[Openswan dev] preserving skb-nfmark in decrypted traffic

Michael Richardson mcr at xelerance.com
Tue Feb 13 10:55:19 EST 2007


>>>>> "Tino" == Tino Keitel <tino.keitel at innominate.com> writes:
    Tino> I noticed that with recent OpenS/WAN versions the nfmark value
    Tino> of a decrypted packet doesn't match the nfmark value of the
    Tino> encrypted packet anymore. In my tests, a value of 0x12 became
    Tino> 0x70012.

  Yes, the packet is marked with the "saref" of the SA, so that you can
filter it as to which SA was used to deliver the packet properly.

    Tino> skb->nfmark is only written in 2 places in ipsec_rcv.c, but never
    Tino> read.
    Tino> What would be the side effects of removing the modifications
    Tino> to nfmark in ipsec_rcv_cleanup() and ipsec_rcv_decap_cont()?

  You would have a customer version of openswan which you'd have to maintain.
  The newest iptables code has a "mask" option to the nfmark processing.
  We posted patches for older kernels last winter,
and similar ones were added during the iptables rewrite last August,
which you'll see in 2.6.19.
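The masked mark match the reply points at, as an added example that is not part of the original thread and not Openswan's own code: a small POSIX sh script showing why an unmasked rule for mark 0x12 stops matching once KLIPS rewrites the mark to 0x70012, and how a value/mask pair (the `-m mark --mark value/mask` form) keeps matching the original mark while the SA reference bits are ignored. It assumes the original mark survives in the low 16 bits and the saref occupies the bits above them; that layout is inferred from the 0x12 -> 0x70012 observation in the thread, not taken from the KLIPS source.

```shell
#!/bin/sh
# Added example (not from the original thread or from Openswan).
# Assumption: the original nfmark is kept in the low 16 bits and the SA
# reference (saref) is written into the bits above it, which is what the
# observed 0x12 -> 0x70012 change suggests. Real layouts may differ.

ORIG_MASK=0xffff   # bits assumed to hold the original (pre-decryption) mark

# mark_matches MARK VALUE MASK
# Prints "yes" when (MARK & MASK) == (VALUE & MASK), which is the test that
# iptables' "-m mark --mark VALUE/MASK" performs on skb->nfmark.
mark_matches() {
    if [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]; then
        echo yes
    else
        echo no
    fi
}

# saref_of MARK
# Prints the part of the mark outside ORIG_MASK, i.e. the saref bits that
# KLIPS added while delivering the decrypted packet.
saref_of() {
    printf '0x%x\n' $(( $1 & ~$ORIG_MASK ))
}

# rule_for_orig_mark VALUE
# Prints an iptables rule that still matches the original mark after the
# saref has been merged in, using the mask form of the mark match.
rule_for_orig_mark() {
    printf 'iptables -A INPUT -m mark --mark %s/%s -j ACCEPT\n' "$1" "$ORIG_MASK"
}

# Constructed values from the thread: original mark 0x12, observed 0x70012.
mark_matches 0x70012 0x12 0xffff        # yes: low 16 bits still equal 0x12
mark_matches 0x70012 0x12 0xffffffff    # no:  an unmasked rule no longer matches
saref_of 0x70012                        # 0x70000, the saref bits KLIPS added
rule_for_orig_mark 0x12                 # the rule that keeps matching
```

The same masked form also works the other way round: matching on the saref bits alone (`0x70000/0xffff0000` under the assumed layout) lets a rule select traffic by the SA that delivered it, which is the filtering the reply describes.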

-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [