[Openswan dev] preserving skb-nfmark in decrypted traffic

Tino Keitel tino.keitel at innominate.com
Wed Feb 14 04:53:41 EST 2007

On Tue, Feb 13, 2007 at 10:55:19 -0500, Michael Richardson wrote:


>   You would have a customer version of openswan which you'd have to maintain.
>   The newest iptables code has a "mask" option to the nfmark processing.
>   We posted patches for older kernels last winter for older kernels, 
> and similar ones were added during the iptables rewrite last August,
> which you'll see in 2.6.19.


thanks for your reply. From reading the related code, it's not really
clear to me what bits in skb->nfmark are subject to modifications by
OpenS/WAN. However, I need to know this, to mask those bits out using
the iptables mask option.

skb->nfmark = (skb->nfmark & (~(IPsecSAref2NFmark(IPSEC_SA_REF_MASK)))) |

For me, ~(IPsecSAref2NFmark(IPSEC_SA_REF_MASK)) expands to
~((0 >> 16) << 16), or (__u32)~0, which is 0xffffffff, so all 32 bits of nfmark
are preserved.

Then it will be or'ed with IPsecSAref2NFmark(IPsecSA2SAref(irs->ipsp)),
so that the higher 16 bits of nfmark are subject to modifications. Is
this correct?


More information about the Dev mailing list