* Does anybody work on supporting SPD matching Netfilter MARKS?
From: Ludo Stellingwerff @ 2005-01-19 6:44 UTC (permalink / raw)
To: ipsec tools mailing list, netfilter
Hi All,
I was wondering if someone has been working on and/or has a patch
which implements the use of Netfilter Marks for ipsec spd matching
under the linux kernel 2.6. This would be similar to the NetBSD
"tagged" option of 'setkey':
spdadd tagged "ssh" -P out esp/transport//require
But then something like:
spdadd tagged 1 -P out esp/transport//require
or spdadd mark 1 -P out esp/transport//require
Thanks in advance,
greetings,
Ludo Stellingwerff.
--
Ludo Stellingwerff
V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124
site: www.protactive.nl
demo: http://www.protactive.nl:81/netview.html
* Re: Does anybody work on supporting SPD matching Netfilter MARKS?
From: Jason Opperisano @ 2005-01-19 14:41 UTC (permalink / raw)
To: netfilter
On Wed, 2005-01-19 at 01:44, Ludo Stellingwerff wrote:
> Hi All,
>
> I was wondering if someone has been working on and/or has a patch
> which implements the use of Netfilter Marks for ipsec spd matching
> under the linux kernel 2.6. This would be similar to the NetBSD
> "tagged" option of 'setkey':
>
> spdadd tagged "ssh" -P out esp/transport//require
>
> But then something like:
>
> spdadd tagged 1 -P out esp/transport//require
> or spdadd mark 1 -P out esp/transport//require
this may not be "good enough" for what you need--but why not just MARK
the ESP packets in mangle PREROUTING, for later filtering:
iptables -t mangle -A PREROUTING -p 50 -s $VPN_PEER_1 \
-j MARK --set-mark 1
iptables -A [INPUT|FORWARD] -m mark --mark 1 [...] -j ACCEPT
also--have a look at the "policy" match in POM, as i *think* it will do
what you want.
and finally--please don't cross-post--it's poor form.
-j
--
"Let us all bask in television's warm glowing warming glow."
--The Simpsons
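An added example (mine, not from the thread or from either poster) that audits the pattern Jason describes: it parses an iptables-save dump and flags filter rules that ACCEPT on a mark nothing in mangle sets, or whose mark is set by a MARK rule that is not limited to ESP (proto 50) from a named peer. The dump is constructed for the example; negated matches ("!") and multiple ACCEPT criteria are not handled.

```python
import shlex

# Constructed sample dump (not from the thread). Mark 1 is set only for ESP
# from one peer; mark 3 is set for ESP from any host; mark 2 is never set.
SAMPLE_DUMP = """\
*mangle
-A PREROUTING -s 203.0.113.5/32 -p esp -j MARK --set-mark 1
-A PREROUTING -p 50 -j MARK --set-xmark 0x3/0xffffffff
COMMIT
*filter
-A INPUT -m mark --mark 1 -j ACCEPT
-A INPUT -m mark --mark 0x2 -j ACCEPT
-A FORWARD -m mark --mark 3 -j ACCEPT
COMMIT
"""

def mark_value(token):
    """Parse '1', '0x3' or '0x3/0xffffffff' into the integer mark value."""
    return int(token.split("/")[0], 0)

def parse_rules(dump):
    """Yield (table, argv) for every '-A' rule in an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            yield table, shlex.split(line)

def audit_marks(dump):
    """Return findings: marks that filter ACCEPTs but nothing sets, and marks
    set by a MARK rule not limited to ESP (proto 50) from a single peer."""
    setters = {}   # mark value -> list of (has -s peer, is ESP-only)
    accepted = []  # (chain, mark value) for each ACCEPT keyed on --mark
    for table, argv in parse_rules(dump):
        opts = dict(zip(argv, argv[1:]))  # option -> following token
        if table == "mangle" and opts.get("-j") == "MARK":
            raw = opts.get("--set-mark") or opts.get("--set-xmark")
            if raw:
                setters.setdefault(mark_value(raw), []).append(
                    ("-s" in opts, opts.get("-p") in ("esp", "50")))
        elif table == "filter" and "--mark" in opts and opts.get("-j") == "ACCEPT":
            accepted.append((argv[1], mark_value(opts["--mark"])))
    findings = []
    for chain, mark in accepted:
        if mark not in setters:
            findings.append(f"{chain}: accepts mark {mark} but no MARK rule sets it")
        elif not all(peer and esp for peer, esp in setters[mark]):
            findings.append(f"{chain}: mark {mark} is set without -s peer and -p esp limits")
    return findings
```

Run audit_marks() on the output of iptables-save to get the list of findings for a live ruleset.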
* Re: Does anybody work on supporting SPD matching Netfilter MARKS?
From: Ludo Stellingwerff @ 2005-01-19 18:56 UTC (permalink / raw)
To: netfilter
Thanks for your reaction, Jason,
and sorry about the cross-post, you're right, my mistake :(
The question I raised was not about the filtering side, but about the
policy match. What NetBSD is capable of is to use its packetfilter
for deciding ipsec policies, by using a "tag".
In Linux terms this would mean that by using a firewall mark you could
use the netfilter matching structure instead of the SPD internal matches.
spdadd mark 1 -P out esp/transport//require
This would read: All packets marked with firewall mark 1 should be
encrypted and sent on a transport mode ipsec connection.
Does anyone know some sort of implementation doing this?
Greetings,
Ludo.
--
Ludo Stellingwerff
V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124
site: www.protactive.nl
demo: http://www.protactive.nl:81/netview.html
* Re: Does anybody work on supporting SPD matching Netfilter MARKS?
From: Jason Opperisano @ 2005-01-19 18:58 UTC (permalink / raw)
To: netfilter
On Wed, Jan 19, 2005 at 07:56:52PM +0100, Ludo Stellingwerff wrote:
> Thanks for your reaction, Jason,
> and sorry about the cross-post, you're right, my mistake :(
>
> The question I raised was not about the filtering side, but about the
> policy match. What NetBSD is capable of is to use its packetfilter
> for deciding ipsec policies, by using a "tag".
>
> In Linux terms this would mean that by using a firewall mark you could
> use the netfilter matching structure instead of the SPD internal matches.
>
> spdadd mark 1 -P out esp/transport//require
>
> This would read: All packets marked with firewall mark 1 should be
> encrypted and sent on a transport mode ipsec connection.
>
> Does anyone know some sort of implementation doing this?
ah--i misunderstood what you were asking. i think your question is
probably better suited to the ipsec-tools list, as all you need
netfilter to do is set the mark, which it can already do.
-j
--
"It takes two to lie. One to lie and one to listen."
--The Simpsons
* Re: Does anybody work on supporting SPD matching Netfilter MARKS?
From: Lopsch @ 2005-01-19 19:12 UTC (permalink / raw)
To: netfilter
Taken from the policy match from p-o-m: "This patch adds the policy
match to netfilter.
The policy match is used to match the IPsec policy
used for handling a packet."
Perhaps what you are looking for.
--
PGP-ID 0xF8EAF138