[strongSwan-dev] [PATCH mark-inbound-sa v2 1/2] fixup! child-cfg: Optionally set mark on inbound SA

Christophe Gouault christophe.gouault at 6wind.com
Thu Aug 24 08:54:22 CEST 2017


---
 src/libcharon/sa/child_sa.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 7ed96910d7e7..fdd25e474f85 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -163,6 +163,12 @@ struct private_child_sa_t {
 	mark_t mark_out;
 
 	/**
+	 * mark used for the inbound kernel SA
+	 * (= mark_in if OPT_MARK_IN_SA, 0/0 else)
+	 */
+	mark_t mark_sa_in;
+
+	/**
 	 * absolute time when rekeying is scheduled
 	 */
 	time_t rekey_time;
@@ -754,7 +760,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
 	uint32_t tfc = 0;
 	host_t *src, *dst;
 	status_t status;
-	mark_t mark = (mark_t){};
+	mark_t mark;
 	bool update = FALSE;
 
 	/* BEET requires the bound address from the traffic selectors */
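Review bot: Dropping the `= (mark_t){}` initializer on the `mark_t mark;` line makes the value depend on every branch of the following if/else assigning `mark`; the inbound branch in the next hunk does (`mark = this->mark_sa_in;`), but the else branch begins at that hunk's end and runs outside it, so whether it assigns `mark` on every path cannot be confirmed here. If it does, a short comment on the declaration such as `mark_t mark;  /* set per direction below */` would record that the missing initializer is deliberate; if it does not, keep the zero initializer, since reading an unassigned automatic variable is undefined behaviour. install_internal's body starts before and continues after both hunks.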
@@ -778,10 +784,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
 		this->my_cpi = cpi;
 		dst_ts = my_ts;
 		src_ts = other_ts;
-		if (this->config->has_option(this->config, OPT_MARK_IN_SA))
-		{
-			mark = this->mark_in;
-		}
+		mark = this->mark_sa_in;
 	}
 	else
 	{
@@ -1481,6 +1484,7 @@ METHOD(child_sa_t, update, status_t,
 				.dst = this->my_addr,
 				.spi = this->my_spi,
 				.proto = proto_ike2ip(this->protocol),
+				.mark = this->mark_sa_in,
 			};
 			kernel_ipsec_update_sa_t sa = {
 				.cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
@@ -1666,6 +1670,7 @@ METHOD(child_sa_t, destroy, void,
 			.dst = this->my_addr,
 			.spi = this->my_spi,
 			.proto = proto_ike2ip(this->protocol),
+			.mark = this->mark_sa_in,
 		};
 		kernel_ipsec_del_sa_t sa = {
 			.cpi = this->my_cpi,
@@ -1855,6 +1860,11 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 		}
 	}
 
+	if (config->has_option(this->config, OPT_MARK_IN_SA))
+	{
+		this->mark_sa_in = this->mark_in;
+	}
+
 	if (!this->reqid)
 	{
 		/* reuse old reqid if we are rekeying an existing CHILD_SA. While the
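Review bot: The new check `if (config->has_option(this->config, OPT_MARK_IN_SA))` invokes the method through `config` but passes `this->config` as the object; they are presumably the same pointer at this point, but the mixed form reads like a slip and should use one consistently, e.g. `if (config->has_option(config, OPT_MARK_IN_SA))`. Also, `mark_sa_in` is assigned only when the option is set, so the "0/0 else" default promised in the struct comment relies on the object being zero-filled at allocation, which is not visible in this hunk; if it is not, add `else { this->mark_sa_in = (mark_t){}; }`. child_sa_create continues outside the hunk.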
-- 
2.1.4


