Diffstat (limited to 'src/swanctl')
-rw-r--r--src/swanctl/Makefile.in11
-rw-r--r--src/swanctl/commands/counters.c4
-rw-r--r--src/swanctl/commands/initiate.c2
-rw-r--r--src/swanctl/commands/list_conns.c16
-rw-r--r--src/swanctl/commands/list_sas.c4
-rw-r--r--src/swanctl/commands/load_all.c10
-rw-r--r--src/swanctl/commands/load_authorities.c10
-rw-r--r--src/swanctl/commands/load_conns.c10
-rw-r--r--src/swanctl/commands/load_creds.c13
-rw-r--r--src/swanctl/commands/load_pools.c10
-rw-r--r--src/swanctl/commands/rekey.c13
-rw-r--r--src/swanctl/swanctl.conf38
-rw-r--r--src/swanctl/swanctl.conf.5.head.in4
-rw-r--r--src/swanctl/swanctl.conf.5.main117
-rw-r--r--src/swanctl/swanctl.opt86
15 files changed, 318 insertions, 30 deletions
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index ea7130bbb..c746573f8 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -331,7 +331,6 @@ PYTHON_VERSION = @PYTHON_VERSION@
PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
-RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
@@ -357,6 +356,8 @@ am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
bindir = @bindir@
+botan_CFLAGS = @botan_CFLAGS@
+botan_LIBS = @botan_LIBS@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
@@ -377,8 +378,6 @@ dvidir = @dvidir@
exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
fuzz_plugins = @fuzz_plugins@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -433,8 +432,6 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
-ruby_CFLAGS = @ruby_CFLAGS@
-ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -463,8 +460,12 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_esys_CFLAGS = @tss2_esys_CFLAGS@
+tss2_esys_LIBS = @tss2_esys_LIBS@
tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_sys_CFLAGS = @tss2_sys_CFLAGS@
+tss2_sys_LIBS = @tss2_sys_LIBS@
tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
diff --git a/src/swanctl/commands/counters.c b/src/swanctl/commands/counters.c
index ab386b5d8..909ca4366 100644
--- a/src/swanctl/commands/counters.c
+++ b/src/swanctl/commands/counters.c
@@ -48,7 +48,7 @@ static int counters(vici_conn_t *conn)
vici_res_t *res;
command_format_options_t format = COMMAND_FORMAT_NONE;
char *arg, *name = NULL;
- int ret;
+ int ret = 0;
bool all = FALSE, reset = FALSE;
while (TRUE)
@@ -131,7 +131,7 @@ static int counters(vici_conn_t *conn)
}
}
vici_free_res(res);
- return 0;
+ return ret;
}
/**
diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
index 8e452a6f6..bf8d2cd79 100644
--- a/src/swanctl/commands/initiate.c
+++ b/src/swanctl/commands/initiate.c
@@ -131,7 +131,7 @@ static void __attribute__ ((constructor))reg()
{"--child <name> [--ike <name>] [--timeout <s>] [--raw|--pretty]"},
{
{"help", 'h', 0, "show usage information"},
- {"child", 'c', 1, "initate a CHILD_SA configuration"},
+ {"child", 'c', 1, "initiate a CHILD_SA configuration"},
{"ike", 'i', 1, "name of the connection to which the child belongs"},
{"timeout", 't', 1, "timeout in seconds before detaching"},
{"raw", 'r', 0, "dump raw response message"},
diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c
index f692e9966..5f7dd8189 100644
--- a/src/swanctl/commands/list_conns.c
+++ b/src/swanctl/commands/list_conns.c
@@ -2,7 +2,7 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
- * Copyright (C) 2016 Andreas Steffen
+ * Copyright (C) 2016-2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -199,6 +199,10 @@ CALLBACK(conn_sn, int,
{
printf(" groups: %s\n", auth->get(auth, "groups"));
}
+ if (auth->get(auth, "cert_policy"))
+ {
+ printf(" cert policy: %s\n", auth->get(auth, "cert_policy"));
+ }
if (auth->get(auth, "certs"))
{
printf(" certs: %s\n", auth->get(auth, "certs"));
@@ -234,7 +238,7 @@ CALLBACK(conns, int,
void *null, vici_res_t *res, char *name)
{
int ret;
- char *version, *reauth_time, *rekey_time, *dpd_delay;
+ char *version, *reauth_time, *rekey_time, *dpd_delay, *ppk_id, *ppk_req;
hashtable_t *ike;
version = vici_find_str(res, "", "%s.version", name);
@@ -278,6 +282,14 @@ CALLBACK(conns, int,
}
printf("\n");
+ ppk_id = vici_find_str(res, NULL, "%s.ppk_id", name);
+ ppk_req = vici_find_str(res, NULL, "%s.ppk_required", name);
+ if (ppk_id || ppk_req)
+ {
+ printf(" ppk: %s%s%srequired\n", ppk_id ?: "", ppk_id ? ", " : "",
+ !ppk_req || !streq(ppk_req, "yes") ? "not " : "");
+ }
+
ret = vici_parse_cb(res, conn_sn, NULL, conn_list, ike);
free_hashtable(ike);
return ret;
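Review bot: The three nested conditionals in the `printf(" ppk: %s%s%srequired\n", ...)` call make the printed line hard to predict from reading the code, especially the doubly negated last argument `!ppk_req || !streq(ppk_req, "yes") ? "not " : ""`. Stating it positively, `ppk_req && streq(ppk_req, "yes") ? "" : "not "`, asks the question the output answers and keeps the NULL guard in front of streq(). The `ppk_id ?: ""` elvis operator is a GCC extension, which is acceptable here since the same files already rely on `__attribute__((constructor))`. The conns callback starts before this hunk.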
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index 28602fc65..232f03cc2 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -266,6 +266,10 @@ CALLBACK(ike_sa, int,
}
printf("/%s", ike->get(ike, "prf-alg"));
printf("/%s", ike->get(ike, "dh-group"));
+ if (streq(ike->get(ike, "ppk"), "yes"))
+ {
+ printf("/PPK");
+ }
printf("\n");
}
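Review bot: `streq(ike->get(ike, "ppk"), "yes")` passes a NULL pointer to strcmp() whenever the daemon did not include a `ppk` key for this IKE_SA, since the hashtable lookup returns NULL for a missing key and streq() is a plain strcmp() wrapper. Unless vici is guaranteed to emit the key for every established SA (it presumably only does so when a PPK was actually used), this crashes list-sas on every non-PPK SA. Guard it the way the list-conns change in this same commit guards `ppk_required`: `if (ike->get(ike, "ppk") && streq(ike->get(ike, "ppk"), "yes"))`. The ike_sa callback starts before this hunk.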
diff --git a/src/swanctl/commands/load_all.c b/src/swanctl/commands/load_all.c
index 0010ce140..26f043a6a 100644
--- a/src/swanctl/commands/load_all.c
+++ b/src/swanctl/commands/load_all.c
@@ -31,8 +31,8 @@ static int load_all(vici_conn_t *conn)
bool clear = FALSE, noprompt = FALSE;
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
+ char *arg, *file = SWANCTL_CONF;
int ret = 0;
- char *arg;
while (TRUE)
{
@@ -52,6 +52,9 @@ static int load_all(vici_conn_t *conn)
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'f':
+ file = arg;
+ continue;
case EOF:
break;
default:
@@ -60,10 +63,10 @@ static int load_all(vici_conn_t *conn)
break;
}
- cfg = settings_create(SWANCTL_CONF);
+ cfg = settings_create(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
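Review bot: The `if (!cfg)` check after `settings_create(file)` most likely never fires for a mistyped `--file` path: as far as I recall settings_create() returns an empty settings object when the file cannot be read and only logs the failure, so `load-all --file /etc/swanctl/swanctl.cnof --clear` would silently unload every connection and credential instead of failing. An explicit readability pre-check, as below, turns the typo into a hard error before anything is sent to the daemon; the same applies to the other load-* commands in this commit. Whether `<unistd.h>` and `<errno.h>` are already pulled in by the project headers is not visible here — confirm.
```c
	if (access(file, R_OK) != 0)
	{
		fprintf(stderr, "reading '%s' failed: %s\n", file, strerror(errno));
		return EINVAL;
	}
	cfg = settings_create(file);
	/* … unchanged: NULL check and loading … */
```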
@@ -104,6 +107,7 @@ static void __attribute__ ((constructor))reg()
{"noprompt", 'n', 0, "do not prompt for passwords"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"file", 'f', 1, "custom path to swanctl.conf"},
}
});
}
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
index d82c0f98e..61682a386 100644
--- a/src/swanctl/commands/load_authorities.c
+++ b/src/swanctl/commands/load_authorities.c
@@ -310,7 +310,7 @@ static int load_authorities(vici_conn_t *conn)
{
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg;
+ char *arg, *file = SWANCTL_CONF;
int ret;
while (TRUE)
@@ -325,6 +325,9 @@ static int load_authorities(vici_conn_t *conn)
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'f':
+ file = arg;
+ continue;
case EOF:
break;
default:
@@ -333,10 +336,10 @@ static int load_authorities(vici_conn_t *conn)
break;
}
- cfg = settings_create(SWANCTL_CONF);
+ cfg = settings_create(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
@@ -360,6 +363,7 @@ static void __attribute__ ((constructor))reg()
{"help", 'h', 0, "show usage information"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"file", 'f', 1, "custom path to swanctl.conf"},
}
});
}
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index 0518ef54f..dad03945d 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -425,7 +425,7 @@ static int load_conns(vici_conn_t *conn)
{
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg;
+ char *arg, *file = SWANCTL_CONF;
int ret;
while (TRUE)
@@ -440,6 +440,9 @@ static int load_conns(vici_conn_t *conn)
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'f':
+ file = arg;
+ continue;
case EOF:
break;
default:
@@ -448,10 +451,10 @@ static int load_conns(vici_conn_t *conn)
break;
}
- cfg = settings_create(SWANCTL_CONF);
+ cfg = settings_create(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
@@ -474,6 +477,7 @@ static void __attribute__ ((constructor))reg()
{"help", 'h', 0, "show usage information"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"file", 'f', 1, "custom path to swanctl.conf"},
}
});
}
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 15ef2f151..a9e352f7e 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -665,6 +665,7 @@ static bool load_secret(load_ctx_t *ctx, char *section)
"xauth",
"ntlm",
"ike",
+ "ppk",
"private",
"rsa",
"ecdsa",
@@ -688,7 +689,7 @@ static bool load_secret(load_ctx_t *ctx, char *section)
return FALSE;
}
if (!streq(type, "eap") && !streq(type, "xauth") && !streq(type, "ntlm") &&
- !streq(type, "ike"))
+ !streq(type, "ike") && !streq(type, "ppk"))
{ /* skip non-shared secrets */
return TRUE;
}
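Review bot: Routing "ppk" through the shared-secret path loads a PPK of whatever length the operator typed, while the man page added in this commit states the value should carry at least 256 bits of entropy; a short or passphrase-like PPK silently weakens the post-quantum protection the option promises. A warning (not an error) at the point later in load_secret() where the decoded value is available, along the lines of "warning: PPK in section `<section>` is shorter than 256 bits", would make the mismatch visible without breaking existing deployments — the decoded buffer's name is outside this hunk, so the exact line is left to the author. load_secret starts before this hunk.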
@@ -945,7 +946,7 @@ static int load_creds(vici_conn_t *conn)
bool clear = FALSE, noprompt = FALSE;
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg;
+ char *arg, *file = SWANCTL_CONF;
int ret;
while (TRUE)
@@ -966,6 +967,9 @@ static int load_creds(vici_conn_t *conn)
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'f':
+ file = arg;
+ continue;
case EOF:
break;
default:
@@ -974,10 +978,10 @@ static int load_creds(vici_conn_t *conn)
break;
}
- cfg = settings_create(SWANCTL_CONF);
+ cfg = settings_create(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
@@ -1002,6 +1006,7 @@ static void __attribute__ ((constructor))reg()
{"noprompt", 'n', 0, "do not prompt for passwords"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"file", 'f', 1, "custom path to swanctl.conf"},
}
});
}
diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c
index feb8d3a52..ec9508efb 100644
--- a/src/swanctl/commands/load_pools.c
+++ b/src/swanctl/commands/load_pools.c
@@ -251,7 +251,7 @@ static int load_pools(vici_conn_t *conn)
{
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg;
+ char *arg, *file = SWANCTL_CONF;
int ret;
while (TRUE)
@@ -266,6 +266,9 @@ static int load_pools(vici_conn_t *conn)
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'f':
+ file = arg;
+ continue;
case EOF:
break;
default:
@@ -274,10 +277,10 @@ static int load_pools(vici_conn_t *conn)
break;
}
- cfg = settings_create(SWANCTL_CONF);
+ cfg = settings_create(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
@@ -300,6 +303,7 @@ static void __attribute__ ((constructor))reg()
{"help", 'h', 0, "show usage information"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"file", 'f', 1, "custom path to swanctl.conf"},
}
});
}
diff --git a/src/swanctl/commands/rekey.c b/src/swanctl/commands/rekey.c
index 47a313657..f44ecaa3c 100644
--- a/src/swanctl/commands/rekey.c
+++ b/src/swanctl/commands/rekey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Tobias Brunner
+ * Copyright (C) 2017-2018 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@ static int rekey(vici_conn_t *conn)
command_format_options_t format = COMMAND_FORMAT_NONE;
char *arg, *child = NULL, *ike = NULL;
int ret = 0, child_id = 0, ike_id = 0;
+ bool reauth = FALSE;
while (TRUE)
{
@@ -49,6 +50,9 @@ static int rekey(vici_conn_t *conn)
case 'I':
ike_id = atoi(arg);
continue;
+ case 'a':
+ reauth = TRUE;
+ continue;
case EOF:
break;
default:
@@ -74,6 +78,10 @@ static int rekey(vici_conn_t *conn)
{
vici_add_key_valuef(req, "ike-id", "%d", ike_id);
}
+ if (reauth)
+ {
+ vici_add_key_valuef(req, "reauth", "yes");
+ }
res = vici_submit(req, conn);
if (!res)
{
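Review bot: `reauth` is forwarded to the daemon even when the SA was selected by `--child` or `--child-id`, where reauthentication has no meaning; unless the daemon rejects that combination itself, the user sees a successful rekey and no hint that `--reauth` was ignored. A client-side check before the request is built, `if (reauth && (child || child_id)) { fprintf(stderr, "--reauth only applies to IKE_SAs\n"); return EINVAL; }`, makes the misuse visible. The rekey function starts before this hunk.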
@@ -111,13 +119,14 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
rekey, 'R', "rekey", "rekey an SA",
{"--child <name> | --ike <name | --child-id <id> | --ike-id <id>",
- "[--raw|--pretty]"},
+ "[--reauth] [--raw|--pretty]"},
{
{"help", 'h', 0, "show usage information"},
{"child", 'c', 1, "rekey by CHILD_SA name"},
{"ike", 'i', 1, "rekey by IKE_SA name"},
{"child-id", 'C', 1, "rekey by CHILD_SA unique identifier"},
{"ike-id", 'I', 1, "rekey by IKE_SA unique identifier"},
+ {"reauth", 'a', 0, "reauthenticate instead of rekey an IKEv2 SA"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
}
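Review bot: The new option description `"reauthenticate instead of rekey an IKEv2 SA"` is ungrammatical and does not say that the flag only applies to IKE_SAs; `"reauthenticate the IKE_SA (IKEv2 only) instead of rekeying it"` conveys both. Adjacent but pre-existing: the usage string on the context line above is missing the closing `>` in `--ike <name`. If the swanctl(8) man page lists the rekey options, it should gain `--reauth` as well; that page is not part of this diff.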
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index 9b87a963a..c50f20dc6 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -56,6 +56,13 @@
# Send certificate payloads (always, never or ifasked).
# send_cert = ifasked
+ # String identifying the Postquantum Preshared Key (PPK) to be used.
+ # ppk_id =
+
+ # Whether a Postquantum Preshared Key (PPK) is required for this
+ # connection.
+ # ppk_required = no
+
# Number of retransmission sequences to perform during initial connect.
# keyingtries = 1
@@ -311,6 +318,14 @@
# Netfilter mark and mask for output traffic.
# mark_out = 0/0x00000000
+ # Netfilter mark applied to packets after the inbound IPsec SA
+ # processed them.
+ # set_mark_in = 0/0x00000000
+
+ # Netfilter mark applied to packets after the outbound IPsec SA
+ # processed them.
+ # set_mark_out = 0/0x00000000
+
# Traffic Flow Confidentiality padding.
# tfc_padding = 0
@@ -321,6 +336,18 @@
# IPsec implementation.
# hw_offload = no
+ # Whether to copy the DF bit to the outer IPv4 header in tunnel
+ # mode.
+ # copy_df = yes
+
+ # Whether to copy the ECN header field to/from the outer IP
+ # header in tunnel mode.
+ # copy_ecn = yes
+
+ # Whether to copy the DSCP header field to/from the outer IP
+ # header in tunnel mode.
+ # copy_dscp = out
+
# Action to perform after loading the configuration (none, trap,
# start).
# start_action = none
@@ -379,6 +406,17 @@
# }
+ # Postquantum Preshared Key (PPK) section for a specific secret.
+ # ppk<suffix> {
+
+ # Value of the PPK.
+ # secret =
+
+ # PPK identity the PPK belongs to.
+ # id<suffix> =
+
+ # }
+
# Private key decryption passphrase for a key in the private folder.
# private<suffix> {
diff --git a/src/swanctl/swanctl.conf.5.head.in b/src/swanctl/swanctl.conf.5.head.in
index 5742d2593..a14225df0 100644
--- a/src/swanctl/swanctl.conf.5.head.in
+++ b/src/swanctl/swanctl.conf.5.head.in
@@ -6,8 +6,8 @@ swanctl.conf is the configuration file used by the
.BR swanctl (8)
tool to load configurations and credentials into the strongSwan IKE daemon.
-For a description of the basic file syntax, including how to split the
-configuration in multiple files by including other files, refer to
+For a description of the basic file syntax, including how to reference sections
+or split the configuration in multiple files by including other files, refer to
.BR strongswan.conf (5).
.SH TIME FORMATS
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 1f7e3a2cc..1f8900959 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -217,6 +217,14 @@ causes certificate payloads to be sent unconditionally
whenever certificate authentication is used.
.TP
+.BR connections.<conn>.ppk_id " []"
+String identifying the Postquantum Preshared Key (PPK) to be used.
+
+.TP
+.BR connections.<conn>.ppk_required " [no]"
+Whether a Postquantum Preshared Key (PPK) is required for this connection.
+
+.TP
.BR connections.<conn>.keyingtries " [1]"
Number of retransmission sequences to perform during initial connect. Instead of
giving up initiation after the first retransmission sequence with the default
@@ -1127,6 +1135,52 @@ The default
mask if omitted is 0xffffffff.
.TP
+.BR connections.<conn>.children.<child>.set_mark_in " [0/0x00000000]"
+Netfilter mark applied to packets after the inbound IPsec SA processed them.
+This way it's not necessary to mark packets via Netfilter before decryption or
+right afterwards to match policies or process them differently (e.g. via policy
+routing).
+
+An additional mask may be appended to the mark, separated by
+.RI "" "/" "."
+The default
+mask if omitted is 0xffffffff. The special value
+.RI "" "%same" ""
+uses the value (but not
+the mask) from
+.RB "" "mark_in" ""
+as mark value, which can be fixed,
+.RI "" "%unique" ""
+or
+.RI "" "%unique\-dir" "."
+
+
+Setting marks in XFRM input requires Linux 4.19 or higher.
+
+.TP
+.BR connections.<conn>.children.<child>.set_mark_out " [0/0x00000000]"
+Netfilter mark applied to packets after the outbound IPsec SA processed them.
+This allows processing ESP packets differently than the original traffic (e.g.
+via policy routing).
+
+An additional mask may be appended to the mark, separated by
+.RI "" "/" "."
+The default
+mask if omitted is 0xffffffff. The special value
+.RI "" "%same" ""
+uses the value (but not
+the mask) from
+.RB "" "mark_out" ""
+as mark value, which can be fixed,
+.RI "" "%unique" ""
+or
+.RI "" "%unique\-dir" "."
+
+
+Setting marks in XFRM output is supported since Linux 4.14. Setting a mask
+requires at least Linux 4.19.
+
+.TP
.BR connections.<conn>.children.<child>.tfc_padding " [0]"
Pads ESP packets with additional data to have a consistent ESP packet size for
improved Traffic Flow Confidentiality. The padding defines the minimum size of
@@ -1155,6 +1209,44 @@ enables offloading, if it's supported, but the installation does not fail
otherwise.
.TP
+.BR connections.<conn>.children.<child>.copy_df " [yes]"
+Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This
+effectively disables Path MTU discovery (PMTUD). Controlling this behavior is
+not supported by all kernel interfaces.
+
+.TP
+.BR connections.<conn>.children.<child>.copy_ecn " [yes]"
+Whether to copy the ECN (Explicit Congestion Notification) header field to/from
+the outer IP header in tunnel mode. Controlling this behavior is not supported
+by all kernel interfaces.
+
+.TP
+.BR connections.<conn>.children.<child>.copy_dscp " [out]"
+Whether to copy the DSCP (Differentiated Services Field Codepoint) header field
+to/from the outer IP header in tunnel mode. The value
+.RI "" "out" ""
+only copies the
+field from the inner to the outer header, the value
+.RI "" "in" ""
+does the opposite and
+only copies the field from the outer to the inner header when decapsulating, the
+value
+.RI "" "yes" ""
+copies the field in both directions, and the value
+.RI "" "no" ""
+disables
+copying the field altogether. Setting this to
+.RI "" "yes" ""
+or
+.RI "" "in" ""
+could allow an
+attacker to adversely affect other traffic at the receiver, which is why the
+default is
+.RI "" "out" "."
+Controlling this behavior is not supported by all kernel
+interfaces.
+
+.TP
.BR connections.<conn>.children.<child>.start_action " [none]"
Action to perform after loading the configuration. The default of
.RI "" "none" ""
@@ -1297,6 +1389,31 @@ prefix, if a secret is shared between multiple
peers.
.TP
+.B secrets.ppk<suffix>
+.br
+Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is
+defined in a unique section having the
+.RI "" "ppk" ""
+prefix.
+
+.TP
+.BR secrets.ppk<suffix>.secret " []"
+Value of the PPK. It may either be an ASCII string, a hex encoded string if
+it has a
+.RI "" "0x" ""
+prefix or a Base64 encoded string if it has a
+.RI "" "0s" ""
+prefix in its
+value. Should have at least 256 bits of entropy for 128\-bit security.
+
+.TP
+.BR secrets.ppk<suffix>.id<suffix> " []"
+PPK identity the PPK belongs to. Multiple unique identities may be specified,
+each having an
+.RI "" "id" ""
+prefix, if a secret is shared between multiple peers.
+
+.TP
.B secrets.private<suffix>
.br
Private key decryption passphrase for a key in the
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 120e5812e..1c1e85e3e 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -188,6 +188,12 @@ connections.<conn>.send_cert = ifasked
certificate payloads altogether, _always_ causes certificate payloads to be
sent unconditionally whenever certificate authentication is used.
+connections.<conn>.ppk_id =
+ String identifying the Postquantum Preshared Key (PPK) to be used.
+
+connections.<conn>.ppk_required = no
+ Whether a Postquantum Preshared Key (PPK) is required for this connection.
+
connections.<conn>.keyingtries = 1
Number of retransmission sequences to perform during initial connect.
@@ -910,6 +916,37 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
+connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
+ Netfilter mark applied to packets after the inbound IPsec SA processed them.
+
+ Netfilter mark applied to packets after the inbound IPsec SA processed them.
+ This way it's not necessary to mark packets via Netfilter before decryption
+ or right afterwards to match policies or process them differently (e.g. via
+ policy routing).
+
+ An additional mask may be appended to the mark, separated by _/_. The
+ default mask if omitted is 0xffffffff. The special value _%same_ uses
+ the value (but not the mask) from **mark_in** as mark value, which can be
+ fixed, _%unique_ or _%unique-dir_.
+
+ Setting marks in XFRM input requires Linux 4.19 or higher.
+
+connections.<conn>.children.<child>.set_mark_out = 0/0x00000000
+ Netfilter mark applied to packets after the outbound IPsec SA processed
+ them.
+
+ Netfilter mark applied to packets after the outbound IPsec SA processed
+ them. This allows processing ESP packets differently than the original
+ traffic (e.g. via policy routing).
+
+ An additional mask may be appended to the mark, separated by _/_. The
+ default mask if omitted is 0xffffffff. The special value _%same_ uses
+ the value (but not the mask) from **mark_out** as mark value, which can be
+ fixed, _%unique_ or _%unique-dir_.
+
+ Setting marks in XFRM output is supported since Linux 4.14. Setting a mask
+ requires at least Linux 4.19.
+
connections.<conn>.children.<child>.tfc_padding = 0
Traffic Flow Confidentiality padding.
@@ -937,6 +974,35 @@ connections.<conn>.children.<child>.hw_offload = no
enables offloading, if it's supported, but the installation does not fail
otherwise.
+connections.<conn>.children.<child>.copy_df = yes
+ Whether to copy the DF bit to the outer IPv4 header in tunnel mode.
+
+ Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This
+ effectively disables Path MTU discovery (PMTUD). Controlling this behavior
+ is not supported by all kernel interfaces.
+
+connections.<conn>.children.<child>.copy_ecn = yes
+ Whether to copy the ECN header field to/from the outer IP header in tunnel
+ mode.
+
+ Whether to copy the ECN (Explicit Congestion Notification) header field
+ to/from the outer IP header in tunnel mode. Controlling this behavior is not
+ supported by all kernel interfaces.
+
+connections.<conn>.children.<child>.copy_dscp = out
+ Whether to copy the DSCP header field to/from the outer IP header in tunnel
+ mode.
+
+ Whether to copy the DSCP (Differentiated Services Field Codepoint) header
+ field to/from the outer IP header in tunnel mode. The value _out_ only
+ copies the field from the inner to the outer header, the value _in_ does the
+ opposite and only copies the field from the outer to the inner header when
+ decapsulating, the value _yes_ copies the field in both directions, and the
+ value _no_ disables copying the field altogether. Setting this to _yes_ or
+ _in_ could allow an attacker to adversely affect other traffic at the
+ receiver, which is why the default is _out_. Controlling this behavior is
+ not supported by all kernel interfaces.
+
connections.<conn>.children.<child>.start_action = none
Action to perform after loading the configuration (_none_, _trap_, _start_).
@@ -1047,6 +1113,26 @@ secrets.ike<suffix>.id<suffix> =
may be specified, each having an _id_ prefix, if a secret is shared between
multiple peers.
+secrets.ppk<suffix> { # }
+ Postquantum Preshared Key (PPK) section for a specific secret.
+
+ Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is
+ defined in a unique section having the _ppk_ prefix.
+
+secrets.ppk<suffix>.secret =
+ Value of the PPK.
+
+ Value of the PPK. It may either be an ASCII string, a hex encoded string if
+ it has a _0x_ prefix or a Base64 encoded string if it has a _0s_ prefix in
+ its value. Should have at least 256 bits of entropy for 128-bit security.
+
+secrets.ppk<suffix>.id<suffix> =
+ PPK identity the PPK belongs to.
+
+ PPK identity the PPK belongs to. Multiple unique identities
+ may be specified, each having an _id_ prefix, if a secret is shared between
+ multiple peers.
+
secrets.private<suffix> { # }
Private key decryption passphrase for a key in the _private_ folder.