* How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-15 22:44 UTC
To: netfilter
Hi
I have the following problem. I have SAs that use firewall marks. So only
packets that have that mark get encoded and decoded.
I managed to set the mark for packets that shall be encoded but I cannot get
the other side working.
I have incoming packets that need to be decrypted and I need to set the
correct mark for those.
I CAN actually set the mark using the following command:
iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1
BUT that rule matches ALL incoming esp packets. Yet I will have multiple SAs
and I need to set different marks.
I tried to use select by reqid or by spi, but as soon as I try that, the
rule does not match anything any more.
Can someone help me to get that iptables command right?
Best regards,
Steffen
root@vpn-b:~# setkey -D
10.5.0.2 10.5.0.1
esp mode=tunnel spi=3296784692(0xc480f134) reqid=1(0x00000001)
E: aes-cbc c5eb72ab 906d5717 67e405f5 cfe73f7a
A: hmac-sha1 6935290e e51f0965 06577876 0d6237d6 45a0083d
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: May 15 22:23:06 2012 current: May 15 22:24:43 2012
diff: 97(s) hard: 1200(s) soft: 907(s)
last: May 15 22:23:19 2012 hard: 0(s) soft: 0(s)
current: 7140(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 85 hard: 0 soft: 0
sadb_seq=1 pid=8282 refcnt=0
10.5.0.1 10.5.0.2
esp mode=tunnel spi=3470192236(0xced6ee6c) reqid=1(0x00000001)
E: aes-cbc e6fad1a5 ff31325b b4856748 c8997ea1
A: hmac-sha1 e401cc9d 59668c9f 866d7e86 b5a38d2c 1dcb2f2d
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: May 15 22:23:06 2012 current: May 15 22:24:43 2012
diff: 97(s) hard: 1200(s) soft: 888(s)
last: May 15 22:23:19 2012 hard: 0(s) soft: 0(s)
current: 7140(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 85 hard: 0 soft: 0
sadb_seq=0 pid=8282 refcnt=0
root@vpn-b:~# ip -s xfrm policy
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
dir fwd action allow index 1218 priority 1859 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-05-15 22:08:11 use 2012-05-15 22:18:27
mark 1/0xffffffff
tmpl src 10.5.0.1 dst 10.5.0.2
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
dir in action allow index 1208 priority 1859 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-05-15 22:08:11 use -
mark 1/0xffffffff
tmpl src 10.5.0.1 dst 10.5.0.2
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
dir out action allow index 1201 priority 1859 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-05-15 22:08:11 use 2012-05-15 22:18:27
mark 1/0xffffffff
tmpl src 10.5.0.2 dst 10.5.0.1
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
* Re: How to mark packet by reqid?
From: Jan Engelhardt @ 2012-05-15 23:23 UTC
To: Steffen Heil (Mailinglisten); +Cc: netfilter
On Wednesday 2012-05-16 00:44, Steffen Heil (Mailinglisten) wrote:
>
>I have incoming packets that need to be decrypted and I need to set the
>correct mark for those.
>I CAN actually set the mark using the following command:
>
> iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1
>
>BUT that rule matches ALL incoming esp packets. Yet I will have multiple SAs
>and I need to set different marks.
>I tried to use select by reqid or by spi, but as soon as I try that, the
>rule does not match anything any more.
xt_esp generates debug output if you have "printk" sysctl set to show it.
>Can someone help me to get that iptables command right?
-t mangle -A PREROUTING -p esp --spi 0xc480f134 -j MARK --set-mark 1
>10.5.0.2 10.5.0.1
> esp mode=tunnel spi=3296784692(0xc480f134) reqid=1(0x00000001)
> E: aes-cbc c5eb72ab 906d5717 67e405f5 cfe73f7a
> A: hmac-sha1 6935290e e51f0965 06577876 0d6237d6 45a0083d
> seq=0x00000000 replay=32 flags=0x00000000 state=mature
> created: May 15 22:23:06 2012 current: May 15 22:24:43 2012
> diff: 97(s) hard: 1200(s) soft: 907(s)
> last: May 15 22:23:19 2012 hard: 0(s) soft: 0(s)
> current: 7140(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 85 hard: 0 soft: 0
> sadb_seq=1 pid=8282 refcnt=0
* AW: How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-16 6:34 UTC
To: Jan Engelhardt; +Cc: netfilter
Hi
First, thanks for the answer, but I am stuck with those:
> xt_esp generates debug output if you have "printk" sysctl set to show it.
How would I do so? I never used sysctl for anything but enabling ip
forwarding....
Second: Below is the current output of `ip -s xfrm policy`, `ip -s xfrm state` and `setkey -D`.
I noticed,
- `ip -s xfrm policy` contains "proto esp spi 0x00000000(0)".
- `setkey -D` contains "spi=3243547107(0xc15499e3)".
- `ip -s xfrm state` contains "esp spi 0xc4b51d18(3300203800)".
Is this to be expected?
Third, I tried your command:
# iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK --set-mark 1
iptables v1.4.12: Gives: unknown option "--spi"
# iptables -t mangle -A PREROUTING -p esp -m espspi --spi 0xcdfebb11 -j MARK --set-mark 1
iptables v1.4.12: policy match: neither --dir in nor --dir out specified
# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir out -j MARK --set-mark 1
iptables: Invalid argument. Run `dmesg' for more information.
# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir in -j MARK --set-mark 1
That worked, however I still don't get the packets through.
Because of the different spi information mentioned above, I also tried:
# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir in -j MARK --set-mark 1
Same result: Accepted but not matched.
I can still get it to work removing the conditions, so everything else is
fine:
# iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1
I am still stuck and very thankful for every hint...
Regards,
Steffen
# setkey -D
10.5.0.1 10.5.0.2
esp mode=tunnel spi=3243547107(0xc15499e3) reqid=1(0x00000001)
E: aes-cbc 49e40f42 d0df7e1e 7202ad2e c45110bd
A: hmac-sha1 afa4eefd b81a952d 68f9cf88 3287715b 3d4ae624
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: May 16 06:02:36 2012 current: May 16 06:16:15 2012
diff: 819(s) hard: 1200(s) soft: 896(s)
last: May 16 06:12:04 2012 hard: 0(s) soft: 0(s)
current: 21168(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 252 hard: 0 soft: 0
sadb_seq=1 pid=11397 refcnt=0
10.5.0.2 10.5.0.1
esp mode=tunnel spi=3456023313(0xcdfebb11) reqid=1(0x00000001)
E: aes-cbc d5bcb28b 0378d65a 97ac2757 1afa6ff8
A: hmac-sha1 1eeb8605 db1f4cc9 c3a4dc22 1a3306d2 b9928a9c
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: May 16 06:02:36 2012 current: May 16 06:16:15 2012
diff: 819(s) hard: 1200(s) soft: 1014(s)
last: May 16 06:12:04 2012 hard: 0(s) soft: 0(s)
current: 2100(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 25 hard: 0 soft: 0
sadb_seq=0 pid=11397 refcnt=0
# ip -s xfrm policy
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
dir fwd action allow index 1530 priority 1859 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-05-16 06:16:40 use -
mark 1/0xffffffff
tmpl src 10.5.0.2 dst 10.5.0.1
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
dir in action allow index 1520 priority 1859 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-05-16 06:16:40 use -
mark 1/0xffffffff
tmpl src 10.5.0.2 dst 10.5.0.1
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
dir out action allow index 1513 priority 1859 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-05-16 06:16:40 use 2012-05-16 06:24:57
mark 1/0xffffffff
tmpl src 10.5.0.1 dst 10.5.0.2
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
# ip -s xfrm state
src 10.5.0.1 dst 10.5.0.2
proto esp spi 0xc4b51d18(3300203800) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
mark 1/0xffffffff
auth-trunc hmac(sha1) 0x597784c0a0905a2346a797daaa79145e17b1a2ca (160 bits) 96
enc cbc(aes) 0xd44a6ec5f13010267a2d145f9564b75e (128 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 884(sec), hard 1200(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
49476(bytes), 589(packets)
add 2012-05-16 06:16:40 use 2012-05-16 06:16:41
stats:
replay-window 0 replay 0 failed 0
src 10.5.0.2 dst 10.5.0.1
proto esp spi 0xc2f9a112(3271139602) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
mark 1/0xffffffff
auth-trunc hmac(sha1) 0x98af746b619e7d723696b2f67fc46a127fde097a (160 bits) 96
enc cbc(aes) 0xef5b3d9a4a0cb8c9cc9787dbba0c7c9c (128 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 907(sec), hard 1200(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-05-16 06:16:40 use -
stats:
replay-window 0 replay 0 failed 0
* Re: AW: How to mark packet by reqid?
From: Jan Engelhardt @ 2012-05-16 6:51 UTC
To: Steffen Heil (Mailinglisten); +Cc: netfilter
On Wednesday 2012-05-16 08:34, Steffen Heil (Mailinglisten) wrote:
>
>> xt_esp generates debug output if you have "printk" sysctl set to show it.
>
>How would I do so? I never used sysctl for anything but enabling ip
>forwarding....
sysctl -w kernel.printk="7 7 7 7"
is probably one way.
>Second: Below is the current output of `ip -s xfrm policy`, `ip -s xfrm state` and `setkey -D`.
>I noticed,
>- `ip -s xfrm policy` contains "proto esp spi 0x00000000(0)".
>- `setkey -D` contains "spi=3243547107(0xc15499e3)".
>- `ip -s xfrm state` contains "esp spi 0xc4b51d18(3300203800)".
>
>Is this to be expected?
It is not unusual to see `ip -s x p` showing spi 0.
About setkey I don't know, since openswan and I don't use that.
Better trust `ip x s`.
Also note that there may be a handful of SPIs live between peers,
not just a single one.
>Third, I tried you command:
>
># iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK --set-mark 1
>iptables v1.4.12: Gives: unknown option "--spi"
--espspi per manpage.
># iptables -t mangle -A PREROUTING -p esp -m espspi --spi 0xcdfebb11 -j MARK --set-mark 1
>iptables v1.4.12: policy match: neither --dir in nor --dir out specified
Your command does not match your output.
># iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir out -j MARK --set-mark 1
>iptables: Invalid argument. Run `dmesg' for more information.
See dmesg. (Well, it told you that.)
># iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir in -j MARK --set-mark 1
>
>That worked, however I still don't get the packets through.
Why don't you try --espspi 0xc4b51d18 for a change, since that is
(one value) from those obtained from ip x s.
* AW: AW: How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-17 20:15 UTC
To: Jan Engelhardt; +Cc: netfilter
Hi again,
Lots of experiments later, but still no luck....
> >> xt_esp generates debug output if you have "printk" sysctl set to show it.
> >How would I do so? I never used sysctl for anything but enabling ip
> >forwarding....
> sysctl -w kernel.printk="7 7 7 7"
I did. And I tried
# echo "7 7 7 7" > /proc/sys/kernel/printk
Nothing appears on `dmesg`.
Also I noticed that xt_esp was not loaded automatically. I had to load it
using `insmod`. Still no output.
But note, that I could not use -m esp --espspi either, see below.
> ># iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK --set-mark 1
> >iptables v1.4.12: Gives: unknown option "--spi"
> --espspi per manpage.
-m esp --espspi XXXXX
Or
-m policy --spi XXXXX --dir in
The latter does not match, but I cannot even get the former one to be accepted:
# iptables -t mangle -D PREROUTING -p esp -m esp --espspi 0xcde0e1ca -j MARK --set-mark 1
iptables: No chain/target/match by that name.
# iptables -t mangle -D PREROUTING -p esp --espspi 0xcde0e1ca -j MARK --set-mark 1
iptables: No chain/target/match by that name.
# iptables -t mangle -D PREROUTING -m esp --espspi 0xcde0e1ca -j MARK --set-mark 1
iptables: No chain/target/match by that name.
Is there a way to find out what's wrong here?
> Why don't you try --espspi 0xc4b51d18 for a change, since that is (one value) from those obtained from ip x s.
--espspi does not work at all - iptables complains, see above.
Also, I tried -m policy --spi XXXX --dir in for all spi codes I could find anywhere - it never matched.
BTW: If matching the SPI is a problem, I would prefer matching reqid anyway.
But for now it would suffice to match any of those.
I am really stuck here. Any hints are still welcome.
Also I would be glad, if I could chat with someone using msn messenger or
mirc or anything. I could also provide ssh root access to these machines...
Regards,
Steffen
* RE: AW: How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-17 20:39 UTC
To: Steffen Heil (Mailinglisten), Jan Engelhardt; +Cc: netfilter
BTW, if that helps, here is some information about my systems.
(Ubuntu 12.04 LTS Precise Pangolin, currently virtual, 64bit, fully
updated.)
root@vpn-a:~# iptables --version
iptables v1.4.12
root@vpn-a:~# uname -a
Linux vpn-a 3.2.0-24-virtual #37-Ubuntu SMP Wed Apr 25 10:17:19 UTC 2012
x86_64 x86_64 x86_64 GNU/Linux
root@vpn-a:~# lsmod
Module Size Used by
xt_policy 12670 1
xt_esp 12529 0
iptable_mangle 12734 1
xt_mark 12563 2
ip_tables 27473 1 iptable_mangle
x_tables 29846 5 xt_policy,xt_esp,iptable_mangle,xt_mark,ip_tables
authenc 17582 2
xfrm6_mode_tunnel 12639 2
xfrm4_mode_tunnel 12639 4
xfrm_user 31825 2
xfrm4_tunnel 12779 0
tunnel4 13213 1 xfrm4_tunnel
ipcomp 12673 0
xfrm_ipcomp 13556 1 ipcomp
esp4 17061 2
ah4 12885 0
deflate 12617 0
zlib_deflate 27139 1 deflate
ctr 13201 0
twofish_generic 16635 0
twofish_x86_64_3way 25287 0
twofish_x86_64 12867 1 twofish_x86_64_3way
twofish_common 20919 3 twofish_generic,twofish_x86_64_3way,twofish_x86_64
camellia 29348 0
serpent 29125 0
blowfish_generic 12530 0
blowfish_x86_64 21466 0
blowfish_common 16699 2 blowfish_generic,blowfish_x86_64
cast5 25112 0
des_generic 21415 0
xcbc 12815 0
rmd160 16744 0
sha512_generic 12796 0
crypto_null 12918 0
af_key 36389 0
xfs 836508 1
* RE: AW: How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-18 9:35 UTC
To: Jan Engelhardt; +Cc: netfilter
Another fact:
I added a logging rule and I got logged:
May 18 09:27:00 vpn-a kernel: [49503.963182] mangle_PREROUTING: IN=eth0 OUT= MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00 SRC=10.5.0.2 DST=10.5.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=56019 PROTO=ESP SPI=0xc89f8130
My mangle / POSTROUTING rules:
-s 10.1.1.0/24 -d 10.2.1.0/24 -j MARK --set-xmark 0x1/0xffffffff
-p esp -m policy --dir in --pol ipsec --spi 0xc89f8130 -j MARK --set-xmark 0x1/0xffffffff
-p esp -m policy --dir in --pol ipsec --reqid 1 -j MARK --set-xmark 0x1/0xffffffff
-j LOG --log-prefix "mangle_PREROUTING: "
Yet the packet did not get marked...
I start to believe this is a bug.
Regards,
Steffen
* RE: AW: How to mark packet by reqid?
From: Steffen Heil (Mailinglisten) @ 2012-05-19 11:33 UTC
To: Jan Engelhardt; +Cc: netfilter
Hi
First of all, sorry for the previous posts. After taking some time off and giving this a fresh look, I realized I did not only make some copy-and-paste errors in these mails, but my focus on the correct matching conditions was so fixed that I totally overlooked having "-D" instead of "-A" in some of my commands. Obviously they didn't work...
My sincere apologies for that.
Now, I got the following working:
iptables -t mangle -A PREROUTING --proto esp -m esp --espspi 0xc522b7f3 -j MARK --set-mark 1
I tried to transform that to
iptables -t mangle -A PREROUTING --proto esp -m policy --spi 0xc522b7f3 -j MARK --dir in --set-mark 1
But then it does not work anymore. Is there any fundamental difference
between those conditions that I do not understand?
Note: My original target was to use reqid instead of spi, because I can fix the reqid and the firewall rules should be independent of IKE...
Regards,
Steffen
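As an added example (not code from the thread), the shell function below derives one `-m esp --espspi` MARK rule per inbound SA from `ip xfrm state` output, using the SA's reqid as the mark value so the rules can be regenerated whenever IKE rekeys a SPI. The state text is a constructed sample in the format the thread's `ip -s xfrm state` dump shows; the local endpoint address, the reqid-equals-mark convention and the function names are assumptions. Matching the outer ESP packet needs xt_esp because `-m policy --dir in` only sees the decapsulated inner packet, which is no longer `-p esp`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Derive per-SA MARK rules for inbound ESP packets from `ip xfrm state`
# output. The rules key on each SA's reqid (assumed to equal the mark the
# SA was installed with, as in the thread: reqid 1, mark 1/0xffffffff),
# so they can be regenerated after IKE rekeys and the SPI changes.

# Constructed sample in the layout `ip xfrm state` prints (values made up).
SAMPLE_XFRM_STATE='src 10.5.0.1 dst 10.5.0.2
    proto esp spi 0xc4b51d18(3300203800) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 1/0xffffffff
src 10.5.0.2 dst 10.5.0.1
    proto esp spi 0xc2f9a112(3271139602) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 1/0xffffffff
src 10.6.0.2 dst 10.5.0.1
    proto esp spi 0x0a0b0c0d(168496141) reqid 2(0x00000002) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 2/0xffffffff'

# esp_mark_rules XFRM_STATE_TEXT LOCAL_ADDR
# Prints one iptables rule per inbound ESP SA (dst == LOCAL_ADDR). The rule
# matches the outer ESP header's SPI with xt_esp in mangle/PREROUTING, i.e.
# before xfrm input looks the SA up by (dst, spi, mark), and sets the mark
# to the SA's reqid.
esp_mark_rules() {
    printf '%s\n' "$1" | awk -v local="$2" '
        # "src A dst B" opens an SA block; remember whether it is inbound.
        $1 == "src" && $3 == "dst" { inbound = ($4 == local) }
        # "proto esp spi 0x...(dec) reqid N(0x...) mode tunnel"
        inbound && $1 == "proto" && $2 == "esp" {
            spi = $4;   sub(/\(.*/, "", spi)    # 0xc2f9a112(327...) -> 0xc2f9a112
            reqid = $6; sub(/\(.*/, "", reqid)  # 1(0x00000001) -> 1
            printf "iptables -t mangle -A PREROUTING -p esp -m esp --espspi %s -j MARK --set-mark %s\n", spi, reqid
        }'
}

# esp_mark_rule_count XFRM_STATE_TEXT LOCAL_ADDR
# Number of rules generated; handy as a sanity check that every inbound SA
# (and only those) got a rule after a rekey.
esp_mark_rule_count() {
    esp_mark_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: print the rules for the sample state on host 10.5.0.1.
esp_mark_rules "$SAMPLE_XFRM_STATE" 10.5.0.1
```

In production the first argument would be the live `ip xfrm state` output, and the old rules for the same reqid should be flushed before the new ones are inserted.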
* Re: Nix-AW: AW: How to mark packet by reqid?
From: Jan Engelhardt @ 2012-05-25 9:43 UTC
To: Steffen Heil (Mailinglisten); +Cc: netfilter
On Thursday 2012-05-17 22:15, Steffen Heil (Mailinglisten) wrote:
>
>> >> xt_esp generates debug output if you have "printk" sysctl set to show it.
>> >How would I do so? I never used sysctl for anything but enabling ip
>> >forwarding....
>> sysctl -w kernel.printk="7 7 7 7"
>
>I did. And I tried
># echo "7 7 7 7" > /proc/sys/kernel/printk
>
>Nothing appears on `dmesg`.
Sigh. Then I don't know, but it ought to be enabled somehow at runtime,
this awesome dynamic printk thing. (provided it's compiled)
>Also I noticed that xt_esp was not loaded automatically. I had to load it
>using `insmod`.
Is modprobe broken on your system? It is loaded automatically
(try_then_request_module from the kernel).
>But note, that I could not use -m esp --espspi either, see below.
>
>> ># iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK --set-mark 1
>> >iptables v1.4.12: Gives: unknown option "--spi"
>> --espspi per manpage.
>
>-m esp --espspi XXXXX
>Or
>-m policy --spi XXXXX --dir in
>
>The latter does not match, but I cannot even get the former one to be accepted:
>
># iptables -t mangle -D PREROUTING -p esp -m esp --espspi 0xcde0e1ca -j MARK --set-mark 1
>iptables: No chain/target/match by that name.
So, kernel without mangle table or without xt_esp or without MARK.
Pretty easy:
modprobe -q xt_esp
ls -dl /sys/module/xt_esp
etc.