* How to mark packet by reqid?
@ 2012-05-15 22:44 Steffen Heil (Mailinglisten)
  2012-05-15 23:23 ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: Steffen Heil (Mailinglisten) @ 2012-05-15 22:44 UTC (permalink / raw)
  To: netfilter


Hi

I have the following problem. I have SAs that use firewall marks. So only
packets that have that mark get encoded and decoded.
I managed to set the mark for packets that shall be encoded but I cannot get
the other side working.

I have incoming packets that need to be decrypted and I need to set the
correct mark for those.
I CAN actually set the mark using the following command:

  iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1

BUT that rule matches ALL incoming esp packets. Yet I will have multiple SAs
and I need to set different marks.
I tried to select by reqid or by spi, but as soon as I try that, the
rule does not match anything any more.

Can someone help me to get that iptables command right?

Best regards,
  Steffen



root@vpn-b:~# setkey -D
10.5.0.2 10.5.0.1
        esp mode=tunnel spi=3296784692(0xc480f134) reqid=1(0x00000001)
        E: aes-cbc  c5eb72ab 906d5717 67e405f5 cfe73f7a
        A: hmac-sha1  6935290e e51f0965 06577876 0d6237d6 45a0083d
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: May 15 22:23:06 2012   current: May 15 22:24:43 2012
        diff: 97(s)     hard: 1200(s)   soft: 907(s)
        last: May 15 22:23:19 2012      hard: 0(s)      soft: 0(s)
        current: 7140(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 85   hard: 0 soft: 0
        sadb_seq=1 pid=8282 refcnt=0
10.5.0.1 10.5.0.2
        esp mode=tunnel spi=3470192236(0xced6ee6c) reqid=1(0x00000001)
        E: aes-cbc  e6fad1a5 ff31325b b4856748 c8997ea1
        A: hmac-sha1  e401cc9d 59668c9f 866d7e86 b5a38d2c 1dcb2f2d
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: May 15 22:23:06 2012   current: May 15 22:24:43 2012
        diff: 97(s)     hard: 1200(s)   soft: 888(s)
        last: May 15 22:23:19 2012      hard: 0(s)      soft: 0(s)
        current: 7140(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 85   hard: 0 soft: 0
        sadb_seq=0 pid=8282 refcnt=0

root@vpn-b:~# ip -s xfrm policy
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
        dir fwd action allow index 1218 priority 1859 share any flag
(0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-15 22:08:11 use 2012-05-15 22:18:27
        mark 1/0xffffffff
        tmpl src 10.5.0.1 dst 10.5.0.2
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
        dir in action allow index 1208 priority 1859 share any flag
(0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-15 22:08:11 use -
        mark 1/0xffffffff
        tmpl src 10.5.0.1 dst 10.5.0.2
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
        dir out action allow index 1201 priority 1859 share any flag
(0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-15 22:08:11 use 2012-05-15 22:18:27
        mark 1/0xffffffff
        tmpl src 10.5.0.2 dst 10.5.0.1
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff



* Re: How to mark packet by reqid?
  2012-05-15 22:44 How to mark packet by reqid? Steffen Heil (Mailinglisten)
@ 2012-05-15 23:23 ` Jan Engelhardt
  2012-05-16  6:34   ` AW: " Steffen Heil (Mailinglisten)
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2012-05-15 23:23 UTC (permalink / raw)
  To: Steffen Heil (Mailinglisten); +Cc: netfilter


On Wednesday 2012-05-16 00:44, Steffen Heil (Mailinglisten) wrote:
>
>I have incoming packets that need to be decrypted and I need to set the
>correct mark for those.
>I CAN actually set the mark using the following command:
>
>  iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1
>
>BUT that rule matches ALL incoming esp packets. Yet I will have multiple SAs
>and I need to set different marks.
>I tried to use select by reqid or by spi, but as soon as I try that, the
>rule does not match anything any more.

xt_esp generates debug output if you have "printk" sysctl set to show it.

>Can someone help me to get that iptables command right?

 -t mangle -A PREROUTING -p esp --spi 0xc480f134 -j MARK --set-mark 1

>10.5.0.2 10.5.0.1
>        esp mode=tunnel spi=3296784692(0xc480f134) reqid=1(0x00000001)
>        E: aes-cbc  c5eb72ab 906d5717 67e405f5 cfe73f7a
>        A: hmac-sha1  6935290e e51f0965 06577876 0d6237d6 45a0083d
>        seq=0x00000000 replay=32 flags=0x00000000 state=mature
>        created: May 15 22:23:06 2012   current: May 15 22:24:43 2012
>        diff: 97(s)     hard: 1200(s)   soft: 907(s)
>        last: May 15 22:23:19 2012      hard: 0(s)      soft: 0(s)
>        current: 7140(bytes)    hard: 0(bytes)  soft: 0(bytes)
>        allocated: 85   hard: 0 soft: 0
>        sadb_seq=1 pid=8282 refcnt=0


* AW: How to mark packet by reqid?
  2012-05-15 23:23 ` Jan Engelhardt
@ 2012-05-16  6:34   ` Steffen Heil (Mailinglisten)
  2012-05-16  6:51     ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: Steffen Heil (Mailinglisten) @ 2012-05-16  6:34 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter


Hi


First, thanks for the answer, but I am stuck with those:


> xt_esp generates debug output if you have "printk" sysctl set to show it.

How would I do so? I never used sysctl for anything but enabling ip
forwarding....


Second: Below is the current output of `ip -s xfrm policy`, `ip -s xfrm
state` and `setkey -D`.
I noticed:
- `ip -s xfrm policy` contains "proto esp spi 0x00000000(0)".
- `setkey -D` contains "spi=3243547107(0xc15499e3)".
- `ip -s xfrm state` contains "esp spi 0xc4b51d18(3300203800)".

Is this to be expected?


Third, I tried your command:

# iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK
--set-mark 1
iptables v1.4.12: Gives: unknown option "--spi"

# iptables -t mangle -A PREROUTING -p esp -m espspi --spi 0xcdfebb11 -j MARK
--set-mark 1
iptables v1.4.12: policy match: neither --dir in nor --dir out specified

# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir
out -j MARK --set-mark 1
iptables: Invalid argument. Run `dmesg' for more information.

# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir
in -j MARK --set-mark 1

That worked, however I still don't get the packets through.

Because of the different spi information mentioned above, I also tried:

# iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir
in -j MARK --set-mark 1

Same result: Accepted but not matched.
I can still get it to work by removing the conditions, so everything else is
fine:

# iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1


I am still stuck and very thankful for every hint...


Regards,
  Steffen




# setkey -D
10.5.0.1 10.5.0.2
        esp mode=tunnel spi=3243547107(0xc15499e3) reqid=1(0x00000001)
        E: aes-cbc  49e40f42 d0df7e1e 7202ad2e c45110bd
        A: hmac-sha1  afa4eefd b81a952d 68f9cf88 3287715b 3d4ae624
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: May 16 06:02:36 2012   current: May 16 06:16:15 2012
        diff: 819(s)    hard: 1200(s)   soft: 896(s)
        last: May 16 06:12:04 2012      hard: 0(s)      soft: 0(s)
        current: 21168(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 252  hard: 0 soft: 0
        sadb_seq=1 pid=11397 refcnt=0
10.5.0.2 10.5.0.1
        esp mode=tunnel spi=3456023313(0xcdfebb11) reqid=1(0x00000001)
        E: aes-cbc  d5bcb28b 0378d65a 97ac2757 1afa6ff8
        A: hmac-sha1  1eeb8605 db1f4cc9 c3a4dc22 1a3306d2 b9928a9c
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: May 16 06:02:36 2012   current: May 16 06:16:15 2012
        diff: 819(s)    hard: 1200(s)   soft: 1014(s)
        last: May 16 06:12:04 2012      hard: 0(s)      soft: 0(s)
        current: 2100(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 25   hard: 0 soft: 0
        sadb_seq=0 pid=11397 refcnt=0


# ip -s  xfrm policy
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
        dir fwd action allow index 1530 priority 1859 share any flag
(0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-16 06:16:40 use -
        mark 1/0xffffffff
        tmpl src 10.5.0.2 dst 10.5.0.1
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
        dir in action allow index 1520 priority 1859 share any flag
(0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-16 06:16:40 use -
        mark 1/0xffffffff
        tmpl src 10.5.0.2 dst 10.5.0.1
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
        dir out action allow index 1513 priority 1859 share any flag
(0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-16 06:16:40 use 2012-05-16 06:24:57
        mark 1/0xffffffff
        tmpl src 10.5.0.1 dst 10.5.0.2
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff


# ip -s  xfrm state
src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0xc4b51d18(3300203800) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0x597784c0a0905a2346a797daaa79145e17b1a2ca
(160 bits) 96
        enc cbc(aes) 0xd44a6ec5f13010267a2d145f9564b75e (128 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 884(sec), hard 1200(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          49476(bytes), 589(packets)
          add 2012-05-16 06:16:40 use 2012-05-16 06:16:41
        stats:
          replay-window 0 replay 0 failed 0
src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0xc2f9a112(3271139602) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0x98af746b619e7d723696b2f67fc46a127fde097a
(160 bits) 96
        enc cbc(aes) 0xef5b3d9a4a0cb8c9cc9787dbba0c7c9c (128 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 907(sec), hard 1200(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-16 06:16:40 use -
        stats:
          replay-window 0 replay 0 failed 0



* Re: AW: How to mark packet by reqid?
  2012-05-16  6:34   ` AW: " Steffen Heil (Mailinglisten)
@ 2012-05-16  6:51     ` Jan Engelhardt
  2012-05-17 20:15       ` AW: " Steffen Heil (Mailinglisten)
  2012-05-19 11:33       ` Steffen Heil (Mailinglisten)
  0 siblings, 2 replies; 9+ messages in thread
From: Jan Engelhardt @ 2012-05-16  6:51 UTC (permalink / raw)
  To: Steffen Heil (Mailinglisten); +Cc: netfilter


On Wednesday 2012-05-16 08:34, Steffen Heil (Mailinglisten) wrote:
>
>> xt_esp generates debug output if you have "printk" sysctl set to show it.
>
>How would I do so? I never used sysctl for anything but enabling ip
>forwarding....

sysctl -w kernel.printk="7 7 7 7"

is probably one way.

>Second: Below is the current output of `ip -s xfrm policy`, `ip -s xfrm
>state` and `setkey -D`.
>I noticed:
>- `ip -s xfrm policy` contains "proto esp spi 0x00000000(0)".
>- `setkey -D` contains "spi=3243547107(0xc15499e3)".
>- `ip -s xfrm state` contains "esp spi 0xc4b51d18(3300203800)".
>
>Is this to be expected?

It is not unusual to see `ip -s x p` showing spi 0.
About setkey I don't know, since openswan and I don't use that.
Better trust `ip x s`.
Also note that there may be a handful of SPIs live between peers,
not just a single one.

>Third, I tried your command:
>
># iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK
>--set-mark 1
>iptables v1.4.12: Gives: unknown option "--spi"

 --espspi per manpage.

># iptables -t mangle -A PREROUTING -p esp -m espspi --spi 0xcdfebb11 -j MARK
>--set-mark 1
>iptables v1.4.12: policy match: neither --dir in nor --dir out specified

Your command does not match your output.


># iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir
>out -j MARK --set-mark 1
>iptables: Invalid argument. Run `dmesg' for more information.

See dmesg. (Well, it told you that.)


># iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir
>in -j MARK --set-mark 1
>
>That worked, however I still don't get the packets through.

Why don't you try --espspi 0xc4b51d18 for a change, since that is
(one value) from those obtained from ip x s.


* AW: AW: How to mark packet by reqid?
  2012-05-16  6:51     ` Jan Engelhardt
@ 2012-05-17 20:15       ` Steffen Heil (Mailinglisten)
  2012-05-17 20:39         ` Steffen Heil (Mailinglisten)
  2012-05-25  9:43         ` Nix-AW: " Jan Engelhardt
  2012-05-19 11:33       ` Steffen Heil (Mailinglisten)
  1 sibling, 2 replies; 9+ messages in thread
From: Steffen Heil (Mailinglisten) @ 2012-05-17 20:15 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter


Hi again,


Lots of experiments later, but still no luck....


> >> xt_esp generates debug output if you have "printk" sysctl set to show it.
> >How would I do so? I never used sysctl for anything but enabling ip
> >forwarding....
> sysctl -w kernel.printk="7 7 7 7"

I did. And I tried 
# echo "7 7 7 7" > /proc/sys/kernel/printk

Nothing appears on `dmesg`.
Also I noticed that xt_esp was not loaded automatically. I had to load it
using `insmod`. Still no output.
But note that I could not use -m esp --espspi either, see below.


> ># iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK
> >--set-mark 1 iptables v1.4.12: Gives: unknown option "--spi"
>  --espspi per manpage.

-m esp --espspi XXXXX
Or
-m policy --spi XXXXX --dir in

The latter does not match, but I cannot even get the former one to be
accepted:

# iptables -t mangle -D PREROUTING -p esp -m esp --espspi 0xcde0e1ca -j MARK
--set-mark 1
iptables: No chain/target/match by that name.

# iptables -t mangle -D PREROUTING -p esp --espspi 0xcde0e1ca -j MARK
--set-mark 1
iptables: No chain/target/match by that name.

# iptables -t mangle -D PREROUTING -m esp --espspi 0xcde0e1ca -j MARK
--set-mark 1
iptables: No chain/target/match by that name.

Is there a way to find out what's wrong here?


> Why don't you try --espspi 0xc4b51d18 for a change, since that is (one value)
> from those obtained from ip x s.

--espspi does not work at all - iptables complains, see above.
Also, I tried  -m policy --spi XXXX --dir in  for all spi codes I could find
anywhere - it never matched.


BTW: If matching the SPI is a problem, I would prefer matching reqid anyway.
But for now it would suffice to match any of those.


I am really stuck here. Any hints are still welcome.
Also I would be glad, if I could chat with someone using msn messenger or
mirc or anything. I could also provide ssh root access to these machines...


Regards,
   Steffen



* RE: AW: How to mark packet by reqid?
  2012-05-17 20:15       ` AW: " Steffen Heil (Mailinglisten)
@ 2012-05-17 20:39         ` Steffen Heil (Mailinglisten)
  2012-05-18  9:35           ` Steffen Heil (Mailinglisten)
  2012-05-25  9:43         ` Nix-AW: " Jan Engelhardt
  1 sibling, 1 reply; 9+ messages in thread
From: Steffen Heil (Mailinglisten) @ 2012-05-17 20:39 UTC (permalink / raw)
  To: Steffen Heil (Mailinglisten), Jan Engelhardt; +Cc: netfilter


BTW, if that helps, here is some information about my systems.
(Ubuntu 12.04 LTS Precise Pangolin, currently virtual, 64bit, fully
updated.)


root@vpn-a:~# iptables --version
iptables v1.4.12


root@vpn-a:~# uname -a
Linux vpn-a 3.2.0-24-virtual #37-Ubuntu SMP Wed Apr 25 10:17:19 UTC 2012
x86_64 x86_64 x86_64 GNU/Linux


root@vpn-a:~# lsmod
Module                  Size  Used by
xt_policy              12670  1
xt_esp                 12529  0
iptable_mangle         12734  1
xt_mark                12563  2
ip_tables              27473  1 iptable_mangle
x_tables               29846  5
xt_policy,xt_esp,iptable_mangle,xt_mark,ip_tables
authenc                17582  2
xfrm6_mode_tunnel      12639  2
xfrm4_mode_tunnel      12639  4
xfrm_user              31825  2
xfrm4_tunnel           12779  0
tunnel4                13213  1 xfrm4_tunnel
ipcomp                 12673  0
xfrm_ipcomp            13556  1 ipcomp
esp4                   17061  2
ah4                    12885  0
deflate                12617  0
zlib_deflate           27139  1 deflate
ctr                    13201  0
twofish_generic        16635  0
twofish_x86_64_3way    25287  0
twofish_x86_64         12867  1 twofish_x86_64_3way
twofish_common         20919  3
twofish_generic,twofish_x86_64_3way,twofish_x86_64
camellia               29348  0
serpent                29125  0
blowfish_generic       12530  0
blowfish_x86_64        21466  0
blowfish_common        16699  2 blowfish_generic,blowfish_x86_64
cast5                  25112  0
des_generic            21415  0
xcbc                   12815  0
rmd160                 16744  0
sha512_generic         12796  0
crypto_null            12918  0
af_key                 36389  0
xfs                   836508  1



* RE: AW: How to mark packet by reqid?
  2012-05-17 20:39         ` Steffen Heil (Mailinglisten)
@ 2012-05-18  9:35           ` Steffen Heil (Mailinglisten)
  0 siblings, 0 replies; 9+ messages in thread
From: Steffen Heil (Mailinglisten) @ 2012-05-18  9:35 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter


Another fact:

I added a logging rule and I got logged:

May 18 09:27:00 vpn-a kernel: [49503.963182] mangle_PREROUTING: IN=eth0 OUT=
MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00 SRC=10.5.0.2 DST=10.5.0.1
LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=56019 PROTO=ESP SPI=0xc89f8130

My mangle / POSTROUTING rules:

-s 10.1.1.0/24 -d 10.2.1.0/24 -j MARK --set-xmark 0x1/0xffffffff
-p esp -m policy --dir in --pol ipsec --spi 0xc89f8130 -j MARK --set-xmark
0x1/0xffffffff
-p esp -m policy --dir in --pol ipsec --reqid 1 -j MARK --set-xmark
0x1/0xffffffff
-j LOG --log-prefix "mangle_PREROUTING: "

Yet the packet did not get marked...
I start to believe this is a bug.

Regards,
  Steffen


* RE: AW: How to mark packet by reqid?
  2012-05-16  6:51     ` Jan Engelhardt
  2012-05-17 20:15       ` AW: " Steffen Heil (Mailinglisten)
@ 2012-05-19 11:33       ` Steffen Heil (Mailinglisten)
  1 sibling, 0 replies; 9+ messages in thread
From: Steffen Heil (Mailinglisten) @ 2012-05-19 11:33 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter


Hi

First of all, sorry for the previous posts. After taking some time off and
giving this a fresh look, I realized I not only made some copy-and-paste
errors in these mails, but my focus on the correct matching conditions was
so fixed that I totally overlooked having "-D" instead of "-A" in some of my
commands. Obviously they didn't work...

My sincere apologies for that.

Now, I got the following working:

iptables -t mangle -A PREROUTING --proto esp -m esp --espspi 0xc522b7f3 -j
MARK --set-mark 1

I tried to transform that to 

iptables -t mangle -A PREROUTING --proto esp -m policy --spi 0xc522b7f3 -j
MARK --dir in --set-mark 1

But then it does not work anymore. Is there any fundamental difference
between those conditions that I do not understand?
Note: My original target was to use reqid instead of spi, because I can fix
the reqid and the firewall rules should be independent of IKE...

Regards,
  Steffen


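A way to keep the inbound mark rules in step with the live SAs, as an added example that is not from the thread: it parses `ip xfrm state` output in the format quoted above (the sample SAs, the SPIs and the extra peers are constructed) and, for every inbound SA that carries a mark, emits the `-m esp --espspi` rule that worked for Steffen, taking the mark from the SA itself so it matches the policies' `mark 1/0xffffffff`. Since the SPI changes on every rekey, the function is meant to be re-run from the IKE daemon's updown hook rather than installed once.

```shell
# Constructed `ip -s xfrm state` excerpt in the format shown in the thread.
# Only the fields the function reads are included; the third and fourth
# peers, their SPIs and the mark 2 are made up for the example.
SAMPLE_XFRM_STATE=$(cat <<'EOF'
src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0xc4b51d18(3300203800) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 1/0xffffffff
src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0xc2f9a112(3271139602) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 1/0xffffffff
src 10.5.0.3 dst 10.5.0.1
        proto esp spi 0xdeadbe01(3735928321) reqid 2(0x00000002) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 2/0xffffffff
src 10.5.0.4 dst 10.5.0.1
        proto esp spi 0x0a0b0c0d(168496141) reqid 3(0x00000003) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
EOF
)

# Print one mangle/PREROUTING rule per inbound, mark-bound ESP SA.
#   $1: this host's tunnel endpoint address (the SA's "dst")
#   stdin: `ip xfrm state` output
# The mark has to be on the raw ESP packet before the kernel looks up the
# SA, and the SPI is the only field of that packet that identifies the SA,
# hence the -m esp --espspi match.  SAs without a "mark" line need no rule.
espmark_rules() {
    awk -v local="$1" '
    function flush() {
        if (dst == local && spi != "" && mark != "")
            printf "iptables -t mangle -A PREROUTING -p esp -m esp --espspi %s -j MARK --set-mark %s\n", spi, mark
        dst = ""; spi = ""; mark = ""
    }
    /^src / { flush(); dst = $4 }                      # a new SA record starts
    /^[ \t]*proto esp spi / { spi = $4; sub(/\(.*$/, "", spi) }   # "0xc2f9a112(3271139602)" -> "0xc2f9a112"
    /^[ \t]*mark / { mark = $2; sub(/\/.*$/, "", mark) }          # "1/0xffffffff" -> "1"
    END { flush() }
    '
}

# Dry run on the sample from the point of view of host 10.5.0.1; expected:
#   ... --espspi 0xc2f9a112 -j MARK --set-mark 1
#   ... --espspi 0xdeadbe01 -j MARK --set-mark 2
printf '%s\n' "$SAMPLE_XFRM_STATE" | espmark_rules 10.5.0.1
# On a real host, after reviewing the output:  ip xfrm state | espmark_rules 10.5.0.1 | sh
```

A `-m policy --dir in` match cannot take over this job in PREROUTING: it inspects the security path that the kernel attaches only after ESP decapsulation, so the still-encrypted ESP packet never matches it, whereas `-m esp` reads the SPI straight from the ESP header.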

* Re: Nix-AW: AW: How to mark packet by reqid?
  2012-05-17 20:15       ` AW: " Steffen Heil (Mailinglisten)
  2012-05-17 20:39         ` Steffen Heil (Mailinglisten)
@ 2012-05-25  9:43         ` Jan Engelhardt
  1 sibling, 0 replies; 9+ messages in thread
From: Jan Engelhardt @ 2012-05-25  9:43 UTC (permalink / raw)
  To: Steffen Heil (Mailinglisten); +Cc: netfilter


On Thursday 2012-05-17 22:15, Steffen Heil (Mailinglisten) wrote:
>
>> >> xt_esp generates debug output if you have "printk" sysctl set to show
>it.
>> >How would I do so? I never used sysctl for anything but enabling ip
>> >forwarding....
>> sysctl -w kernel.printk="7 7 7 7"
>
>I did. And I tried 
># echo "7 7 7 7" > /proc/sys/kernel/printk
>
>Nothing appears on `dmesg`.

Sigh. Then I don't know, but it ought to be enabled somehow at runtime,
this awesome dynamic printk thing. (provided it's compiled)


>Also I noticed that xt_esp was not loaded automatically. I had to load it
>using `insmod`.

Is modprobe broken on your system? It is loaded automatically
(try_then_request_module from the kernel).

>But note, that I could not use -m esp --espspi either, see below.
>
>> ># iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK
>> >--set-mark 1 iptables v1.4.12: Gives: unknown option "--spi"
>>  --espspi per manpage.
>
>-m esp --espspi XXXXX
>Or
>-m policy --spi XXXXX --dir in
>
>The latter does not match, but I cannot even get the former one to be
>accepted:
>
># iptables -t mangle -D PREROUTING -p esp -m esp --espspi 0xcde0e1ca -j MARK
>--set-mark 1
>iptables: No chain/target/match by that name.

So, kernel without mangle table or without xt_esp or without MARK.
Pretty easy:
	modprobe -q xt_esp
	ls -dl /sys/module/xt_esp
etc.

