[Openswan dev] preserving skb-nfmark in decrypted traffic
Tino Keitel
tino.keitel at innominate.com
Wed Feb 14 04:53:41 EST 2007
On Tue, Feb 13, 2007 at 10:55:19 -0500, Michael Richardson wrote:
[...]
> You would have a customer version of openswan which you'd have to maintain.
> The newest iptables code has a "mask" option to the nfmark processing.
> We posted patches for older kernels last winter,
> and similar ones were added during the iptables rewrite last August,
> which you'll see in 2.6.19.
Hi,
thanks for your reply. From reading the related code, it's not really
clear to me which bits in skb->nfmark are subject to modification by
OpenS/WAN. However, I need to know this to mask those bits out using
the iptables mask option.
    skb->nfmark = (skb->nfmark & (~(IPsecSAref2NFmark(IPSEC_SA_REF_MASK)))) |
                  IPsecSAref2NFmark(IPsecSA2SAref(irs->ipsp));
For me, ~(IPsecSAref2NFmark(IPSEC_SA_REF_MASK)) expands to
~((0 >> 16) << 16), or (__u32)~0, which is 0xffffffff, so all 32 bits of nfmark
are preserved.
Then it will be or'ed with IPsecSAref2NFmark(IPsecSA2SAref(irs->ipsp)),
so that the higher 16 bits of nfmark are subject to modifications. Is
this correct?
Regards,
Tino
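A small C check of which nfmark bits the quoted update can touch, added here as an example and not taken from the Openswan tree. It assumes IPsecSAref2NFmark(x) shifts the SAref into the top 16 bits and that IPSEC_SA_REF_MASK is 0xffff; adjust the two defines to whatever your kernel headers say and the reported mask follows.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed definitions, constructed for this example to mirror the shape of
 * the KLIPS macros. Check them against ipsec_sa.h in your tree. */
#define SAREF_IDX_WIDTH      16
#define IPSEC_SA_REF_MASK    ((1u << SAREF_IDX_WIDTH) - 1)               /* 0x0000ffff */
#define IPsecSAref2NFmark(x) ((uint32_t)(x) << (32 - SAREF_IDX_WIDTH))  /* SAref -> mark bits */

/* The same update that KLIPS applies to skb->nfmark on decryption:
 * clear the SAref field, then OR in the SAref of the SA that decrypted it. */
static uint32_t apply_saref(uint32_t nfmark, uint32_t saref)
{
    return (nfmark & ~IPsecSAref2NFmark(IPSEC_SA_REF_MASK)) |
           IPsecSAref2NFmark(saref & IPSEC_SA_REF_MASK);
}

/* Union, over every possible SAref, of the mark bits the update can flip.
 * Tested against an all-zero and an all-one original mark so that both
 * set and cleared bits are caught. */
static uint32_t modifiable_bits(void)
{
    uint32_t bits = 0;
    for (uint32_t saref = 0; saref <= IPSEC_SA_REF_MASK; saref++) {
        bits |= apply_saref(0x00000000u, saref) ^ 0x00000000u;
        bits |= apply_saref(0xffffffffu, saref) ^ 0xffffffffu;
    }
    return bits;
}

/* The mask to hand to iptables so it only looks at the bits KLIPS never writes. */
static uint32_t firewall_mask(void)
{
    return ~modifiable_bits();
}

int main(void)
{
    printf("bits KLIPS may modify: 0x%08x\n", modifiable_bits());
    printf("iptables mask to use:  0x%08x\n", firewall_mask());
    printf("mark 0x12345678 after SAref 1: 0x%08x\n", apply_saref(0x12345678u, 1u));
    return 0;
}
```

With the assumed defines the update only ever touches the upper 16 bits, so a firewall mark kept in the lower 16 bits survives decryption unchanged.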