Christophe Gouault
2017-08-22 15:22:56 UTC
The following commit removed the assignment of the child_sa mark_in to
the inbound SA:
067fd2c69c25 ("child-sa: Do not install mark on inbound kernel SA")
However marking the inbound SA may be needed in some use cases.
Add a global strongswan.conf option to choose the behavior:
mark_inbound_sa = no|yes
If mark_inbound_sa is no, never mark the inbound kernel SA.
If mark_inbound_sa is yes, assign the child_sa mark_in to the inbound
kernel SA.
Signed-off-by: Christophe Gouault <***@6wind.com>
---
src/libcharon/sa/child_sa.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 4133d9182e6b..ff0eda661cce 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -163,6 +163,11 @@ struct private_child_sa_t {
mark_t mark_out;
/**
+ * mark used for the inbound kernel SA (= mark_in or any)
+ */
+ mark_t mark_sa_in;
+
+ /**
* absolute time when rekeying is scheduled
*/
time_t rekey_time;
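Review bot: The comment on the new field, `mark used for the inbound kernel SA (= mark_in or any)`, leaves "any" ambiguous, since the field is either a copy of mark_in or never assigned at all; I'd word it `mark installed on the inbound kernel SA: mark_in if mark_inbound_sa is enabled, otherwise empty` so a reader of the struct knows both states. It would also help to say where the empty state comes from, because nothing in this commit writes the field when the option is off (see the child_sa_create hunk). The enclosing struct private_child_sa_t starts and ends outside the hunk.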
@@ -525,6 +530,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
.dst = this->my_addr,
.spi = this->my_spi,
.proto = proto_ike2ip(this->protocol),
+ .mark = this->mark_sa_in,
};
kernel_ipsec_query_sa_t query = {};
@@ -857,7 +863,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
.dst = dst,
.spi = spi,
.proto = proto_ike2ip(this->protocol),
- .mark = inbound ? (mark_t){} : this->mark_out,
+ .mark = inbound ? this->mark_sa_in : this->mark_out,
};
sa = (kernel_ipsec_add_sa_t){
.reqid = this->reqid,
@@ -1475,6 +1481,7 @@ METHOD(child_sa_t, update, status_t,
.dst = this->my_addr,
.spi = this->my_spi,
.proto = proto_ike2ip(this->protocol),
+ .mark = this->mark_sa_in,
};
kernel_ipsec_update_sa_t sa = {
.cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
@@ -1660,6 +1667,7 @@ METHOD(child_sa_t, destroy, void,
.dst = this->my_addr,
.spi = this->my_spi,
.proto = proto_ike2ip(this->protocol),
+ .mark = this->mark_sa_in,
};
kernel_ipsec_del_sa_t sa = {
.cpi = this->my_cpi,
@@ -1849,6 +1857,13 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
}
}
+ /* whether to mark inbound kernel SA */
+ if (lib->settings->get_bool(lib->settings,
+ "%s.mark_inbound_sa", FALSE, lib->ns))
+ {
+ this->mark_sa_in = this->mark_in;
+ }
+
if (!this->reqid)
{
/* reuse old reqid if we are rekeying an existing CHILD_SA. While the
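Review bot: The copy `this->mark_sa_in = this->mark_in;` freezes whatever mark_in holds at this point, and the hunk shows only two closing braces above it, so I cannot confirm from the diff that mark_in is final here; if mark_in is still resolved later in child_sa_create (for instance when a unique mark is allocated), the inbound SA would be installed, queried and deleted with a stale mark, and a delete with a mismatched mark would presumably leave the kernel SA behind. When the option is off the field is never written, so its empty value depends entirely on the object being zero-initialized at allocation; an explicit `else { this->mark_sa_in = (mark_t){}; }` (the form already used in the old install_internal line) makes that independent of the allocator. Finally, the commit adds a new strongswan.conf setting but no option documentation; the setting should be described alongside the other charon options with its default `no` and a sentence on when marking the inbound SA is needed. child_sa_create starts and ends outside the hunk.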
the inbound SA:
067fd2c69c25 ("child-sa: Do not install mark on inbound kernel SA")
However marking the inbound SA may be needed in some use cases.
Add a global strongswan.conf option to choose the behavior:
mark_inbound_sa = no|yes
If mark_inbound_sa is no, never mark the inbound kernel SA.
If mark_inbound_sa is yes, assign the child_sa mark_in to the inbound
kernel SA.
Signed-off-by: Christophe Gouault <***@6wind.com>
---
src/libcharon/sa/child_sa.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 4133d9182e6b..ff0eda661cce 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -163,6 +163,11 @@ struct private_child_sa_t {
mark_t mark_out;
/**
+ * mark used for the inbound kernel SA (= mark_in or any)
+ */
+ mark_t mark_sa_in;
+
+ /**
* absolute time when rekeying is scheduled
*/
time_t rekey_time;
@@ -525,6 +530,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
.dst = this->my_addr,
.spi = this->my_spi,
.proto = proto_ike2ip(this->protocol),
+ .mark = this->mark_sa_in,
};
kernel_ipsec_query_sa_t query = {};
@@ -857,7 +863,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
.dst = dst,
.spi = spi,
.proto = proto_ike2ip(this->protocol),
- .mark = inbound ? (mark_t){} : this->mark_out,
+ .mark = inbound ? this->mark_sa_in : this->mark_out,
};
sa = (kernel_ipsec_add_sa_t){
.reqid = this->reqid,
@@ -1475,6 +1481,7 @@ METHOD(child_sa_t, update, status_t,
.dst = this->my_addr,
.spi = this->my_spi,
.proto = proto_ike2ip(this->protocol),
+ .mark = this->mark_sa_in,
};
kernel_ipsec_update_sa_t sa = {
.cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
@@ -1660,6 +1667,7 @@ METHOD(child_sa_t, destroy, void,
.dst = this->my_addr,
.spi = this->my_spi,
.proto = proto_ike2ip(this->protocol),
+ .mark = this->mark_sa_in,
};
kernel_ipsec_del_sa_t sa = {
.cpi = this->my_cpi,
@@ -1849,6 +1857,13 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
}
}
+ /* whether to mark inbound kernel SA */
+ if (lib->settings->get_bool(lib->settings,
+ "%s.mark_inbound_sa", FALSE, lib->ns))
+ {
+ this->mark_sa_in = this->mark_in;
+ }
+
if (!this->reqid)
{
/* reuse old reqid if we are rekeying an existing CHILD_SA. While the
--
2.1.4