_conn.install_policy);
 add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
index ba93d8734..ddddae782 100644
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -196,7 +196,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
 
 child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
 child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
 child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
 child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
diff --git a/src/starter/args.c b/src/starter/args.c
index 4fe9c9d27..ab6b60509 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -236,6 +236,8 @@ static const token_info_t token_info[] =
 { ARG_STR, offsetof(starter_conn_t, me_peerid), NULL },
 { ARG_UINT, offsetof(starter_conn_t, reqid), NULL },
 { ARG_MISC, 0, NULL /* KW_MARK */ },
+ { ARG_MISC, 0, NULL /* KW_MARK_IN */ },
+ { ARG_MISC, 0, NULL /* KW_MARK_OUT */ },
 
 /* ca section keywords */
 { ARG_STR, offsetof(starter_ca_t, name), NULL },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 6ebdaf58b..399e17844 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -461,6 +461,41 @@ static void handle_firewall(const char *label, starter_end_t *end,
 }
 }
 
+static bool handle_mark(char *value, mark_t *mark)
+{
+ char *pos, *endptr;
+
+ pos = strchr(value, '/');
+ if (pos)
+ {
+ *pos = '\0';
+ mark->mask = strtoul(pos+1, &endptr, 0);
+ if (*endptr != '\0')
+ {
+ plog("# invalid mark mask: %s", pos+1);
+ return FALSE;
+ }
+ }
+ else
+ {
+ mark->mask = 0xffffffff;
+ }
+ if (value == '\0')
+ {
+ mark->value = 0;
+ }
+ else
+ {
+ mark->value = strtoul(value, &endptr, 0);
+ if (*endptr != '\0')
+ {
+ plog("# invalid mark value: %s", value);
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
 /*
 * parse a conn section
 */
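Review bot: In handle_mark, `if (value == '\0')` compares the pointer `value` itself with the null character instead of dereferencing it, so the empty-value branch can never run; the code it replaces in load_conn tested `*kw->value == '\0'`. The outcome happens to match because strtoul on an empty string returns 0 with endptr at the terminator, but the check should read `if (*value == '\0')` so the intent survives the next edit. Separately, both branches store the unsigned long returned by strtoul into the 32-bit mark->mask and mark->value without a range check, so a mark above 0xffffffff in the config file is accepted and silently truncated to a different mark; checking errno == ERANGE and an upper bound before assigning lets the parser reject it (errno needs <errno.h> if confread.c does not already include it). The rewritten mask branch below applies the same pattern to the value branch.
```c
	unsigned long num;
	/* … unchanged: strchr for '/' and *pos = '\0' … */
		errno = 0;
		num = strtoul(pos+1, &endptr, 0);
		if (*endptr != '\0' || errno == ERANGE || num > 0xffffffff)
		{
			plog("# invalid mark mask: %s", pos+1);
			return FALSE;
		}
		mark->mask = num;
	/* … unchanged: default mask 0xffffffff … */
	if (*value == '\0')
	/* … value branch: same errno/range check, then mark->value = num … */
```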
@@ -672,40 +707,25 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 break;
 }
 case KW_MARK:
- {
- char *pos, *endptr;
-
- pos = strchr(kw->value, '/');
- if (pos)
+ if (!handle_mark(kw->value, &conn->mark_in))
 {
- *pos = '\0';
- conn->mark_mask = strtoul(pos+1, &endptr, 0);
- if (*endptr != '\0')
- {
- plog("# invalid mark mask: %s", pos+1);
- cfg->err++;
- break;
- }
- }
- else
- {
- conn->mark_mask = 0xffffffff;
+ cfg->err++;
+ break;
 }
- if (*kw->value == '\0')
+ conn->mark_out = conn->mark_in;
+ break;
+ case KW_MARK_IN:
+ if (!handle_mark(kw->value, &conn->mark_in))
 {
- conn->mark_value = 0;
+ cfg->err++;
 }
- else
+ break;
+ case KW_MARK_OUT:
+ if (!handle_mark(kw->value, &conn->mark_out))
 {
- conn->mark_value = strtoul(kw->value, &endptr, 0);
- if (*endptr != '\0')
- {
- plog("# invalid mark value: %s", kw->value);
- cfg->err++;
- }
+ cfg->err++;
 }
 break;
- }
 case KW_KEYINGTRIES:
 if (streq(kw->value, "%forever"))
 {
diff --git a/src/starter/confread.h b/src/starter/confread.h
index ada155d7a..5e4356ea3 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -95,6 +95,13 @@ struct also {
 also_t *next;
 };
 
+typedef struct mark_t mark_t;
+
+struct mark_t{
+ u_int32_t value;
+ u_int32_t mask;
+};
+
 typedef struct starter_conn starter_conn_t;
 
 struct starter_conn {
@@ -122,8 +129,8 @@ struct starter_conn {
 unsigned long sa_keying_tries;
 unsigned long sa_rekey_fuzz;
 u_int32_t reqid;
- u_int32_t mark_value;
- u_int32_t mark_mask;
+ mark_t mark_in;
+ mark_t mark_out;
 sa_family_t addr_family;
 sa_family_t tunnel_addr_family;
 bool install_policy;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index ea702fdbc..25d2ce4b9 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -99,9 +99,11 @@ typedef enum {
 KW_ME_PEERID,
 KW_REQID,
 KW_MARK,
+ KW_MARK_IN,
+ KW_MARK_OUT,
 
 #define KW_CONN_FIRST KW_CONN_SETUP
-#define KW_CONN_LAST KW_MARK
+#define KW_CONN_LAST KW_MARK_OUT
 
 /* ca section keywords */
 KW_CA_NAME,
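Review bot: The KW_MARK case now writes conn->mark_in and then copies it into conn->mark_out, so the effective marks depend on keyword order within the conn section: a `mark_in=` or `mark_out=` line that precedes `mark=` is silently overwritten, while one that follows it wins. If that is intended it should be documented at the copy, e.g. `/* mark= applies to both directions; a later mark_in=/mark_out= overrides one side */`; otherwise KW_MARK should leave a direction alone once it was set explicitly. The enclosing switch in load_conn starts and ends outside this hunk. In the confread.h hunk on the same line, `struct mark_t{` lacks the space before the brace used by the neighbouring definitions and the new type has no comment; `/** mark value and mask as parsed from mark=, mark_in= or mark_out= */` above it would do.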
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index a9d2af42a..fcdc60cff 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -90,6 +90,8 @@ mediated_by, KW_MEDIATED_BY
 me_peerid, KW_ME_PEERID
 reqid, KW_REQID
 mark, KW_MARK
+mark_in, KW_MARK_IN
+mark_out, KW_MARK_OUT
 cacert, KW_CACERT
 ldaphost, KW_LDAPHOST
 ldapbase, KW_LDAPBASE
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 475f07c74..9c69ab9e5 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -270,8 +270,10 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
 msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
 msg.add_conn.reqid = conn->reqid;
- msg.add_conn.mark.value = conn->mark_value;
- msg.add_conn.mark.mask = conn->mark_mask;
+ msg.add_conn.mark_in.value = conn->mark_in.value;
+ msg.add_conn.mark_in.mask = conn->mark_in.mask;
+ msg.add_conn.mark_out.value = conn->mark_out.value;
+ msg.add_conn.mark_out.mask = conn->mark_out.mask;
 
 starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
 starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index e33737bbc..a36cc9038 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -259,7 +259,7 @@ struct stroke_msg_t {
 struct {
 u_int32_t value;
 u_int32_t mask;
- } mark;
+ } mark_in, mark_out;
 stroke_end_t me, other;
 } add_conn;