[Swan] PATCH, was Re: Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

[Paul Wouters]

On Tue, 31 Oct 2017, Hao Chen wrote:

> [root at xcvms196 configs]# ip x p
> src 10.0.146.196/32 dst 10.0.161.34/32
>         dir out priority 2080 ptype main
>         mark -1/0xffffffff

Oops, it should never have -1 there. turned out we couldn't really
test for -1 because it is an unsigned int.

Please try the attached patch. It works for me on 3.22, but I think
it should work fine on 3.20 as well.

Paul
-------------- next part --------------
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
index 2c61def16..08f0cb6de 100644
--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -1215,6 +1215,9 @@ static bool preload_wm_cert_secrets(const struct whack_message *wm)
 static void mark_parse(char *wmmark, struct sa_mark *sa_mark) {
 	char *mask_start = strstr(wmmark,"/");
 
+	if (strneq(wmmark, "-1", 2)) {
+		sa_mark->unique = TRUE;
+	}
 	sa_mark->val = strtol(wmmark, &mask_start, 0);
 	if (mask_start != wmmark && *mask_start == '/')
 		sa_mark->mask = strtol(mask_start + 1, NULL, 0);
@@ -2040,8 +2043,7 @@ struct connection *instantiate(struct connection *c, const ip_address *him,
 	d->log_file = NULL;
 	d->log_file_err = FALSE;
 
-	if (c->sa_marks.in.val == UINT_MAX) {
-		/* -1 means unique marks */
+	if (c->sa_marks.in.unique) {
 		d->sa_marks.in.val = global_marks;
 		d->sa_marks.out.val = global_marks;
 		global_marks++;
diff --git a/programs/pluto/connections.h b/programs/pluto/connections.h
index 86e521820..8e880f757 100644
--- a/programs/pluto/connections.h
+++ b/programs/pluto/connections.h
@@ -211,6 +211,7 @@ struct spd_route {
 struct sa_mark {
 	uint32_t val;
 	uint32_t mask;
+	bool unique;
 };
 struct sa_marks {
 	struct sa_mark in;