vici: Make setting mark on inbound SA configurable
parent
ea43f8ffe5
commit
2d244f178f
@ -495,6 +495,7 @@ static void log_child_data(child_data_t *data, char *name)
|
|||
{
|
||||
child_cfg_create_t *cfg = &data->cfg;
|
||||
|
||||
#define has_opt(opt) ({ (cfg->options & (opt)) == (opt); })
|
||||
DBG2(DBG_CFG, " child %s:", name);
|
||||
DBG2(DBG_CFG, " rekey_time = %llu", cfg->lifetime.time.rekey);
|
||||
DBG2(DBG_CFG, " life_time = %llu", cfg->lifetime.time.life);
|
||||
|
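Review bot: The function-local `has_opt` macro defined here is never undefined once log_child_data closes at the end of the third hunk (the `}` followed by the next `/**` comment), so it stays visible to the rest of the translation unit and silently binds to whatever `cfg` happens to be in scope wherever it is next used. Adding `#undef has_opt` directly after that closing brace keeps the helper scoped to the one function that defines it. The `({ ...; })` statement-expression form is a GCC/Clang extension; since the body is a single expression, `#define has_opt(opt) (((cfg)->options & (opt)) == (opt))` gives the same result in plain C, though if the file already relies on statement expressions elsewhere the current form is acceptable. log_child_data's body is split across the first three hunks and its remaining lines lie outside them.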
@ -506,12 +507,12 @@ static void log_child_data(child_data_t *data, char *name)
|
|||
DBG2(DBG_CFG, " life_packets = %llu", cfg->lifetime.packets.life);
|
||||
DBG2(DBG_CFG, " rand_packets = %llu", cfg->lifetime.packets.jitter);
|
||||
DBG2(DBG_CFG, " updown = %s", cfg->updown);
|
||||
DBG2(DBG_CFG, " hostaccess = %u", cfg->options & OPT_HOSTACCESS);
|
||||
DBG2(DBG_CFG, " ipcomp = %u", cfg->options & OPT_IPCOMP);
|
||||
DBG2(DBG_CFG, " hostaccess = %u", has_opt(OPT_HOSTACCESS));
|
||||
DBG2(DBG_CFG, " ipcomp = %u", has_opt(OPT_IPCOMP));
|
||||
DBG2(DBG_CFG, " mode = %N%s", ipsec_mode_names, cfg->mode,
|
||||
cfg->options & OPT_PROXY_MODE ? "_PROXY" : "");
|
||||
has_opt(OPT_PROXY_MODE) ? "_PROXY" : "");
|
||||
DBG2(DBG_CFG, " policies = %u", data->policies);
|
||||
DBG2(DBG_CFG, " policies_fwd_out = %u", cfg->options & OPT_FWD_OUT_POLICIES);
|
||||
DBG2(DBG_CFG, " policies_fwd_out = %u", has_opt(OPT_FWD_OUT_POLICIES));
|
||||
if (data->replay_window != REPLAY_UNDEFINED)
|
||||
{
|
||||
DBG2(DBG_CFG, " replay_window = %u", data->replay_window);
|
||||
|
@ -525,14 +526,15 @@ static void log_child_data(child_data_t *data, char *name)
|
|||
DBG2(DBG_CFG, " interface = %s", cfg->interface);
|
||||
DBG2(DBG_CFG, " mark_in = %u/%u",
|
||||
cfg->mark_in.value, cfg->mark_in.mask);
|
||||
DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
|
||||
DBG2(DBG_CFG, " mark_out = %u/%u",
|
||||
cfg->mark_out.value, cfg->mark_out.mask);
|
||||
DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity);
|
||||
DBG2(DBG_CFG, " proposals = %#P", data->proposals);
|
||||
DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
|
||||
DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
|
||||
DBG2(DBG_CFG, " hw_offload = %u", cfg->options & OPT_HW_OFFLOAD);
|
||||
DBG2(DBG_CFG, " sha256_96 = %u", cfg->options & OPT_SHA256_96);
|
||||
DBG2(DBG_CFG, " hw_offload = %u", has_opt(OPT_HW_OFFLOAD));
|
||||
DBG2(DBG_CFG, " sha256_96 = %u", has_opt(OPT_SHA256_96));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -882,7 +884,7 @@ CALLBACK(parse_opt_fwd_out, bool,
|
|||
}
|
||||
|
||||
/**
|
||||
* Parse OPT_FWD_OUT_POLICIES option
|
||||
* Parse OPT_IPCOMP option
|
||||
*/
|
||||
CALLBACK(parse_opt_ipcomp, bool,
|
||||
child_cfg_option_t *out, chunk_t v)
|
||||
|
@ -908,6 +910,15 @@ CALLBACK(parse_opt_sha256_96, bool,
|
|||
return parse_option(out, OPT_SHA256_96, v);
|
||||
}
|
||||
|
||||
/**
|
||||
* Parse OPT_MARK_IN_SA option
|
||||
*/
|
||||
CALLBACK(parse_opt_mark_in, bool,
|
||||
child_cfg_option_t *out, chunk_t v)
|
||||
{
|
||||
return parse_option(out, OPT_MARK_IN_SA, v);
|
||||
}
|
||||
|
||||
/**
|
||||
* Parse an action_t
|
||||
*/
|
||||
|
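Review bot: The new callback is named `parse_opt_mark_in` yet it parses `OPT_MARK_IN_SA` for the `mark_in_sa` key, while the `mark_in` key itself is handled by `parse_mark` in the `child_kv` table of the last C hunk, so the name invites confusion between the two settings. Renaming it to mirror the option and key would read unambiguously: `CALLBACK(parse_opt_mark_in_sa, bool,` here and `{ "mark_in_sa", parse_opt_mark_in_sa, &child->cfg.options },` in the table. The doc comment `Parse OPT_MARK_IN_SA option` already spells out the full name, so only the identifier is inconsistent.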
@ -1562,6 +1573,7 @@ CALLBACK(child_kv, bool,
|
|||
{ "inactivity", parse_time, &child->cfg.inactivity },
|
||||
{ "reqid", parse_uint32, &child->cfg.reqid },
|
||||
{ "mark_in", parse_mark, &child->cfg.mark_in },
|
||||
{ "mark_in_sa", parse_opt_mark_in, &child->cfg.options },
|
||||
{ "mark_out", parse_mark, &child->cfg.mark_out },
|
||||
{ "tfc_padding", parse_tfc, &child->cfg.tfc },
|
||||
{ "priority", parse_uint32, &child->cfg.priority },
|
||||
|
|
|
@ -867,25 +867,37 @@ connections.<conn>.children.<child>.interface =
|
|||
connections.<conn>.children.<child>.mark_in = 0/0x00000000
|
||||
Netfilter mark and mask for input traffic.
|
||||
|
||||
Netfilter mark and mask for input traffic. On Linux Netfilter may require
|
||||
marks on each packet to match an SA having that option set. This allows
|
||||
Netfilter rules to select specific tunnels for incoming traffic. The
|
||||
special value _%unique_ sets a unique mark on each CHILD_SA instance,
|
||||
beyond that the value _%unique-dir_ assigns a different unique mark for each
|
||||
Netfilter mark and mask for input traffic. On Linux, Netfilter may require
|
||||
marks on each packet to match an SA/policy having that option set. This
|
||||
allows installing duplicate policies and enables Netfilter rules to select
|
||||
specific SAs/policies for incoming traffic. Note that inbound marks are
|
||||
only set on policies, by default, unless *mark_in_sa* is enabled. The
|
||||
special value _%unique_ sets a unique mark on each CHILD_SA instance, beyond
|
||||
that the value _%unique-dir_ assigns a different unique mark for each
|
||||
CHILD_SA direction (in/out).
|
||||
|
||||
An additional mask may be appended to the mark, separated by _/_. The
|
||||
default mask if omitted is 0xffffffff.
|
||||
|
||||
connections.<conn>.children.<child>.mark_in_sa = no
|
||||
Whether to set *mark_in* on the inbound SA.
|
||||
|
||||
Whether to set *mark_in* on the inbound SA. By default, the inbound mark is
|
||||
only set on the inbound policy. The tuple destination address, protocol and
|
||||
SPI is unique and the mark is not required to find the correct SA, allowing
|
||||
to mark traffic after decryption instead (where more specific selectors may
|
||||
be used) to match different policies. Marking packets before decryption is
|
||||
still possible, even if no mark is set on the SA.
|
||||
|
||||
connections.<conn>.children.<child>.mark_out = 0/0x00000000
|
||||
Netfilter mark and mask for output traffic.
|
||||
|
||||
Netfilter mark and mask for output traffic. On Linux Netfilter may require
|
||||
marks on each packet to match a policy having that option set. This allows
|
||||
Netfilter rules to select specific tunnels for outgoing traffic. The
|
||||
special value _%unique_ sets a unique mark on each CHILD_SA instance,
|
||||
beyond that the value _%unique-dir_ assigns a different unique mark for each
|
||||
CHILD_SA direction (in/out).
|
||||
Netfilter mark and mask for output traffic. On Linux, Netfilter may require
|
||||
marks on each packet to match a policy/SA having that option set. This
|
||||
allows installing duplicate policies and enables Netfilter rules to select
|
||||
specific policies/SAs for outgoing traffic. The special value _%unique_ sets
|
||||
a unique mark on each CHILD_SA instance, beyond that the value _%unique-dir_
|
||||
assigns a different unique mark for each CHILD_SA direction (in/out).
|
||||
|
||||
An additional mask may be appended to the mark, separated by _/_. The
|
||||
default mask if omitted is 0xffffffff.
|
||||
|