Diffstat (limited to 'src/libcharon/sa/child_sa.c')
-rw-r--r--src/libcharon/sa/child_sa.c19
1 files changed, 17 insertions, 2 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 4133d9182..91da4d3e6 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -254,7 +254,7 @@ struct private_child_sa_t {
};
/**
- * convert an IKEv2 specific protocol identifier to the IP protocol identifier.
+ * Convert an IKEv2 specific protocol identifier to the IP protocol identifier
*/
static inline uint8_t proto_ike2ip(protocol_id_t protocol)
{
@@ -269,6 +269,18 @@ static inline uint8_t proto_ike2ip(protocol_id_t protocol)
}
}
+/**
+ * Returns the mark to use on the inbound SA
+ */
+static inline mark_t mark_in_sa(private_child_sa_t *this)
+{
+ if (this->config->has_option(this->config, OPT_MARK_IN_SA))
+ {
+ return this->mark_in;
+ }
+ return (mark_t){};
+}
+
METHOD(child_sa_t, get_name, char*,
private_child_sa_t *this)
{
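Review bot: The doc comment on `mark_in_sa()` states neither the fallback nor the effect of the option, and both matter to anyone enabling it. When `OPT_MARK_IN_SA` is unset the helper returns an empty mark, so the inbound SA is still identified without one, as before this change. When it is set, `this->mark_in` becomes part of the SA id, which presumably means inbound packets must already carry that mark before decryption to match the SA at all. I would spell that out, e.g. `* Returns the mark to use on the inbound SA: mark_in if OPT_MARK_IN_SA is set, otherwise an empty mark (the SA is installed and looked up without a mark)`.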
@@ -525,6 +537,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
.dst = this->my_addr,
.spi = this->my_spi,
.proto = proto_ike2ip(this->protocol),
+ .mark = mark_in_sa(this),
};
kernel_ipsec_query_sa_t query = {};
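Review bot: The `.mark = mark_in_sa(this)` initializer added here must yield exactly the value used when the SA was installed in `install_internal()`, and the same holds for the copies in `update` and `destroy`, but nothing in the code says so. If one of the four sites drifts, the query, update or delete would presumably miss the SA in the kernel, and on `destroy` that could leave a keyed inbound SA behind. A short comment at each site would help, e.g. `/* same mark as in install_internal(), the kernel matches the SA id including the mark */`, or a small helper that fills in the inbound `kernel_ipsec_sa_id_t` in one place. The enclosing function starts and ends outside this hunk.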
@@ -857,7 +870,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
.dst = dst,
.spi = spi,
.proto = proto_ike2ip(this->protocol),
- .mark = inbound ? (mark_t){} : this->mark_out,
+ .mark = inbound ? mark_in_sa(this) : this->mark_out,
};
sa = (kernel_ipsec_add_sa_t){
.reqid = this->reqid,
@@ -1475,6 +1488,7 @@ METHOD(child_sa_t, update, status_t,
.dst = this->my_addr,
.spi = this->my_spi,
.proto = proto_ike2ip(this->protocol),
+ .mark = mark_in_sa(this),
};
kernel_ipsec_update_sa_t sa = {
.cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
@@ -1660,6 +1674,7 @@ METHOD(child_sa_t, destroy, void,
.dst = this->my_addr,
.spi = this->my_spi,
.proto = proto_ike2ip(this->protocol),
+ .mark = mark_in_sa(this),
};
kernel_ipsec_del_sa_t sa = {
.cpi = this->my_cpi,