-rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 26 | ||||
-rw-r--r-- | src/swanctl/swanctl.opt | 34 |
2 files changed, 42 insertions, 18 deletions
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 0c355e3a0..e0e2955e2 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -495,6 +495,7 @@ static void log_child_data(child_data_t *data, char *name)
{
child_cfg_create_t *cfg = &data->cfg;
+#define has_opt(opt) ({ (cfg->options & (opt)) == (opt); })
DBG2(DBG_CFG, " child %s:", name);
DBG2(DBG_CFG, " rekey_time = %llu", cfg->lifetime.time.rekey);
DBG2(DBG_CFG, " life_time = %llu", cfg->lifetime.time.life);
@@ -506,12 +507,12 @@ static void log_child_data(child_data_t *data, char *name)
DBG2(DBG_CFG, " life_packets = %llu", cfg->lifetime.packets.life);
DBG2(DBG_CFG, " rand_packets = %llu", cfg->lifetime.packets.jitter);
DBG2(DBG_CFG, " updown = %s", cfg->updown);
- DBG2(DBG_CFG, " hostaccess = %u", cfg->options & OPT_HOSTACCESS);
- DBG2(DBG_CFG, " ipcomp = %u", cfg->options & OPT_IPCOMP);
+ DBG2(DBG_CFG, " hostaccess = %u", has_opt(OPT_HOSTACCESS));
+ DBG2(DBG_CFG, " ipcomp = %u", has_opt(OPT_IPCOMP));
DBG2(DBG_CFG, " mode = %N%s", ipsec_mode_names, cfg->mode,
- cfg->options & OPT_PROXY_MODE ? "_PROXY" : "");
+ has_opt(OPT_PROXY_MODE) ? "_PROXY" : "");
DBG2(DBG_CFG, " policies = %u", data->policies);
- DBG2(DBG_CFG, " policies_fwd_out = %u", cfg->options & OPT_FWD_OUT_POLICIES);
+ DBG2(DBG_CFG, " policies_fwd_out = %u", has_opt(OPT_FWD_OUT_POLICIES));
if (data->replay_window != REPLAY_UNDEFINED)
{
DBG2(DBG_CFG, " replay_window = %u", data->replay_window);
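Review bot: The `has_opt` macro introduced at the top of log_child_data is never undefined, so it remains in effect for the rest of vici_config.c and silently depends on a local named `cfg` being in scope wherever it is expanded later; adding `#undef has_opt` just before the function's closing brace (the end of the @@ -525 hunk) keeps it function-local. A static helper that takes the option set explicitly, e.g. `static inline bool has_opt(child_cfg_option_t opts, child_cfg_option_t opt)`, would avoid both the GNU statement-expression and the implicit capture of `cfg`. The statement expression also yields an int that is printed with `%u`; `%d`, or a cast, keeps the format and argument types aligned. log_child_data continues beyond the two hunks shown here.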
@@ -525,14 +526,15 @@ static void log_child_data(child_data_t *data, char *name)
DBG2(DBG_CFG, " interface = %s", cfg->interface);
DBG2(DBG_CFG, " mark_in = %u/%u", cfg->mark_in.value, cfg->mark_in.mask);
+ DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
DBG2(DBG_CFG, " mark_out = %u/%u", cfg->mark_out.value, cfg->mark_out.mask);
DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity);
DBG2(DBG_CFG, " proposals = %#P", data->proposals);
DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
- DBG2(DBG_CFG, " hw_offload = %u", cfg->options & OPT_HW_OFFLOAD);
- DBG2(DBG_CFG, " sha256_96 = %u", cfg->options & OPT_SHA256_96);
+ DBG2(DBG_CFG, " hw_offload = %u", has_opt(OPT_HW_OFFLOAD));
+ DBG2(DBG_CFG, " sha256_96 = %u", has_opt(OPT_SHA256_96));
}
/**
@@ -882,7 +884,7 @@ CALLBACK(parse_opt_fwd_out, bool,
}
/**
- * Parse OPT_FWD_OUT_POLICIES option
+ * Parse OPT_IPCOMP option
*/
CALLBACK(parse_opt_ipcomp, bool,
child_cfg_option_t *out, chunk_t v)
@@ -909,6 +911,15 @@ CALLBACK(parse_opt_sha256_96, bool,
}
/**
+ * Parse OPT_MARK_IN_SA option
+ */
+CALLBACK(parse_opt_mark_in, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_MARK_IN_SA, v);
+}
+
+/**
* Parse an action_t
*/
CALLBACK(parse_action, bool,
@@ -1562,6 +1573,7 @@ CALLBACK(child_kv, bool,
{ "inactivity", parse_time, &child->cfg.inactivity },
{ "reqid", parse_uint32, &child->cfg.reqid },
{ "mark_in", parse_mark, &child->cfg.mark_in },
+ { "mark_in_sa", parse_opt_mark_in, &child->cfg.options },
{ "mark_out", parse_mark, &child->cfg.mark_out },
{ "tfc_padding", parse_tfc, &child->cfg.tfc },
{ "priority", parse_uint32, &child->cfg.priority },
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index d0a0d21dd..ac0c2dd58 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
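Review bot: The new callback `parse_opt_mark_in` in the @@ -909 hunk is named after the `mark_in` key but parses OPT_MARK_IN_SA, whereas its siblings (`parse_opt_fwd_out`, `parse_opt_sha256_96`) are named after the option they set; calling it `parse_opt_mark_in_sa` would match the `mark_in_sa` key registered in the @@ -1562 hunk and avoid confusion with `parse_mark` on the adjacent `mark_in` entry. The change is `CALLBACK(parse_opt_mark_in_sa, bool,` in the definition and `{ "mark_in_sa", parse_opt_mark_in_sa, &child->cfg.options },` in the table. All option keys write into the same `child->cfg.options` field through `parse_option`, whose set/clear behaviour is not visible here; presumably it only touches the one flag it is given, which is worth confirming so that a later key cannot clobber an earlier one.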
@@ -867,25 +867,37 @@ connections.<conn>.children.<child>.interface =
connections.<conn>.children.<child>.mark_in = 0/0x00000000
Netfilter mark and mask for input traffic.
- Netfilter mark and mask for input traffic. On Linux Netfilter may require
- marks on each packet to match an SA having that option set. This allows
- Netfilter rules to select specific tunnels for incoming traffic. The
- special value _%unique_ sets a unique mark on each CHILD_SA instance,
- beyond that the value _%unique-dir_ assigns a different unique mark for each
+ Netfilter mark and mask for input traffic. On Linux, Netfilter may require
+ marks on each packet to match an SA/policy having that option set. This
+ allows installing duplicate policies and enables Netfilter rules to select
+ specific SAs/policies for incoming traffic. Note that inbound marks are
+ only set on policies, by default, unless *mark_in_sa* is enabled. The
+ special value _%unique_ sets a unique mark on each CHILD_SA instance, beyond
+ that the value _%unique-dir_ assigns a different unique mark for each
CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff.
+connections.<conn>.children.<child>.mark_in_sa = no
+ Whether to set *mark_in* on the inbound SA.
+
+ Whether to set *mark_in* on the inbound SA. By default, the inbound mark is
+ only set on the inbound policy. The tuple destination address, protocol and
+ SPI is unique and the mark is not required to find the correct SA, allowing
+ to mark traffic after decryption instead (where more specific selectors may
+ be used) to match different policies. Marking packets before decryption is
+ still possible, even if no mark is set on the SA.
+
connections.<conn>.children.<child>.mark_out = 0/0x00000000
Netfilter mark and mask for output traffic.
- Netfilter mark and mask for output traffic. On Linux Netfilter may require
- marks on each packet to match a policy having that option set.
This allows
- Netfilter rules to select specific tunnels for outgoing traffic. The
- special value _%unique_ sets a unique mark on each CHILD_SA instance,
- beyond that the value _%unique-dir_ assigns a different unique mark for each
- CHILD_SA direction (in/out).
+ Netfilter mark and mask for output traffic. On Linux, Netfilter may require
+ marks on each packet to match a policy/SA having that option set. This
+ allows installing duplicate policies and enables Netfilter rules to select
+ specific policies/SAs for outgoing traffic. The special value _%unique_ sets
+ a unique mark on each CHILD_SA instance, beyond that the value _%unique-dir_
+ assigns a different unique mark for each CHILD_SA direction (in/out).
An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. |