Re: [Openvpn-devel] [PATCH] add --mark option to set SO_MARK sockopt

Wed, 31 Aug 2011 18:27:41 +0000 

Maybe should extend the usage of parameter "socket-flags"?

On Wed, Aug 31, 2011 at 9:05 PM, Heiko Hund <heiko.h...@sophos.com> wrote:
> Signed-off-by: Heiko Hund <heiko.h...@sophos.com>
> ---
>  init.c    |    1 +
>  openvpn.8 |    6 ++++++
>  options.c |   14 ++++++++++++++
>  options.h |    3 +++
>  socket.c  |   13 +++++++++++++
>  socket.h  |    1 +
>  6 files changed, 38 insertions(+), 0 deletions(-)
>
> diff --git a/init.c b/init.c
> index 0530b10..e8c9aab 100644
> --- a/init.c
> +++ b/init.c
> @@ -2640,6 +2640,7 @@ do_init_socket_1 (struct context *c, const int mode)
>                           c->options.mtu_discover_type,
>                           c->options.rcvbuf,
>                           c->options.sndbuf,
> +                          c->options.mark,
>                           sockflags);
>  }
>
> diff --git a/openvpn.8 b/openvpn.8
> index dc76464..55a9b80 100644
> --- a/openvpn.8
> +++ b/openvpn.8
> @@ -1371,6 +1371,12 @@ Set the TCP/UDP socket receive buffer size.
>  Currently defaults to 65536 bytes.
>  .\"*********************************************************
>  .TP
> +.B \-\-mark value
> +Mark encrypted packets being sent with value. The mark value can be
> +matched in policy routing and packetfilter rules. This option is
> +only supported in Linux and does nothing on other operating systems.
> +.\"*********************************************************
> +.TP
>  .B \-\-socket-flags flags...
>  Apply the given flags to the OpenVPN transport socket.
>  Currently, only
> diff --git a/options.c b/options.c
> index a6230de..d410782 100644
> --- a/options.c
> +++ b/options.c
> @@ -280,6 +280,10 @@ static const char usage_message[] =
>   "                  or --fragment max value, whichever is lower.\n"
>   "--sndbuf size   : Set the TCP/UDP send buffer size.\n"
>   "--rcvbuf size   : Set the TCP/UDP receive buffer size.\n"
> +#ifdef TARGET_LINUX
> +  "--mark value    : Mark encrypted packets being sent with value. The mark 
> value\n"
> +  "                  can be matched in policy routing and packetfilter 
> rules.\n"
> +#endif
>   "--txqueuelen n  : Set the tun/tap TX queue length to n (Linux only).\n"
>   "--mlock         : Disable Paging -- ensures key material and tunnel\n"
>   "                  data will never be written to disk.\n"
> @@ -1473,6 +1477,9 @@ show_settings (const struct options *o)
>  #endif
>   SHOW_INT (rcvbuf);
>   SHOW_INT (sndbuf);
> +#ifdef TARGET_LINUX
> +  SHOW_INT (mark);
> +#endif
>   SHOW_INT (sockflags);
>
>   SHOW_BOOL (fast_io);
> @@ -4520,6 +4527,13 @@ add_option (struct options *options,
>       VERIFY_PERMISSION (OPT_P_SOCKBUF);
>       options->sndbuf = positive_atoi (p[1]);
>     }
> +  else if (streq (p[0], "mark") && p[1])
> +    {
> +#ifdef TARGET_LINUX
> +      VERIFY_PERMISSION (OPT_P_GENERAL);
> +      options->mark = atoi(p[1]);
> +#endif
> +    }
>   else if (streq (p[0], "socket-flags"))
>     {
>       int j;
> diff --git a/options.h b/options.h
> index e723b66..d792872 100644
> --- a/options.h
> +++ b/options.h
> @@ -342,6 +342,9 @@ struct options
>   int rcvbuf;
>   int sndbuf;
>
> +  /* mark value */
> +  int mark;
> +
>   /* socket flags */
>   unsigned int sockflags;
>
> diff --git a/socket.c b/socket.c
> index 76c760c..a2f9511 100644
> --- a/socket.c
> +++ b/socket.c
> @@ -779,6 +779,15 @@ socket_set_tcp_nodelay (int sd, int state)
>  #endif
>  }
>
> +static void
> +socket_set_mark (int sd, int mark)
> +{
> +#ifdef TARGET_LINUX
> +  if (mark && setsockopt (sd, SOL_SOCKET, SO_MARK, &mark, sizeof (mark)) != 
> 0)
> +    msg (M_WARN, "NOTE: setsockopt SO_MARK=%d failed", mark);
> +#endif
> +}
> +
>  static bool
>  socket_set_flags (int sd, unsigned int sockflags)
>  {
> @@ -1599,6 +1608,7 @@ link_socket_init_phase1 (struct link_socket *sock,
>                         int mtu_discover_type,
>                         int rcvbuf,
>                         int sndbuf,
> +                        int mark,
>                         unsigned int sockflags)
>  {
>   ASSERT (sock);
> @@ -1716,6 +1726,9 @@ link_socket_init_phase1 (struct link_socket *sock,
>       /* set socket buffers based on --sndbuf and --rcvbuf options */
>       socket_set_buffers (sock->sd, &sock->socket_buffer_sizes);
>
> +      /* set socket to --mark packets with given value */
> +      socket_set_mark (sock->sd, mark);
> +
>       resolve_bind_local (sock);
>       resolve_remote (sock, 1, NULL, NULL);
>     }
> diff --git a/socket.h b/socket.h
> index b385fb2..a9a29c5 100644
> --- a/socket.h
> +++ b/socket.h
> @@ -324,6 +324,7 @@ link_socket_init_phase1 (struct link_socket *sock,
>                         int mtu_discover_type,
>                         int rcvbuf,
>                         int sndbuf,
> +                        int mark,
>                         unsigned int sockflags);
>
>  void link_socket_init_phase2 (struct link_socket *sock,
> --
> 1.7.4.1
>
>
> ------------------------------------------------------------------------------
> Special Offer -- Download ArcSight Logger for FREE!
> Finally, a world-class log management solution at an even better
> price-free! And you'll get a free "Love Thy Logs" t-shirt when you
> download Logger. Secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsisghtdev2dev
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>

Reply via email to