[Openswan dev] [Openswan Users] Local esp packets are dropped on ipsec device when marking packets in OUTPUT chain

Paul Wouters paul at xelerance.com
Mon Oct 4 21:10:52 EDT 2010


On Mon, 4 Oct 2010, Wolfgang Nothdurft wrote:

>>> I have reported the bug including a patch at
>>> https://gsoc.xelerance.com/issues/1095
>> 
>> I looked at the patch, but it seemed wrong to blindly pass all ESP/AH
>> packets. I'll take a closer look at the issue.
>
> Is there any news on this?
> Without this there is no way to use policy based routing with fwmarks for
> ipsec.
>
> We have used this patch for the last half year in several environments without problems.
> Also our internal test framework shows no problem at all.

I think it is pretty safe to use, as this comes in after a check for whether we
are the source address. I am just wondering about corner cases where someone
would send us something with our source address.

As a sidenote, in protostack=mast mode we also use SArefs, which are
based on nfmarks, setting the high bit on the nfmark to claim it as
an SAref. So incidentally, if your mark uses the highest bit, I believe
we will let the packet go (but maybe you do have to use protostack=mast
for that).

In _updown.mast we set iptables marks in a route table (50) for tracking.

Why are you marking packets that still have to go through an ipsecX/mastX
device? Couldn't you use a "-o eth+" argument to your iptables MARK line?

Paul