Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/args.c2
-rw-r--r--src/starter/confread.c74
-rw-r--r--src/starter/confread.h11
-rw-r--r--src/starter/keywords.h4
-rw-r--r--src/starter/keywords.txt2
-rw-r--r--src/starter/starterstroke.c6
6 files changed, 67 insertions, 32 deletions
diff --git a/src/starter/args.c b/src/starter/args.c
index 4fe9c9d27..ab6b60509 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -236,6 +236,8 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_conn_t, me_peerid), NULL },
{ ARG_UINT, offsetof(starter_conn_t, reqid), NULL },
{ ARG_MISC, 0, NULL /* KW_MARK */ },
+ { ARG_MISC, 0, NULL /* KW_MARK_IN */ },
+ { ARG_MISC, 0, NULL /* KW_MARK_OUT */ },
/* ca section keywords */
{ ARG_STR, offsetof(starter_ca_t, name), NULL },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 6ebdaf58b..399e17844 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -461,6 +461,41 @@ static void handle_firewall(const char *label, starter_end_t *end,
}
}
+static bool handle_mark(char *value, mark_t *mark)
+{
+ char *pos, *endptr;
+
+ pos = strchr(value, '/');
+ if (pos)
+ {
+ *pos = '\0';
+ mark->mask = strtoul(pos+1, &endptr, 0);
+ if (*endptr != '\0')
+ {
+ plog("# invalid mark mask: %s", pos+1);
+ return FALSE;
+ }
+ }
+ else
+ {
+ mark->mask = 0xffffffff;
+ }
+ if (value == '\0')
+ {
+ mark->value = 0;
+ }
+ else
+ {
+ mark->value = strtoul(value, &endptr, 0);
+ if (*endptr != '\0')
+ {
+ plog("# invalid mark value: %s", value);
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
/*
* parse a conn section
*/
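Review bot: In handle_mark the test `if (value == '\0')` compares the pointer itself with zero rather than its first character, so it is a NULL check and the empty-string branch is never taken for a non-NULL value; the code this replaces used `*kw->value == '\0'`, so it should read `if (*value == '\0')`. The result is the same today only because strtoul() on an empty string returns 0 and leaves endptr on the terminator, which also means an empty mask after `/` is accepted as mask 0. Both strtoul() results are stored into `u_int32_t` fields without a range check, so where unsigned long is wider than 32 bits an oversized value or mask is silently truncated. For a setting that selects which traffic a policy applies to, rejecting such input is safer: check `errno == ERANGE` and that the result is not above `0xffffffff` before assigning, and treat `endptr == pos+1` as invalid.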
@@ -672,40 +707,25 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
break;
}
case KW_MARK:
- {
- char *pos, *endptr;
-
- pos = strchr(kw->value, '/');
- if (pos)
+ if (!handle_mark(kw->value, &conn->mark_in))
{
- *pos = '\0';
- conn->mark_mask = strtoul(pos+1, &endptr, 0);
- if (*endptr != '\0')
- {
- plog("# invalid mark mask: %s", pos+1);
- cfg->err++;
- break;
- }
- }
- else
- {
- conn->mark_mask = 0xffffffff;
+ cfg->err++;
+ break;
}
- if (*kw->value == '\0')
+ conn->mark_out = conn->mark_in;
+ break;
+ case KW_MARK_IN:
+ if (!handle_mark(kw->value, &conn->mark_in))
{
- conn->mark_value = 0;
+ cfg->err++;
}
- else
+ break;
+ case KW_MARK_OUT:
+ if (!handle_mark(kw->value, &conn->mark_out))
{
- conn->mark_value = strtoul(kw->value, &endptr, 0);
- if (*endptr != '\0')
- {
- plog("# invalid mark value: %s", kw->value);
- cfg->err++;
- }
+ cfg->err++;
}
break;
- }
case KW_KEYINGTRIES:
if (streq(kw->value, "%forever"))
{
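Review bot: The `KW_MARK` case overwrites both `conn->mark_in` and `conn->mark_out`, so the effective marks depend on the order in which `mark`, `mark_in` and `mark_out` are processed, and nothing in the case says which is meant to win. If keywords are handled in file order (not visible here), a `mark` line placed after `mark_out` silently replaces the more specific setting; a comment such as `/* mark sets both directions; a later mark_in/mark_out overrides one side */` would document the intended precedence. handle_mark also stores the mask before the value is validated, so on the failure path `mark_in` is left half-updated, which is harmless only if a non-zero `cfg->err` keeps the conn from being loaded. load_conn's body begins and ends outside the hunk.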
diff --git a/src/starter/confread.h b/src/starter/confread.h
index ada155d7a..5e4356ea3 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -95,6 +95,13 @@ struct also {
also_t *next;
};
+typedef struct mark_t mark_t;
+
+struct mark_t{
+ u_int32_t value;
+ u_int32_t mask;
+};
+
typedef struct starter_conn starter_conn_t;
struct starter_conn {
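Review bot: The new type uses `struct mark_t` as its tag, while the neighbouring declarations in this hunk keep the `_t` suffix for the typedef only (`struct also`, `struct starter_conn` with `starter_conn_t`). Declaring it as `typedef struct mark mark_t;` and `struct mark {` would match them, and would also fix the missing space in `struct mark_t{`. The struct has no comment; something like `/* mark value and mask; mask is 0xffffffff when no "/mask" is given */` would record the default that handle_mark applies in confread.c.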
@@ -122,8 +129,8 @@ struct starter_conn {
unsigned long sa_keying_tries;
unsigned long sa_rekey_fuzz;
u_int32_t reqid;
- u_int32_t mark_value;
- u_int32_t mark_mask;
+ mark_t mark_in;
+ mark_t mark_out;
sa_family_t addr_family;
sa_family_t tunnel_addr_family;
bool install_policy;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index ea702fdbc..25d2ce4b9 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -99,9 +99,11 @@ typedef enum {
KW_ME_PEERID,
KW_REQID,
KW_MARK,
+ KW_MARK_IN,
+ KW_MARK_OUT,
#define KW_CONN_FIRST KW_CONN_SETUP
-#define KW_CONN_LAST KW_MARK
+#define KW_CONN_LAST KW_MARK_OUT
/* ca section keywords */
KW_CA_NAME,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index a9d2af42a..fcdc60cff 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -90,6 +90,8 @@ mediated_by, KW_MEDIATED_BY
me_peerid, KW_ME_PEERID
reqid, KW_REQID
mark, KW_MARK
+mark_in, KW_MARK_IN
+mark_out, KW_MARK_OUT
cacert, KW_CACERT
ldaphost, KW_LDAPHOST
ldapbase, KW_LDAPBASE
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 475f07c74..9c69ab9e5 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -270,8 +270,10 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
msg.add_conn.reqid = conn->reqid;
- msg.add_conn.mark.value = conn->mark_value;
- msg.add_conn.mark.mask = conn->mark_mask;
+ msg.add_conn.mark_in.value = conn->mark_in.value;
+ msg.add_conn.mark_in.mask = conn->mark_in.mask;
+ msg.add_conn.mark_out.value = conn->mark_out.value;
+ msg.add_conn.mark_out.mask = conn->mark_out.mask;
starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);