[Swan] hidetos with NETKEY & VTI

Paul Wouters paul at nohats.ca
Fri Dec 1 23:35:16 UTC 2017


On Fri, 1 Dec 2017, Paul Wouters wrote:

>>> It's not supported by our code. I'm not sure if XFRM has a way of
>>> communicating this IPsec SA property to the kernel. If it does,
>>> then we can surely add support for it.
>> 
>> What about the decap-dscp ip xfrm flag?
>
> I just pushed a patch to support decap-dscp. This will be released with
> version 3.23 (and will appear in a pre-release when we do 3.23rc2)
>
> Or you can apply the patch yourself:
>
> https://github.com/libreswan/libreswan/commit/0addb31fb509d2946aac83fe654f9b2d61108768
>
> I have not tested this other than confirming the flag shows up in the
> output of "ip xfrm state".

Note that this only sets the bits on the inbound decrypted traffic. For
the outbound packets, you are supposed to use netfilter yourself:

https://marc.info/?l=linux-netdev&m=109533859408626&w=2

Paul
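Since the only verification mentioned in the thread is that the flag shows up in "ip xfrm state", here is an added helper (not from the thread, and not Libreswan's own code) that parses that output and reports, per ESP SA, whether decap-dscp is set. The sample output embedded in it is constructed to mimic the iproute2 format; on a live host you would pipe the real "ip xfrm state" into the function. Remember that, as Paul notes above, the flag only affects the inbound (decrypt) direction, so a "no" on an outbound SA is expected.

```shell
#!/bin/sh
# Added example: report which ESP SAs in "ip xfrm state" output carry the
# decap-dscp flag. The sample below is constructed, not captured from a host.

SAMPLE_XFRM_STATE='src 192.0.2.1 dst 192.0.2.2
	proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
	replay-window 32 flag af-unspec decap-dscp
	auth-trunc hmac(sha256) 0x00 128
	enc cbc(aes) 0x00
src 192.0.2.2 dst 192.0.2.1
	proto esp spi 0x0e0f1011 reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0x00 128
	enc cbc(aes) 0x00
'

# Reads "ip xfrm state" output on stdin and prints one line per ESP SA:
#   <src> <dst> <spi> yes|no      ("yes" when decap-dscp is among the flags)
# iproute2 prints the flags on the "replay-window ... flag ..." line.
decap_dscp_report() {
    awk '
        /^src /                 { src = $2; dst = $4 }
        /^[ \t]*proto esp/      { spi = $4 }
        /^[ \t]*replay-window/  {
            has = "no"
            for (i = 1; i <= NF; i++) if ($i == "decap-dscp") has = "yes"
            print src, dst, spi, has
        }
    '
}

# Exit 0 only when every SA on stdin has decap-dscp set (handy in scripts).
all_have_decap_dscp() {
    ! decap_dscp_report | grep -q ' no$'
}

# Stand-alone run against the constructed sample. On a real system use:
#   ip xfrm state | decap_dscp_report
printf '%s' "$SAMPLE_XFRM_STATE" | decap_dscp_report
```

The report deliberately lists both directions of the SA pair so you can see at a glance which SA received the flag; the pass/fail helper is only meaningful when you feed it the inbound SAs you expect to be marked.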

