* Fwd: Can Netfilter "mark" be used with setkey spdadd?
@ 2010-06-16 16:21 Ajay Lele
2010-06-16 18:21 ` Jan Engelhardt
From: Ajay Lele @ 2010-06-16 16:21 UTC (permalink / raw)
To: netfilter
I had posted this question to the ipsec-tools mailing list but got no reply,
so I am sending it to the Netfilter list in case someone has a clue. Thanks.
-------
Hi,
I am working on a VPN solution where packets entering a Linux box are
manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
manipulation is such that packets destined for different sites end up
getting the same src/dst IP address when they reach the Netfilter
POSTROUTING chain. However, a different "mark" is set using the
IPTables mark target, by which packets destined for different sites can
be distinguished from one another. Is there a way I can use this mark
value while creating a security policy using setkey spdadd so that
packets are sent over their respective tunnels (the tunnels are created
manually)?
Thanks in advance
Regards
Ajay
* Re: Fwd: Can Netfilter "mark" be used with setkey spdadd?
2010-06-16 16:21 Fwd: Can Netfilter "mark" be used with setkey spdadd? Ajay Lele
@ 2010-06-16 18:21 ` Jan Engelhardt
2010-06-17 1:24 ` Ajay Lele
From: Jan Engelhardt @ 2010-06-16 18:21 UTC (permalink / raw)
To: Ajay Lele; +Cc: netfilter
On Wednesday 2010-06-16 18:21, Ajay Lele wrote:
>
>I am working on a VPN solution where packets entering a Linux box are
>manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>manipulation is such that packets destined for different sites end up
>getting the same src/dst IP address when they reach the Netfilter
>POSTROUTING chain. However, a different "mark" is set using the
>IPTables mark target, by which packets destined for different sites can
>be distinguished from one another. Is there a way I can use this mark
>value while creating a security policy using setkey spdadd so that
>packets are sent over their respective tunnels (the tunnels are created
>manually)?
A packet can be marked when it enters the machine and retains the
mark as long as it exists, even across transformation.
* Re: Fwd: Can Netfilter "mark" be used with setkey spdadd?
2010-06-16 18:21 ` Jan Engelhardt
@ 2010-06-17 1:24 ` Ajay Lele
2010-06-17 7:36 ` Jan Engelhardt
From: Ajay Lele @ 2010-06-17 1:24 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter
On Wed, Jun 16, 2010 at 11:21 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Wednesday 2010-06-16 18:21, Ajay Lele wrote:
>>
>>I am working on a VPN solution where packets entering a Linux box are
>>manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>>manipulation is such that packets destined for different sites end up
>>getting the same src/dst IP address when they reach the Netfilter
>>POSTROUTING chain. However, a different "mark" is set using the
>>IPTables mark target, by which packets destined for different sites can
>>be distinguished from one another. Is there a way I can use this mark
>>value while creating a security policy using setkey spdadd so that
>>packets are sent over their respective tunnels (the tunnels are created
>>manually)?
>
> A packet can be marked when it enters the machine and retains the
> mark as long as it exists, even across transformation.
Thanks for the info, Jan. What I am specifically looking for is
whether the Netfilter "mark" value on the outgoing packet can be used to
influence which tunnel the packet is forwarded on. I know it is more a
question for the ipsec-tools folks, but I am trying my luck here as nobody
replied on their mailing list.
* Re: Fwd: Can Netfilter "mark" be used with setkey spdadd?
2010-06-17 1:24 ` Ajay Lele
@ 2010-06-17 7:36 ` Jan Engelhardt
2010-06-17 7:47 ` Patrick McHardy
From: Jan Engelhardt @ 2010-06-17 7:36 UTC (permalink / raw)
To: Ajay Lele; +Cc: netfilter
On Thursday 2010-06-17 03:24, Ajay Lele wrote:
>>>
>>>I am working on a VPN solution where packets entering a Linux box are
>>>manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>>>manipulation is such that packets destined for different sites end up
>>>getting the same src/dst IP address when they reach the Netfilter
>>>POSTROUTING chain. However, a different "mark" is set using the
>>>IPTables mark target, by which packets destined for different sites can
>>>be distinguished from one another. Is there a way I can use this mark
>>>value while creating a security policy using setkey spdadd so that
>>>packets are sent over their respective tunnels (the tunnels are created
>>>manually)?
>>
>> A packet can be marked when it enters the machine and retains the
>> mark as long as it exists, even across transformation.
>
>Thanks for the info, Jan. What I am specifically looking for is
>whether the Netfilter "mark" value on the outgoing packet can be used to
>influence which tunnel the packet is forwarded on. I know it is more a
>question for the ipsec-tools folks, but I am trying my luck here as nobody
>replied on their mailing list.
Sounds like you found a missing feature. I certainly did not find
any mention of mark or realm in `ip xfrm policy help`.
* Re: Fwd: Can Netfilter "mark" be used with setkey spdadd?
2010-06-17 7:36 ` Jan Engelhardt
@ 2010-06-17 7:47 ` Patrick McHardy
From: Patrick McHardy @ 2010-06-17 7:47 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Ajay Lele, netfilter
Jan Engelhardt wrote:
> On Thursday 2010-06-17 03:24, Ajay Lele wrote:
>
>>>> I am working on a VPN solution where packets entering a Linux box are
>>>> manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>>>> manipulation is such that packets destined for different sites end up
>>>> getting the same src/dst IP address when they reach the Netfilter
>>>> POSTROUTING chain. However, a different "mark" is set using the
>>>> IPTables mark target, by which packets destined for different sites can
>>>> be distinguished from one another. Is there a way I can use this mark
>>>> value while creating a security policy using setkey spdadd so that
>>>> packets are sent over their respective tunnels (the tunnels are created
>>>> manually)?
>>>>
>>> A packet can be marked when it enters the machine and retains the
>>> mark as long as it exists, even across transformation.
>>>
>> Thanks for the info, Jan. What I am specifically looking for is
>> whether the Netfilter "mark" value on the outgoing packet can be used to
>> influence which tunnel the packet is forwarded on. I know it is more a
>> question for the ipsec-tools folks, but I am trying my luck here as nobody
>> replied on their mailing list.
>>
>
> Sounds like you found a missing feature. I certainly did not find
> any mention of mark or realm in `ip xfrm policy help`.
It's supported since .34:
commit fb977e2ca607a7e74946a1de798f474d1b80b9d6
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date: Tue Feb 23 15:09:53 2010 -0800
xfrm: clone mark when cloning policy
When we clone the SP, we should also clone the mark.
Useful for socket based SPs.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit 295fae568885a93c39a0e29a9455054608b6cc0e
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date: Mon Feb 22 11:33:00 2010 +0000
xfrm: Allow user space manipulation of SPD mark
Add ability for netlink userspace to manipulate the SPD
and manipulate the mark, retrieve it and get events with a defined
mark, etc.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit 6f26b61e177e57a41795355f6222cf817f1212dc
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date: Mon Feb 22 11:32:59 2010 +0000
xfrm: Allow user space config of SAD mark
Add ability for netlink userspace to manipulate the SAD
and manipulate the mark, retrieve it and get events with a defined
mark.
MIGRATE may be added later.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit 34f8d8846f69f3b5bc3916ba9145e4eebae9394e
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date: Mon Feb 22 11:32:58 2010 +0000
xfrm: SP lookups with mark
Allow mark to be used when doing SP lookup
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit 8ca2e93b557f2a0b35f7769038abf600177e1122
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date: Mon Feb 22 11:32:57 2010 +0000
xfrm: SP lookups signature with mark
pass mark to all SP lookups to prepare them for when we add code
to have them search.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
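As an added example that is not part of the thread, the following script generates the iptables and `ip xfrm` commands that steer packets with identical src/dst but different Netfilter marks into different IPsec tunnels, which is what the original question asks for. It uses the `mark MARK mask MASK` keywords of `ip xfrm policy`, the iproute2 side of the kernel commits quoted in Patrick's reply; `setkey` syntax is not shown because the thread does not establish that ipsec-tools exposes the mark. All addresses, mark values and SPIs are constructed placeholders and the ESP keys are left as `<KEY>`; nothing is applied unless the output is piped to a root shell.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits (does not run) the
# commands that pin one Netfilter mark to one IPsec tunnel. Addresses,
# marks and SPIs are constructed placeholders; <KEY> must be replaced.

INNER_SRC="10.0.0.1"        # src/dst as seen at POSTROUTING after NAT (constructed)
INNER_DST="10.0.0.2"
LOCAL_GW="203.0.113.1"      # our tunnel endpoint (constructed)

# mark_cmd MARK MATCH -> one mangle rule that tags traffic for one site.
# The mark has to exist before the xfrm policy lookup, which happens when
# the packet is routed, so PREROUTING is used for forwarded traffic.
mark_cmd() {
    mark="$1"; shift
    printf 'iptables -t mangle -A PREROUTING %s -j MARK --set-mark %s\n' "$*" "$mark"
}

# policy_cmd MARK REMOTE_GW -> outbound SPD entry that matches only packets
# carrying exactly MARK (mask 0xffffffff) and tunnels them to REMOTE_GW.
# Two policies may share src/dst and differ only in the mark.
policy_cmd() {
    mark="$1"; remote="$2"
    printf 'ip xfrm policy add src %s dst %s dir out mark %s mask 0xffffffff tmpl src %s dst %s proto esp mode tunnel\n' \
        "$INNER_SRC" "$INNER_DST" "$mark" "$LOCAL_GW" "$remote"
}

# state_cmd REMOTE_GW SPI -> the SA the policy template resolves to. No mark
# is set on the SA: an SA with mark 0 / mask 0 matches any mark, so only the
# policies need to tell the sites apart.
state_cmd() {
    remote="$1"; spi="$2"
    printf 'ip xfrm state add src %s dst %s proto esp spi %s mode tunnel aead "rfc4106(gcm(aes))" <KEY> 128\n' \
        "$LOCAL_GW" "$remote" "$spi"
}

# site MARK MATCH REMOTE_GW SPI -> all three commands for one site.
site() {
    mark_cmd "$1" "$2"
    policy_cmd "$1" "$3"
    state_cmd "$3" "$4"
}

# Two sites whose packets look identical after NAT; only the mark differs.
all_sites() {
    site 1 "-s 192.168.1.0/24" 198.51.100.10 0x1001
    site 2 "-s 192.168.2.0/24" 198.51.100.20 0x1002
}

# Print the commands; review them, then pipe into a root shell to apply.
all_sites
```

After applying, `ip xfrm policy` and `ip xfrm monitor` show the mark on each SPD entry and on lookup events, which is the quickest way to confirm that a packet tagged in PREROUTING actually matched the intended policy rather than falling through to a mark-less one.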