From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: [LARTC] conditional routing based on tos/fwmark not working with ipsec
Date: Thu, 15 Aug 2002 21:18:28 +0000
Message-ID: <marc-lartc-102944638224313@msgid-missing>

Hello all,

I am working with kernel 2.2.20 with the necessary options configured into 
the kernel to support all of the wonderfully fancy routing features:

  - routing based on ToS
  - routing based on fwmark
  - multiple routing tables

This same kernel is in use elsewhere, and is routing based on fwmark with 
success.  This leads me to believe that my kernel is OK and that I have 
another problem.

 problem description
 - - - - - - - - - -
I have marked packets using ipchains, created another routing table, 
and populated that routing table with a single route.

# ipchains -I output 1 -p tcp -s $OUTIF $PORT -d $CLIENT -m 8 -j ACCEPT
# ip rule add from $OUTIF fwmark 8 lookup 8
# ip route add $CLIENT via $GW dev eth0 table 8
# ip route flush cache

When I inspect the counters on the chains, I notice that the chain I 
insert is actually in use (the counter does increment).  The problem is 
that the packet is still routed out the ipsec0 interface.

Operating on the false assumption that I was misunderstanding something, I 
tried a similar technique with ToS.  This failed as well.

# ipchains -I output 1 -p tcp -s $OUTIF $PORT -d $CLIENT -t 0x01 0x04 -j ACCEPT
# ip route add from $OUTIF tos 0x04 dev eth0
# ip route flush cache

In each case, I am able to see the packets leaving the ipsec0 interface.  
In the former case, I see the counters on the chain incrementing.  In the 
latter case, I see the tos bits set in the packet outbound on ipsec0.

 summary of questions
 - - - - - - - - - -
1.  Does anybody have any idea why packets which have been marked (fwmark) 
    would not be routed according to the RPDB?

2.  Am I marking packets on the wrong chain?
2.a Don't locally generated packets only traverse the output chain?

3.  Any suggestions for how to separate the IPSec packets from "plaintext"
    packets and route them according to these rules:

    - IPSec packet bound for internal network; via ipsec0
    - any other IP packet (ping, tcp, udp); via eth0

-Martin

 relevant kernel options settings
 - - - - - - - - - - - - - - - -
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_DIVERT=y
CONFIG_DIV_PT=y


-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
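The following is an added example and not code from the post or from the LARTC project. It is a small Python model of the RPDB lookup the message relies on (rules walked in priority order, each carrying optional "from", "fwmark" and "tos" selectors; a matching rule's table searched by longest prefix, falling through when that table has no route) together with a stand-in for the ipchains output chain. The rule, route and chain entries mirror the commands in the message (fwmark 8 lookup 8; $CLIENT via $GW dev eth0 in table 8; a tos 0x04 route to eth0; everything else via ipsec0), but OUTIF, CLIENT, GW and the chain format are constructed for illustration. The two pipeline functions encode an assumption, not a fact taken from the page: that for a locally generated packet the route decision may already be made before the output chain sets the mark or ToS bits, which is one way to reproduce exactly the symptom described (counters increment, ToS bits are visible on ipsec0, yet the packet still leaves via ipsec0).

```python
"""Toy model of the Linux RPDB lookup for fwmark / ToS policy routing.

Added example; not code from the original post. Addresses and the chain
format below are constructed stand-ins for $OUTIF, $CLIENT and $GW.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

OUTIF = "192.0.2.10"      # constructed: address the post calls $OUTIF
CLIENT = "198.51.100.7"   # constructed: $CLIENT
GW = "192.0.2.1"          # constructed: $GW


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    fwmark: int = 0
    tos: int = 0


@dataclass(frozen=True)
class Route:
    prefix: str                 # "default" or an IPv4 prefix
    dev: str
    via: Optional[str] = None
    tos: int = 0                # 0 = any ToS; otherwise an exact key match (simplified)


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[str] = None      # "from" selector
    fwmark: Optional[int] = None   # "fwmark" selector
    tos: Optional[int] = None      # "tos" selector


def _prefix(p: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if p == "default" else p, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every selector it carries matches the packet."""
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in _prefix(rule.src):
        return False
    if rule.fwmark is not None and pkt.fwmark != rule.fwmark:
        return False
    if rule.tos is not None and pkt.tos != rule.tos:
        return False
    return True


def lookup_table(routes: list, pkt: Packet) -> Optional[Route]:
    """Longest-prefix match; on equal length a ToS-keyed route beats a ToS-agnostic one."""
    dst = ipaddress.ip_address(pkt.dst)
    best, best_len = None, -1
    for r in routes:
        net = _prefix(r.prefix)
        if dst not in net or (r.tos and r.tos != pkt.tos):
            continue
        if net.prefixlen > best_len or (net.prefixlen == best_len and r.tos and not best.tos):
            best, best_len = r, net.prefixlen
    return best


def rpdb_lookup(rules: list, tables: dict, pkt: Packet) -> Optional[str]:
    """Walk rules by priority; first matching rule whose table yields a route decides the device.
    A matching rule with no usable route falls through to the next rule, as the RPDB does."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            route = lookup_table(tables.get(rule.table, []), pkt)
            if route is not None:
                return route.dev
    return None


# Rules/routes mirroring the post: "ip rule add from $OUTIF fwmark 8 lookup 8",
# table 8 = "$CLIENT via $GW dev eth0", a "tos 0x04 dev eth0" route in main, and
# a constructed default route through the tunnel interface ipsec0.
RULES = [Rule(0, "local"), Rule(32765, "8", src=OUTIF, fwmark=8), Rule(32766, "main")]
TABLES = {
    "local": [],
    "8": [Route(CLIENT, "eth0", via=GW)],
    "main": [Route("default", "eth0", tos=0x04), Route("default", "ipsec0")],
}

# Constructed stand-in for the ipchains output chain: (dst prefix, mark to set, tos to set).
OUTPUT_CHAIN = [(CLIENT, 8, 0x04)]


def apply_output_chain(pkt: Packet) -> Packet:
    dst = ipaddress.ip_address(pkt.dst)
    for prefix, mark, tos in OUTPUT_CHAIN:
        if dst in _prefix(prefix):
            return replace(pkt, fwmark=mark, tos=tos)   # the counter on this entry increments
    return pkt


def mark_then_route(pkt: Packet) -> Optional[str]:
    """Chain runs before the route lookup: the fwmark / tos rules can take effect."""
    return rpdb_lookup(RULES, TABLES, apply_output_chain(pkt))


def route_then_mark(pkt: Packet) -> Optional[str]:
    """Assumed ordering: route decided first, chain applied afterwards. Counters still
    increment and the ToS bits still appear on the wire, but the lookup never saw them."""
    dev = rpdb_lookup(RULES, TABLES, pkt)
    apply_output_chain(pkt)
    return dev


if __name__ == "__main__":
    p = Packet(src=OUTIF, dst=CLIENT)
    print("mark then route ->", mark_then_route(p))   # eth0
    print("route then mark ->", route_then_mark(p))   # ipsec0
```

Running the script prints eth0 for the first ordering and ipsec0 for the second; only the ordering of mark and lookup differs, which is what separates "the chain counter increments" from "the packet leaves via the expected interface". Checking `ip rule show` and the per-table `ip route show table 8` confirms the RPDB side; whether the mark is present at lookup time is the part this model makes explicit.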