-rw-r--r--man/strongswan.conf.5.in3
-rw-r--r--src/libcharon/plugins/socket_default/socket_default_socket.c18
2 files changed, 21 insertions, 0 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 2af6e7394..783f16c2c 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -661,6 +661,9 @@ is appended to this prefix to make it unique. The result has to be a valid
interface name according to the rules defined by resolvconf. Also, it should
have a high priority according to the order defined in interface-order(5).
.TP
+.BR charon.plugins.socket-default.fwmark
+Firewall mark to set on outbound packets.
+.TP
.BR charon.plugins.socket-default.set_source " [yes]"
Set source address on outbound packets, if possible.
.TP
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 3aa09bef8..ea976dfe9 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -611,6 +611,24 @@ static int open_socket(private_socket_default_socket_t *this,
return -1;
}
}
+#ifdef SO_MARK
+ { /* set optional MARK on socket (requires CAP_NET_ADMIN) */
+ char *fwmark;
+ mark_t mark;
+
+ fwmark = lib->settings->get_str(lib->settings,
+ "%s.plugins.socket-default.fwmark", NULL, charon->name);
+ if (fwmark && mark_from_string(fwmark, &mark))
+ {
+ if (setsockopt(skt, SOL_SOCKET, SO_MARK, &mark.value,
+ sizeof(mark.value)) < 0)
+ {
+ DBG1(DBG_NET, "unable to set SO_MARK on socket: %s",
+ strerror(errno));
+ }
+ }
+ }
+#endif
if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
skt, family))
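Review bot: A configured `fwmark` that does not parse is dropped without any log message, because the added `if (fwmark && mark_from_string(fwmark, &mark))` has no `else` branch and the socket is then opened unmarked. A failing `setsockopt(skt, SOL_SOCKET, SO_MARK, ...)` is only logged at DBG1 and open_socket carries on, whereas the context line `return -1;` just above suggests earlier option failures abort the open. If policy routing or firewall rules depend on the mark to identify the daemon's own traffic, either case silently sends packets down the unmarked path. I would add `else if (fwmark) { DBG1(DBG_NET, "invalid fwmark '%s', socket not marked", fwmark); }` and state in a comment whether continuing after a failed SO_MARK (e.g. missing CAP_NET_ADMIN) is intended. open_socket begins and ends outside this hunk.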