On Mon, 30 Oct 2017, Craig Marker wrote:
It's not supported by our code. I'm not sure if XFRM has a way of
communicating this IPsec SA property to the kernel. If it does,
then we can surely add support for it.
What about the decap-dscp ip xfrm flag?
I just pushed a patch to support decap-dscp. This will be released with
version 3.23 (and will appear in a pre-release when we do 3.23rc2)
Or you can apply the patch yourself:
https://github.com/libreswan/libreswan/commit/0addb31fb509d2946aac83fe654f9b2d61108768
I have not tested this other then confirming the flag shows up in the
output of "ip xfrm state".
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
