[Openswan dev] preserving skb-nfmark in decrypted traffic
mcr at xelerance.com
Tue Feb 13 10:55:19 EST 2007
>>>>> "Tino" == Tino Keitel <tino.keitel at innominate.com> writes:
Tino> I noticed that with recent OpenS/WAN versions the nfmark value
Tino> of a decrypted packet doesn't match the nfmark value of the
Tino> encrypted packet anymore. In my tests, a value of 0x12 became
Yes, the packet is marked with the "saref" of the SA, so that you can
filter it as to which SA was used to deliver the packet properly.
Tino> skb->nfmark is only written in 2 places in ipsec_rcv.c, but never
Tino> read.
Tino> What would be the side effects of removing the modifications
Tino> to nfmark in ipsec_rcv_cleanup() and ipsec_rcv_decap_cont()?
You would have a customer version of openswan which you'd have to maintain.
The newest iptables code has a "mask" option to the nfmark processing.
We posted patches for older kernels last winter,
and similar ones were added during the iptables rewrite last August,
which you'll see in 2.6.19.
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [