* How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-15 22:44 UTC
To: netfilter

Hi

I have the following problem.
I have SAs that use firewall marks. So only packets that have that mark get encoded and decoded.
I managed to set the mark for packets that shall be encoded but I cannot get the other side working.

I have incoming packets that need to be decrypted and I need to set the correct mark for those.
I CAN actually set the mark using the following command:

  iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1

BUT that rule matches ALL incoming esp packets. Yet I will have multiple SAs and I need to set different marks.
I tried to use select by reqid or by spi, but as soon as I try that, the rule does not match anything any more.

Can someone help me to get that iptables command right?

Best regards,
  Steffen


root@vpn-b:~# setkey -D
10.5.0.2 10.5.0.1
    esp mode=tunnel spi=3296784692(0xc480f134) reqid=1(0x00000001)
    E: aes-cbc  c5eb72ab 906d5717 67e405f5 cfe73f7a
    A: hmac-sha1  6935290e e51f0965 06577876 0d6237d6 45a0083d
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: May 15 22:23:06 2012   current: May 15 22:24:43 2012
    diff: 97(s)     hard: 1200(s)   soft: 907(s)
    last: May 15 22:23:19 2012      hard: 0(s)      soft: 0(s)
    current: 7140(bytes)    hard: 0(bytes)  soft: 0(bytes)
    allocated: 85   hard: 0 soft: 0
    sadb_seq=1 pid=8282 refcnt=0
10.5.0.1 10.5.0.2
    esp mode=tunnel spi=3470192236(0xced6ee6c) reqid=1(0x00000001)
    E: aes-cbc  e6fad1a5 ff31325b b4856748 c8997ea1
    A: hmac-sha1  e401cc9d 59668c9f 866d7e86 b5a38d2c 1dcb2f2d
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: May 15 22:23:06 2012   current: May 15 22:24:43 2012
    diff: 97(s)     hard: 1200(s)   soft: 888(s)
    last: May 15 22:23:19 2012      hard: 0(s)      soft: 0(s)
    current: 7140(bytes)    hard: 0(bytes)  soft: 0(bytes)
    allocated: 85   hard: 0 soft: 0
    sadb_seq=0 pid=8282 refcnt=0

root@vpn-b:~# ip -s xfrm policy
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
    dir fwd action allow index 1218 priority 1859 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2012-05-15 22:08:11 use 2012-05-15 22:18:27
    mark 1/0xffffffff
    tmpl src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
    dir in action allow index 1208 priority 1859 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2012-05-15 22:08:11 use -
    mark 1/0xffffffff
    tmpl src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
    dir out action allow index 1201 priority 1859 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2012-05-15 22:08:11 use 2012-05-15 22:18:27
    mark 1/0xffffffff
    tmpl src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
* Re: How to mark packet by reqid?
From: Jan Engelhardt @ 2012-05-15 23:23 UTC
To: Steffen Heil (Mailinglisten); +Cc: netfilter

On Wednesday 2012-05-16 00:44, Steffen Heil (Mailinglisten) wrote:
>
>I have incoming packets that need to be decrypted and I need to set the
>correct mark for those.
>I CAN actually set the mark using the following command:
>
>  iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1
>
>BUT that rule matches ALL incoming esp packets. Yet I will have multiple SAs
>and I need to set different marks.
>I tried to use select by reqid or by spi, but as soon as I try that, the
>rule does not match anything any more.

xt_esp generates debug output if you have "printk" sysctl set to show it.

>Can someone help me to get that iptables command right?

-t mangle -A PREROUTING -p esp --spi 0xc480f134 -j MARK --set-mark 1

>10.5.0.2 10.5.0.1
>    esp mode=tunnel spi=3296784692(0xc480f134) reqid=1(0x00000001)
>    E: aes-cbc  c5eb72ab 906d5717 67e405f5 cfe73f7a
>    A: hmac-sha1  6935290e e51f0965 06577876 0d6237d6 45a0083d
>    seq=0x00000000 replay=32 flags=0x00000000 state=mature
>    created: May 15 22:23:06 2012   current: May 15 22:24:43 2012
>    diff: 97(s)     hard: 1200(s)   soft: 907(s)
>    last: May 15 22:23:19 2012      hard: 0(s)      soft: 0(s)
>    current: 7140(bytes)    hard: 0(bytes)  soft: 0(bytes)
>    allocated: 85   hard: 0 soft: 0
>    sadb_seq=1 pid=8282 refcnt=0
* AW: How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-16 6:34 UTC
To: Jan Engelhardt; +Cc: netfilter

Hi

First, thanks for the answer, but I am stuck with those:

> xt_esp generates debug output if you have "printk" sysctl set to show it.

How would I do so? I never used sysctl for anything but enabling ip forwarding....

Second: Below is the current output of `ip -s xfrm policy`, `ip -s xfrm state` and `setkey -D`.
I noticed,
- `ip -s xfrm policy` contains "proto esp spi 0x00000000(0)".
- `setkey -D` contains "spi=3243547107(0xc15499e3)".
- `ip -s xfrm state` contains "esp spi 0xc4b51d18(3300203800)".

Is this to be expected?

Third, I tried your command:

# iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK --set-mark 1
iptables v1.4.12: Gives: unknown option "--spi"

# iptables -t mangle -A PREROUTING -p esp -m espspi --spi 0xcdfebb11 -j MARK --set-mark 1
iptables v1.4.12: policy match: neither --dir in nor --dir out specified

# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir out -j MARK --set-mark 1
iptables: Invalid argument. Run `dmesg' for more information.

# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir in -j MARK --set-mark 1

That worked, however I still don't get the packets through.
Because of the different spi information mentioned above, I also tried:

# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir in -j MARK --set-mark 1

Same result: Accepted but not matched.

I can still get it to work removing the conditions, so everything else is fine:

# iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1

I am still stuck and very thankful for every hint...

Regards,
  Steffen


# setkey -D
10.5.0.1 10.5.0.2
    esp mode=tunnel spi=3243547107(0xc15499e3) reqid=1(0x00000001)
    E: aes-cbc  49e40f42 d0df7e1e 7202ad2e c45110bd
    A: hmac-sha1  afa4eefd b81a952d 68f9cf88 3287715b 3d4ae624
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: May 16 06:02:36 2012   current: May 16 06:16:15 2012
    diff: 819(s)    hard: 1200(s)   soft: 896(s)
    last: May 16 06:12:04 2012      hard: 0(s)      soft: 0(s)
    current: 21168(bytes)   hard: 0(bytes)  soft: 0(bytes)
    allocated: 252  hard: 0 soft: 0
    sadb_seq=1 pid=11397 refcnt=0
10.5.0.2 10.5.0.1
    esp mode=tunnel spi=3456023313(0xcdfebb11) reqid=1(0x00000001)
    E: aes-cbc  d5bcb28b 0378d65a 97ac2757 1afa6ff8
    A: hmac-sha1  1eeb8605 db1f4cc9 c3a4dc22 1a3306d2 b9928a9c
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: May 16 06:02:36 2012   current: May 16 06:16:15 2012
    diff: 819(s)    hard: 1200(s)   soft: 1014(s)
    last: May 16 06:12:04 2012      hard: 0(s)      soft: 0(s)
    current: 2100(bytes)    hard: 0(bytes)  soft: 0(bytes)
    allocated: 25   hard: 0 soft: 0
    sadb_seq=0 pid=11397 refcnt=0

# ip -s xfrm policy
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
    dir fwd action allow index 1530 priority 1859 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2012-05-16 06:16:40 use -
    mark 1/0xffffffff
    tmpl src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
    dir in action allow index 1520 priority 1859 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2012-05-16 06:16:40 use -
    mark 1/0xffffffff
    tmpl src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
    dir out action allow index 1513 priority 1859 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2012-05-16 06:16:40 use 2012-05-16 06:24:57
    mark 1/0xffffffff
    tmpl src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

# ip -s xfrm state
src 10.5.0.1 dst 10.5.0.2
    proto esp spi 0xc4b51d18(3300203800) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 1/0xffffffff
    auth-trunc hmac(sha1) 0x597784c0a0905a2346a797daaa79145e17b1a2ca (160 bits) 96
    enc cbc(aes) 0xd44a6ec5f13010267a2d145f9564b75e (128 bits)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 884(sec), hard 1200(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      49476(bytes), 589(packets)
      add 2012-05-16 06:16:40 use 2012-05-16 06:16:41
    stats:
      replay-window 0 replay 0 failed 0
src 10.5.0.2 dst 10.5.0.1
    proto esp spi 0xc2f9a112(3271139602) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 1/0xffffffff
    auth-trunc hmac(sha1) 0x98af746b619e7d723696b2f67fc46a127fde097a (160 bits) 96
    enc cbc(aes) 0xef5b3d9a4a0cb8c9cc9787dbba0c7c9c (128 bits)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 907(sec), hard 1200(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2012-05-16 06:16:40 use -
    stats:
      replay-window 0 replay 0 failed 0
* Re: AW: How to mark packet by reqid?
From: Jan Engelhardt @ 2012-05-16 6:51 UTC
To: Steffen Heil (Mailinglisten); +Cc: netfilter

On Wednesday 2012-05-16 08:34, Steffen Heil (Mailinglisten) wrote:
>
>> xt_esp generates debug output if you have "printk" sysctl set to show it.
>
>How would I do so? I never used sysctl for anything but enabling ip
>forwarding....

sysctl -w kernel.printk="7 7 7 7"

is probably one way.

>Second: Below is the current output of `ip -s xfrm policy`, `ip -s xfrm
>state` and `setkey -D`.
>I noticed,
>- `ip -s xfrm policy` contains "proto esp spi 0x00000000(0)".
>- `setkey -D` contains "spi=3243547107(0xc15499e3)".
>- `ip -s xfrm state` contains "esp spi 0xc4b51d18(3300203800)".
>
>Is this to be expected?

It is not unusual to see `ip -s x p` showing spi 0. About setkey I don't know, since openswan and I don't use that. Better trust `ip x s`. Also note that there may be a handful of SPIs live between peers, not just a single one.

>Third, I tried your command:
>
># iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK
>--set-mark 1
>iptables v1.4.12: Gives: unknown option "--spi"

--espspi per manpage.

># iptables -t mangle -A PREROUTING -p esp -m espspi --spi 0xcdfebb11 -j MARK
>--set-mark 1
>iptables v1.4.12: policy match: neither --dir in nor --dir out specified

Your command does not match your output.

># iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir
>out -j MARK --set-mark 1
>iptables: Invalid argument. Run `dmesg' for more information.

See dmesg. (Well, it told you that.)

># iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir
>in -j MARK --set-mark 1
>
>That worked, however I still don't get the packets through.

Why don't you try --espspi 0xc4b51d18 for a change, since that is (one value) from those obtained from ip x s.
* AW: AW: How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-17 20:15 UTC
To: Jan Engelhardt; +Cc: netfilter

Hi again,

Lots of experiments later, but still no luck....

> >> xt_esp generates debug output if you have "printk" sysctl set to show it.
> >How would I do so? I never used sysctl for anything but enabling ip
> >forwarding....
> sysctl -w kernel.printk="7 7 7 7"

I did. And I tried
# echo "7 7 7 7" > /proc/sys/kernel/printk

Nothing appears on `dmesg`.

Also I noticed that xt_esp was not loaded automatically. I had to load it using `insmod`. Still no output.
But note, that I could not use -m esp --espspi either, see below.

> ># iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK
> >--set-mark 1 iptables v1.4.12: Gives: unknown option "--spi"
> --espspi per manpage.

-m esp --espspi XXXXX
Or
-m policy --spi XXXXX --dir in

The latter does not match, but I cannot even get the former one to be accepted:

# iptables -t mangle -D PREROUTING -p esp -m esp --espspi 0xcde0e1ca -j MARK --set-mark 1
iptables: No chain/target/match by that name.
# iptables -t mangle -D PREROUTING -p esp --espspi 0xcde0e1ca -j MARK --set-mark 1
iptables: No chain/target/match by that name.
# iptables -t mangle -D PREROUTING -m esp --espspi 0xcde0e1ca -j MARK --set-mark 1
iptables: No chain/target/match by that name.

Is there a way to find out what's wrong here?

> Why don't you try --espspi 0xc4b51d18 for a change, since that is (one value)
> from those obtained from ip x s.

--espspi does not work at all - iptables complains, see above.
Also, I tried -m policy --spi XXXX -dir in for all spi codes I could find anywhere - it never matched..

BTW: If matching the SPI is a problem, I would prefer matching reqid anyway. But for now it would suffice to match any of those.

I am really stuck here. Any hints are still welcome.
Also I would be glad, if I could chat with someone using msn messenger or mirc or anything. I could also provide ssh root access to these machines...

Regards,
  Steffen
* RE: AW: How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-17 20:39 UTC
To: Steffen Heil (Mailinglisten), Jan Engelhardt; +Cc: netfilter

BTW, if that helps, here is some information about my systems.
(Ubuntu 12.04 LTS Precise Pangolin, currently virtual, 64bit, fully updated.)

root@vpn-a:~# iptables --version
iptables v1.4.12

root@vpn-a:~# uname -a
Linux vpn-a 3.2.0-24-virtual #37-Ubuntu SMP Wed Apr 25 10:17:19 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

root@vpn-a:~# lsmod
Module                  Size  Used by
xt_policy              12670  1
xt_esp                 12529  0
iptable_mangle         12734  1
xt_mark                12563  2
ip_tables              27473  1 iptable_mangle
x_tables               29846  5 xt_policy,xt_esp,iptable_mangle,xt_mark,ip_tables
authenc                17582  2
xfrm6_mode_tunnel      12639  2
xfrm4_mode_tunnel      12639  4
xfrm_user              31825  2
xfrm4_tunnel           12779  0
tunnel4                13213  1 xfrm4_tunnel
ipcomp                 12673  0
xfrm_ipcomp            13556  1 ipcomp
esp4                   17061  2
ah4                    12885  0
deflate                12617  0
zlib_deflate           27139  1 deflate
ctr                    13201  0
twofish_generic        16635  0
twofish_x86_64_3way    25287  0
twofish_x86_64         12867  1 twofish_x86_64_3way
twofish_common         20919  3 twofish_generic,twofish_x86_64_3way,twofish_x86_64
camellia               29348  0
serpent                29125  0
blowfish_generic       12530  0
blowfish_x86_64        21466  0
blowfish_common        16699  2 blowfish_generic,blowfish_x86_64
cast5                  25112  0
des_generic            21415  0
xcbc                   12815  0
rmd160                 16744  0
sha512_generic         12796  0
crypto_null            12918  0
af_key                 36389  0
xfs                   836508  1
* RE: AW: How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-18 9:35 UTC
To: Jan Engelhardt; +Cc: netfilter

Another fact:

I added a logging rule and I got logged:

May 18 09:27:00 vpn-a kernel: [49503.963182] mangle_PREROUTING: IN=eth0 OUT= MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00 SRC=10.5.0.2 DST=10.5.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=56019 PROTO=ESP SPI=0xc89f8130

My mangle / POSTROUTING rules:

-s 10.1.1.0/24 -d 10.2.1.0/24 -j MARK --set-xmark 0x1/0xffffffff
-p esp -m policy --dir in --pol ipsec --spi 0xc89f8130 -j MARK --set-xmark 0x1/0xffffffff
-p esp -m policy --dir in --pol ipsec --reqid 1 -j MARK --set-xmark 0x1/0xffffffff
-j LOG --log-prefix "mangle_PREROUTING: "

Yet the packet did not get marked...
I start to believe this is a bug.

Regards,
  Steffen

> -----Original Message-----
> From: Steffen Heil (Mailinglisten)
> Sent: Thursday, May 17, 2012 10:39 PM
> To: Steffen Heil (Mailinglisten); Jan Engelhardt
> Cc: netfilter@vger.kernel.org
> Subject: RE: AW: How to mark packet by reqid?
>
> BTW, if that helps, here is some information about my systems.
> (Ubuntu 12.04 LTS Precise Pangolin, currently virtual, 64bit, fully
> updated.)
* Re: Nix-AW: AW: How to mark packet by reqid?
From: Jan Engelhardt @ 2012-05-25 9:43 UTC
To: Steffen Heil (Mailinglisten); +Cc: netfilter

On Thursday 2012-05-17 22:15, Steffen Heil (Mailinglisten) wrote:
>
>> >> xt_esp generates debug output if you have "printk" sysctl set to show
>it.
>> >How would I do so? I never used sysctl for anything but enabling ip
>> >forwarding....
>> sysctl -w kernel.printk="7 7 7 7"
>
>I did. And I tried
># echo "7 7 7 7" > /proc/sys/kernel/printk
>
>Nothing appears on `dmesg`.

Sigh. Then I don't know, but it ought to be enabled somehow at runtime, this awesome dynamic printk thing. (provided it's compiled)

>Also I noticed that xt_esp was not loaded automatically. I had to load it
>using `insmod`.

Is modprobe broken on your system? It is loaded automatically (try_then_request_module from the kernel).

>But note, that I could not use -m esp --espspi either, see below.
>
>> ># iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK
>> >--set-mark 1 iptables v1.4.12: Gives: unknown option "--spi"
>> --espspi per manpage.
>
>-m esp --espspi XXXXX
>Or
>-m policy --spi XXXXX --dir in
>
>The latter does not match, but I cannot even get the former one to be
>accepted:
>
># iptables -t mangle -D PREROUTING -p esp -m esp --espspi 0xcde0e1ca -j MARK
>--set-mark 1
>iptables: No chain/target/match by that name.

So, kernel without mangle table or without xt_esp or without MARK. Pretty easy:

modprobe -q xt_esp
ls -dl /sys/module/xt_esp

etc.
* RE: AW: How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-19 11:33 UTC
To: Jan Engelhardt; +Cc: netfilter

Hi

First of all, sorry for the previous posts. After taking some time off and giving this a fresh look, I realized I did not only make some copy and paste errors in these mails, but my focus on the correct matching conditions was so fixed that I totally overlooked having "-D" instead of "-A" in some of my commands. Obviously they didn't work... My sincere apologies for that.

Now, I got the following working:

iptables -t mangle -A PREROUTING --proto esp -m esp --espspi 0xc522b7f3 -j MARK --set-mark 1

I tried to transform that to

iptables -t mangle -A PREROUTING --proto esp -m policy --spi 0xc522b7f3 -j MARK --dir in --set-mark 1

But then it does not work anymore.
Is there any fundamental difference between those conditions that I do not understand?

Note: My original target was to use reqid instead of spi, because I can fix the reqid and the firewall rules should be independent of IKE...

Regards,
  Steffen
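The difference the last message asks about is structural, and it also explains why the `-m policy --dir in --spi`/`--reqid` rules in the message of 2012-05-18 never fired. `-m policy --dir in` matches on the IPsec policy that xfrm input attaches to a packet after it has been decrypted and decapsulated; in mangle PREROUTING the packet is still the outer ESP datagram, which carries no such state, and by the time the inner packet re-enters PREROUTING with a policy attached it is no longer `-p esp`. The inbound SA lookup itself is keyed by destination address, SPI and mark, so the mark has to be on the outer packet before decryption, and the only per-SA handle visible in that packet is the SPI; the reqid exists in the kernel's SA, not on the wire. That is why `-m esp --espspi` is the match that works, and why an SPI-based rule has to follow IKE rekeys. The script below, an added example that is not code from the thread or from netfilter, reads `ip xfrm state`, derives one `-m esp --espspi` mark rule per inbound SA (setting the mark the SA itself carries and optionally filtered by the stable reqid), and extracts the SPI from a kernel LOG line like the one posted on 2012-05-18 so a logged ESP packet can be checked against the SA table when a rule does not fire. The sample state output and log line are constructed from the values in the thread; the line layout of `ip xfrm state` is assumed from iproute2 of that era. Rules are printed, not applied, so they can be reviewed before being fed to the shell from an IKE up/down hook.

```shell
#!/bin/sh
# Added example: per-SA ESP mark rules derived from `ip xfrm state`.

# Constructed sample of `ip xfrm state` output (addresses, SPIs, reqid and
# mark taken from the thread; line breaks assumed). Key lines are omitted.
SAMPLE_XFRM_STATE='src 10.5.0.1 dst 10.5.0.2
    proto esp spi 0xc4b51d18(3300203800) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 1/0xffffffff
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
    stats:
      replay-window 0 replay 0 failed 0
src 10.5.0.2 dst 10.5.0.1
    proto esp spi 0xc2f9a112(3271139602) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 1/0xffffffff
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
    stats:
      replay-window 0 replay 0 failed 0'

# Constructed sample kernel LOG line (the one posted in the thread).
SAMPLE_LOG_LINE='May 18 09:27:00 vpn-a kernel: [49503.963182] mangle_PREROUTING: IN=eth0 OUT= MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00 SRC=10.5.0.2 DST=10.5.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=56019 PROTO=ESP SPI=0xc89f8130'

# esp_mark_rules LOCAL_ADDR [REQID]   (reads `ip xfrm state` on stdin)
# Prints one mangle rule per inbound SA (dst == LOCAL_ADDR). The rule
# matches the outer ESP packet by SPI in PREROUTING, i.e. before xfrm
# input, and sets the mark the SA carries, which is what the inbound SA
# lookup requires. The reqid goes into a comment so a rekey hook can find
# and replace the rule; with REQID given, only that reqid's SAs are emitted.
esp_mark_rules() {
    awk -v me="$1" -v want="${2:-}" '
    function flush() {
        if (spi != "" && dst == me && mark != "" && (want == "" || reqid == want))
            printf "iptables -t mangle -A PREROUTING -s %s -d %s -p esp -m esp --espspi %s -m comment --comment \"reqid %s\" -j MARK --set-mark %s\n", src, dst, spi, reqid, mark
        src = ""; dst = ""; spi = ""; reqid = ""; mark = ""
    }
    /^src /                       { flush(); src = $2; dst = $4 }
    /^[[:space:]]*proto esp spi/  { spi = $4; sub(/\(.*/, "", spi); reqid = $6; sub(/\(.*/, "", reqid) }
    /^[[:space:]]*mark /          { mark = $2; sub(/\/.*/, "", mark) }
    END                           { flush() }'
}

# esp_spi_from_log LINE
# Extracts the SPI from a kernel LOG line for an ESP packet. Comparing it
# with the SPIs in `ip xfrm state` is the first check when a mark rule does
# not fire: a packet whose SPI belongs to no inbound SA cannot be matched
# by any SPI rule and is dropped by xfrm input whatever its mark.
esp_spi_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*PROTO=ESP SPI=\(0x[0-9a-fA-F]*\).*/\1/p'
}

# spi_is_inbound_sa LOCAL_ADDR SPI   (reads `ip xfrm state` on stdin)
# Exit status 0 when SPI belongs to an SA terminating at LOCAL_ADDR.
spi_is_inbound_sa() {
    esp_mark_rules "$1" | grep -q -- "--espspi $2 "
}

# Stand-alone demonstration on the constructed sample. On a live gateway
# the input would be `ip xfrm state` and the output reviewed, then piped
# to sh.
printf '%s\n' "$SAMPLE_XFRM_STATE" | esp_mark_rules 10.5.0.1
printf 'logged SPI: %s\n' "$(esp_spi_from_log "$SAMPLE_LOG_LINE")"
```

Run as `ip xfrm state | sh -c '. ./esp_mark_rules.sh; esp_mark_rules 10.5.0.1 1'` (path and file name are the reader's choice) from the IKE daemon's up/down hook so the rule set tracks every rekey; the `-m comment` tag is what lets the hook delete the previous reqid's rule before inserting the new one.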