author | Yves-Alexis Perez <corsac@debian.org> | 2018-09-24 15:11:14 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2018-09-24 15:11:14 +0200 |
commit | e0e280b7669435b991b7e457abd8aa450930b3e8 (patch) | |
tree | 3e6084f13b14ad2df104e2ce6e589eb96c5f7ac9 /src/libstrongswan/ipsec | |
parent | 51a71ee15c1bcf0e82f363a16898f571e211f9c3 (diff) | |
New upstream version 5.7.0
Diffstat (limited to 'src/libstrongswan/ipsec')
-rw-r--r-- | src/libstrongswan/ipsec/ipsec_types.c | 32 | ||||
-rw-r--r-- | src/libstrongswan/ipsec/ipsec_types.h | 34 |
2 files changed, 64 insertions, 2 deletions
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
index 16dbf8d41..6f19cc751 100644
--- a/src/libstrongswan/ipsec/ipsec_types.c
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -43,6 +43,13 @@ ENUM(hw_offload_names, HW_OFFLOAD_NO, HW_OFFLOAD_AUTO,
 "auto",
 );
+ENUM(dscp_copy_names, DSCP_COPY_OUT_ONLY, DSCP_COPY_NO,
+ "out",
+ "in",
+ "yes",
+ "no",
+);
+
 /*
 * See header
 */
@@ -62,7 +69,7 @@ bool ipsec_sa_cfg_equals(ipsec_sa_cfg_t *a, ipsec_sa_cfg_t *b)
 /*
 * See header
 */
-bool mark_from_string(const char *value, mark_t *mark)
+bool mark_from_string(const char *value, mark_op_t ops, mark_t *mark)
 {
 char *endptr;
@@ -72,6 +79,11 @@ bool mark_from_string(const char *value, mark_t *mark)
 }
 if (strcasepfx(value, "%unique"))
 {
+ if (!(ops & MARK_OP_UNIQUE))
+ {
+ DBG1(DBG_APP, "unexpected use of %%unique mark", value);
+ return FALSE;
+ }
 endptr = (char*)value + strlen("%unique");
 if (strcasepfx(endptr, "-dir"))
 {
@@ -88,6 +100,24 @@ bool mark_from_string(const char *value, mark_t *mark)
 return FALSE;
 }
 }
+ else if (strcasepfx(value, "%same"))
+ {
+ if (!(ops & MARK_OP_SAME))
+ {
+ DBG1(DBG_APP, "unexpected use of %%same mark", value);
+ return FALSE;
+ }
+ endptr = (char*)value + strlen("%same");
+ if (!*endptr || *endptr == '/')
+ {
+ mark->value = MARK_SAME;
+ }
+ else
+ {
+ DBG1(DBG_APP, "invalid mark value: %s", value);
+ return FALSE;
+ }
+ }
 else
 {
 mark->value = strtoul(value, &endptr, 0);
diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h
index 4e6e2d9dc..7b7bd3743 100644
--- a/src/libstrongswan/ipsec/ipsec_types.h
+++ b/src/libstrongswan/ipsec/ipsec_types.h
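Review bot: The new `DBG1(DBG_APP, "unexpected use of %%unique mark", value);` passes `value` but the format string has no conversion for it, so the rejected string never reaches the log; the `%%same` rejection in the `@@ -88,6 +100,24 @@` hunk has the same mismatch. Either drop the argument or log it, e.g. `DBG1(DBG_APP, "unexpected use of %%unique mark: %s", value);`, which would match the existing `"invalid mark value: %s"` message. Assuming DBG1 follows printf semantics, the surplus argument is ignored at run time, so this costs diagnostics when a configuration is refused rather than memory safety. mark_from_string's body starts and ends outside this hunk.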
@@ -27,6 +27,8 @@ typedef enum policy_type_t policy_type_t;
 typedef enum policy_priority_t policy_priority_t;
 typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef enum hw_offload_t hw_offload_t;
+typedef enum dscp_copy_t dscp_copy_t;
+typedef enum mark_op_t mark_op_t;
 typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
 typedef struct lifetime_cfg_t lifetime_cfg_t;
 typedef struct mark_t mark_t;
@@ -132,6 +134,22 @@ enum hw_offload_t {
 extern enum_name_t *hw_offload_names;
 /**
+ * DSCP header field copy behavior (the default is not to copy from outer
+ * to inner header)
+ */
+enum dscp_copy_t {
+ DSCP_COPY_OUT_ONLY,
+ DSCP_COPY_IN_ONLY,
+ DSCP_COPY_YES,
+ DSCP_COPY_NO,
+};
+
+/**
+ * enum strings for dscp_copy_t.
+ */
+extern enum_name_t *dscp_copy_names;
+
+/**
 * This struct contains details about IPsec SA(s) tied to a policy.
 */
 struct ipsec_sa_cfg_t {
@@ -197,15 +215,29 @@ struct mark_t {
 */
 #define MARK_UNIQUE (0xFFFFFFFF)
 #define MARK_UNIQUE_DIR (0xFFFFFFFE)
+#define MARK_SAME (0xFFFFFFFF)
 #define MARK_IS_UNIQUE(m) ((m) == MARK_UNIQUE || (m) == MARK_UNIQUE_DIR)
 /**
+ * Special mark operations to accept when parsing marks.
+ */
+enum mark_op_t {
+ /** none of the following */
+ MARK_OP_NONE = 0,
+ /** %unique and %unique-dir */
+ MARK_OP_UNIQUE = (1<<0),
+ /** %same */
+ MARK_OP_SAME = (1<<1),
+};
+
+/**
 * Try to parse a mark_t from the given string of the form mark[/mask].
 *
 * @param value string to parse
+ * @param ops operations to accept
 * @param mark mark to fill
 * @return TRUE if parsing was successful
 */
-bool mark_from_string(const char *value, mark_t *mark);
+bool mark_from_string(const char *value, mark_op_t ops, mark_t *mark);
 #endif /** IPSEC_TYPES_H_ @}*/ |
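Review bot: The doc comment on `enum dscp_copy_t` mentions a default but does not say which enumerator it is, and the four values have no per-value comments. Presumably the default is the zero value `DSCP_COPY_OUT_ONLY`, but that should be confirmed and written down, e.g. `/** copy DSCP from inner to outer header only (default) */` above it, with a matching line for each of the others. The declaration order also matters: `dscp_copy_names` in ipsec_types.c is built positionally from `DSCP_COPY_OUT_ONLY` to `DSCP_COPY_NO` with the strings "out", "in", "yes", "no". A one-line comment such as `/* order must match dscp_copy_names */` would keep a later insertion from silently shifting the names.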
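Review bot: `#define MARK_SAME (0xFFFFFFFF)` has the same value as `MARK_UNIQUE`, so `MARK_IS_UNIQUE()` is true for a mark parsed from `%same` and `mark->value` alone cannot tell the two apart. A caller that passes `MARK_OP_UNIQUE | MARK_OP_SAME` to `mark_from_string()` would get an ambiguous result, and marks typically decide which policy or SA traffic is matched against. If the overlap is intentional, state it where the constant is defined and in the `ops` parameter description, e.g. `/** same value as MARK_UNIQUE: never accept %unique and %same for the same mark */`. The comment block above `MARK_UNIQUE` starts outside this hunk, so it cannot be ruled out that part of this is already covered there.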