On Fri, 1 Dec 2017, Paul Wouters wrote:
It's not supported by our code. I'm not sure if XFRM has a way of
communicating this IPsec SA property to the kernel. If it does,
then we can surely add support for it.
What about the decap-dscp ip xfrm flag?
I just pushed a patch to support decap-dscp. This will be released with
version 3.23 (and will appear in a pre-release when we do 3.23rc2).
Or you can apply the patch yourself:
https://github.com/libreswan/libreswan/commit/0addb31fb509d2946aac83fe654f9b2d61108768
I have not tested this other than confirming the flag shows up in the
output of "ip xfrm state".
Note that this only sets the bits on the inbound decrypted traffic. For
the outbound packets, you are supposed to use netfilter yourself:
https://marc.info/?l=linux-netdev&m=109533859408626&w=2
Paul
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
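The check mentioned in the message above (confirming the flag in the output of "ip xfrm state") can be scripted per SA. The following is an added example, not part of the original post or of libreswan; the function names are hypothetical and the sample text is constructed (addresses, SPIs and keys are made up, with the local host assumed to be 198.51.100.20).

```shell
#!/bin/sh
# Added example: report which IPsec SAs carry the decap-dscp flag.
# Reads `ip xfrm state` text on stdin, so it can be exercised offline.

# Constructed sample of `ip xfrm state` output (all values are made up).
# The first SA is the inbound one for the assumed local host 198.51.100.20.
sample_xfrm_state() {
cat <<'EOF'
src 192.0.2.10 dst 198.51.100.20
    proto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
    replay-window 32 flag decap-dscp af-unspec
    aead rfc4106(gcm(aes)) 0x00 128
src 198.51.100.20 dst 192.0.2.10
    proto esp spi 0x4d5e6f70 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x00 128
EOF
}

# Print one line per SA: "<src> <dst> <spi> decap-dscp=<yes|no>".
check_decap_dscp() {
    awk '
        # Emit the SA collected so far, if any.
        function emit() {
            if (spi != "")
                printf "%s %s %s decap-dscp=%s\n", src, dst, spi, has
        }
        # An unindented "src A dst B" line starts a new SA record.
        /^src / && $3 == "dst" {
            emit(); src = $2; dst = $4; spi = ""; has = "no"; next
        }
        # The SPI is on the indented "proto ... spi 0x..." line.
        $1 == "proto" {
            for (i = 1; i < NF; i++) if ($i == "spi") spi = $(i + 1)
        }
        # Flag names follow the "flag" keyword on the same line.
        {
            seen = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "flag") seen = 1
                else if (seen && $i == "decap-dscp") has = "yes"
            }
        }
        END { emit() }
    '
}

sample_xfrm_state | check_decap_dscp
```

On a live gateway, run `ip xfrm state | check_decap_dscp` as root and look at the SA whose dst is the local address.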