New upstream version 5.6.0

2 files changed, 17 insertions, 2 deletions

diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
index a52a1eb51..68c3935b9 100644
--- a/src/libstrongswan/ipsec/ipsec_types.c
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -66,8 +66,21 @@ bool mark_from_string(const char *value, mark_t *mark)
 	}
 	if (strcasepfx(value, "%unique"))
 	{
-		mark->value = MARK_UNIQUE;
 		endptr = (char*)value + strlen("%unique");
+		if (strcasepfx(endptr, "-dir"))
+		{
+			mark->value = MARK_UNIQUE_DIR;
+			endptr += strlen("-dir");
+		}
+		else if (!*endptr || *endptr == '/')
+		{
+			mark->value = MARK_UNIQUE;
+		}
+		else
+		{
+			DBG1(DBG_APP, "invalid mark value: %s", value);
+			return FALSE;
+		}
 	}
 	else
 	{
diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h
index c93d95562..1db78ba6f 100644
--- a/src/libstrongswan/ipsec/ipsec_types.h
+++ b/src/libstrongswan/ipsec/ipsec_types.h
@@ -178,9 +178,11 @@ struct mark_t {
 };
 
 /**
- * Special mark value that uses a unique mark for each CHILD_SA
+ * Special mark value that uses a unique mark for each CHILD_SA (and direction)
  */
 #define MARK_UNIQUE (0xFFFFFFFF)
+#define MARK_UNIQUE_DIR (0xFFFFFFFE)
+#define MARK_IS_UNIQUE(m) ((m) == MARK_UNIQUE || (m) == MARK_UNIQUE_DIR)
 
 /**
  * Try to parse a mark_t from the given string of the form mark[/mask].