From 33d3ffde25d5354ec36c26b764ab36179ef0fb34 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 29 Aug 2016 16:39:18 +0200
Subject: kernel-netlink: Pass zero mark to kernel if mask is set

The kernel will apply the mask to the mark on the packet and then
compare it to the configured mark.  So to match only unmarked packets we
have to be able to set 0/0xffffffff.
---
 src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c')

diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 6b06c269b..f3846ec07 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1245,7 +1245,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
  */
 static void format_mark(char *buf, int buflen, mark_t mark)
 {
-	if (mark.value)
+	if (mark.value | mark.mask)
 	{
 		snprintf(buf, buflen, " (mark %u/0x%08x)", mark.value, mark.mask);
 	}
@@ -1256,7 +1256,7 @@ static void format_mark(char *buf, int buflen, mark_t mark)
  */
 static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
 {
-	if (mark.value)
+	if (mark.value | mark.mask)
 	{
 		struct xfrm_mark *xmrk;
 
-- 
cgit v1.2.3