From: "Steffen Heil (Mailinglisten)" <lists@steffen-heil.de>
To: Jan Engelhardt <jengelh@inai.de>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: AW: How to mark packet by reqid?
Date: Wed, 16 May 2012 06:34:56 +0000	[thread overview]
Message-ID: <EDD810CD654E254F90731B425DE8AA6F106B55B1@dc2008r2.sh-solutions.intern> (raw)
In-Reply-To: <alpine.LNX.2.01.1205160116330.17751@frira.zrqbmnf.qr>


Hi


First, thanks for the answer, but I am stuck with those:


> xt_esp generates debug output if you have "printk" sysctl set to show it.

How would I do so? I never used sysctl for anything but enabling ip
forwarding...


Second: Below is the current output of `ip -s xfrm policy`, `ip -s xfrm
state` and `setkey -D`.
I noticed:
- `ip -s xfrm policy` contains "proto esp spi 0x00000000(0)".
- `setkey -D` contains "spi=3243547107(0xc15499e3)".
- `ip -s xfrm state` contains "esp spi 0xc4b51d18(3300203800)".

Is this to be expected?


Third, I tried your command:

# iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK --set-mark 1
iptables v1.4.12: Gives: unknown option "--spi"

# iptables -t mangle -A PREROUTING -p esp -m espspi --spi 0xcdfebb11 -j MARK --set-mark 1
iptables v1.4.12: policy match: neither --dir in nor --dir out specified

# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir out -j MARK --set-mark 1
iptables: Invalid argument. Run `dmesg' for more information.

# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir in -j MARK --set-mark 1

That worked, however I still don't get the packets through.

Because of the different spi information mentioned above, I also tried:

# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir in -j MARK --set-mark 1

Same result: Accepted but not matched.
I can still get it to work removing the conditions, so everything else is
fine:

# iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1


I am still stuck and very thankful for every hint...


Regards,
  Steffen




# setkey -D
10.5.0.1 10.5.0.2
        esp mode=tunnel spi=3243547107(0xc15499e3) reqid=1(0x00000001)
        E: aes-cbc  49e40f42 d0df7e1e 7202ad2e c45110bd
        A: hmac-sha1  afa4eefd b81a952d 68f9cf88 3287715b 3d4ae624
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: May 16 06:02:36 2012   current: May 16 06:16:15 2012
        diff: 819(s)    hard: 1200(s)   soft: 896(s)
        last: May 16 06:12:04 2012      hard: 0(s)      soft: 0(s)
        current: 21168(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 252  hard: 0 soft: 0
        sadb_seq=1 pid=11397 refcnt=0
10.5.0.2 10.5.0.1
        esp mode=tunnel spi=3456023313(0xcdfebb11) reqid=1(0x00000001)
        E: aes-cbc  d5bcb28b 0378d65a 97ac2757 1afa6ff8
        A: hmac-sha1  1eeb8605 db1f4cc9 c3a4dc22 1a3306d2 b9928a9c
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: May 16 06:02:36 2012   current: May 16 06:16:15 2012
        diff: 819(s)    hard: 1200(s)   soft: 1014(s)
        last: May 16 06:12:04 2012      hard: 0(s)      soft: 0(s)
        current: 2100(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 25   hard: 0 soft: 0
        sadb_seq=0 pid=11397 refcnt=0


# ip -s  xfrm policy
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
        dir fwd action allow index 1530 priority 1859 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-16 06:16:40 use -
        mark 1/0xffffffff
        tmpl src 10.5.0.2 dst 10.5.0.1
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
        dir in action allow index 1520 priority 1859 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-16 06:16:40 use -
        mark 1/0xffffffff
        tmpl src 10.5.0.2 dst 10.5.0.1
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
        dir out action allow index 1513 priority 1859 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-16 06:16:40 use 2012-05-16 06:24:57
        mark 1/0xffffffff
        tmpl src 10.5.0.1 dst 10.5.0.2
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff


# ip -s  xfrm state
src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0xc4b51d18(3300203800) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0x597784c0a0905a2346a797daaa79145e17b1a2ca (160 bits) 96
        enc cbc(aes) 0xd44a6ec5f13010267a2d145f9564b75e (128 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 884(sec), hard 1200(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          49476(bytes), 589(packets)
          add 2012-05-16 06:16:40 use 2012-05-16 06:16:41
        stats:
          replay-window 0 replay 0 failed 0
src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0xc2f9a112(3271139602) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0x98af746b619e7d723696b2f67fc46a127fde097a (160 bits) 96
        enc cbc(aes) 0xef5b3d9a4a0cb8c9cc9787dbba0c7c9c (128 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 907(sec), hard 1200(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-16 06:16:40 use -
        stats:
          replay-window 0 replay 0 failed 0
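An added example, not part of this thread, that checks a `-m policy --spi` rule like the ones tried above against the SA list that `ip -s xfrm state` prints, reporting the reasons such a rule cannot match; the SA text and its SPIs are constructed in the same layout as the pasted output, and 10.5.0.1 is assumed to be the local tunnel endpoint.

```python
import re

# Constructed sample in the layout 'ip -s xfrm state' prints (SPIs made up).
XFRM_STATE = """\
src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0xc4b51d18(3300203800) reqid 1(0x00000001) mode tunnel
        mark 1/0xffffffff
src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0xc2f9a112(3271139602) reqid 1(0x00000001) mode tunnel
        mark 1/0xffffffff
"""

SA_RE = re.compile(r"^src (\S+) dst (\S+)$")
SPI_RE = re.compile(r"proto (\w+) spi (0x[0-9a-f]+)\S* reqid (\d+)")

def parse_xfrm_state(text):
    """Return one {src, dst, proto, spi, reqid} dict per SA in the output."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        m = SPI_RE.search(line)
        if m and cur is not None:
            cur.update(proto=m.group(1), spi=int(m.group(2), 16),
                       reqid=int(m.group(3)))
    return sas

# Chains in which xt_policy accepts each --dir value (iptables-extensions(8)).
VALID_DIRS = {"in": {"PREROUTING", "INPUT", "FORWARD"},
              "out": {"POSTROUTING", "OUTPUT", "FORWARD"}}

def check_policy_rule(chain, proto, direction, spi, sas, local_ip):
    """List reasons '-p PROTO -m policy --dir DIR --spi SPI' in CHAIN cannot match."""
    findings = []
    if chain not in VALID_DIRS[direction]:
        findings.append(f"--dir {direction} is not valid in {chain} (EINVAL)")
    if direction == "in" and proto == "esp":
        # --dir in matches the decapsulated inner packet (its sec_path), not
        # the outer ESP header; the outer SPI is what '-m esp --espspi' matches.
        findings.append("-p esp with --dir in only matches nested ESP; "
                        "use '-m esp --espspi' for the outer packet")
    inbound = {sa["spi"] for sa in sas if sa["dst"] == local_ip}
    if spi not in inbound:
        known = ", ".join(f"{s:#x}" for s in sorted(inbound))
        findings.append(f"no inbound SA with spi {spi:#x} (inbound SAs: {known})")
    return findings
```

Feeding the rule `-p esp -m policy --dir in --spi 0xcdfebb11` from PREROUTING into `check_policy_rule` yields two findings: the protocol/direction mismatch and an SPI that no inbound SA carries.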


