[Openswan dev] [Openswan Users] Local esp packets are dropped on ipsec device when marking packets in OUTPUT chain

Wolfgang Nothdurft wolfgang at linogate.de
Tue Oct 5 04:17:22 EDT 2010

On 05.10.2010 03:10, Paul Wouters wrote:
> On Mon, 4 Oct 2010, Wolfgang Nothdurft wrote:
>>>> I have reported the bug including a patch at
>>>> https://gsoc.xelerance.com/issues/1095
>>> I looked at the patch, but it seemed wrong to blindly pass all ESP/AH
>>> packets. I'll take a closer look at the issue.
>> Is there any news on this.
>> Without this there is no way to use policy based routing with fwmarks
>> for ipsec.
>> We have used this patch for the last half year in several environments
>> without problems.
>> Also our internal test framework shows no problem at all.
> I think it is pretty safe to use, as this comes in after a check for
> whether we are the source address. I am just wondering about corner
> cases where someone would send us something with our source address.
> As a sidenote, in protostack=mast mode we also use SArefs, which are
> based on nfmarks, and set the high bit on the nfmark to claim it as
> an SAref. So incidentally, if your mark uses the highest bit, I believe
> we will let the packet go (but maybe you do have to use protostack=mast
> for that).
> In _updown.mast we set iptables marks in a route table (50) for tracking.
> Why are you marking packets that still have to go through an ipsecX/mastX
> device? Couldn't you use a "-o eth+" argument to your iptables MARK line?
> Paul

Hi Paul,

thanks for the answer.

We take the SAref bit into account and use only the low bits for routing.
The problem is not that the packets that go through ipsec were marked in 
the OUTPUT chain; the problem is that the ESP packets themselves that go 
through the OUTPUT chain were marked and rerouted.
The -o eth+ doesn't help in this case, because I need to mark the ESP 
packet that is already routed to an outgoing ethernet device in order to 
reroute it to another device.

For example, I want to route IPsec not over the default gateway eth1.

I set a mark like this:

iptables -t mangle -A OUTPUT -p esp -j MARK --or-mark 0x1
iptables -t mangle -A OUTPUT -p udp --dport 500 -j MARK --or-mark 0x1

and route it with ip rules:

ip rule add fwmark 0x1 lookup table other_gateway
ip route add default dev eth2 table other_gateway

The ESP packet that was marked in the OUTPUT chain is then rerouted by 
netfilter and lands on the ipsec device because of the ipsec host route 
to the other host, and is then dropped as described in the ticket.

Without the possibility of marking ESP packets in the OUTPUT chain, I 
see no way to use a routing configuration based on the IPsec protocol.
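The configuration described in this message, written out as an added example that is not part of the original post or of Openswan. It generates the iptables/ip commands for fwmark-based policy routing of ESP, AH and IKE (UDP 500, and NAT-T on 4500, which the post does not mention) and refuses any mark that touches the SAref high bit Paul describes. The helper names, the `fwmark MARK/MASK` rule syntax, the `ip route get ... mark` check and the 198.51.100.7 peer address are this example's own assumptions; AH and port 4500 go beyond the post's rule set. The script only prints commands, so it runs without privileges. It does not work around the KLIPS behaviour the post reports (marked ESP landing on the ipsec device and being dropped); it shows the intended routing setup and the mark hygiene needed next to SArefs.

```shell
#!/bin/sh
# Added example, not Openswan code: build fwmark policy routing for IPsec
# (ESP/AH + IKE) while leaving the SAref high bit untouched.
# Commands are printed, not executed; pipe the output to sh to apply them.

SAREF_BIT=0x80000000        # highest nfmark bit, claimed by mast-mode SArefs
IPSEC_PEER=198.51.100.7     # constructed documentation address, not a real peer

# mark_is_low MARK: succeed only if MARK leaves the SAref bit clear
mark_is_low() {
    [ $(( $1 & $SAREF_BIT )) -eq 0 ]
}

# ipsec_pbr_rules MARK TABLE DEV [UDP_PORT...]
# Prints the commands that send IPsec traffic out of DEV via routing TABLE.
ipsec_pbr_rules() {
    mark=$1; table=$2; dev=$3; shift 3
    if ! mark_is_low "$mark"; then
        echo "mark $mark overlaps the SAref bit $SAREF_BIT" >&2
        return 1
    fi
    # --or-mark adds our bit without clearing bits set by others (e.g. SArefs)
    echo "iptables -t mangle -A OUTPUT -p esp -j MARK --or-mark $mark"
    echo "iptables -t mangle -A OUTPUT -p ah -j MARK --or-mark $mark"
    for port in "$@"; do
        echo "iptables -t mangle -A OUTPUT -p udp --dport $port -j MARK --or-mark $mark"
    done
    # MARK/MARK matches whenever our bit is set, whatever the other bits hold
    echo "ip rule add fwmark $mark/$mark lookup $table"
    echo "ip route add default dev $dev table $table"
    # check: the marked lookup must pick DEV, not the default gateway
    echo "ip route get $IPSEC_PEER mark $mark"
}

# The post's values: mark 0x1, table other_gateway, eth2, IKE on 500 (+4500)
ipsec_pbr_rules 0x1 other_gateway eth2 500 4500
```

The table name (`other_gateway`) has to exist in /etc/iproute2/rt_tables before `ip rule` and `ip route` accept it; the `ip route get` line at the end is the check to run after applying the rules, and it should report `dev eth2`.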

