[Openswan dev] preserving skb-nfmark in decrypted traffic

Tino Keitel tino.keitel at innominate.com
Tue Feb 13 09:17:03 EST 2007

Hi folks,

I noticed that with recent OpenS/WAN versions the nfmark value of a
decrypted packet doesn't match the nfmark value of the encrypted packet
anymore. In my tests, a value of 0x12 became 0x70012.

skb->nfmark is only written in 2 places in ipsec_rcv.c, but never read.
What would be the side effects of removing the modifications to nfmark
in ipsec_rcv_cleanup() and ipsec_rcv_decap_cont()?


More information about the Dev mailing list