From: "Gerd v. Egidy" <lists@egidy.de>
To: jamal <hadi@cyberus.ca>
Cc: timo.teras@iki.fi, kaber@trash.net, herbert@gondor.apana.org.au,
	netdev@vger.kernel.org
Subject: Question about xfrm by MARK feature
Date: Wed, 23 Jun 2010 18:03:16 +0200	[thread overview]
Message-ID: <201006231803.17261.lists@egidy.de> (raw)

Hi Jamal,

while looking through the 2.6.34 changelog I found the xfrm by MARK feature 
you developed in February. I'm currently working on NAT for IPsec connections 
and thought your feature might help me.

For example I have 2 different remote networks with the same IP network each 
and both of them have a tunnel to the same local network. I map their IPs to 
something different so I can distinguish them in the local network. But after 
the NAT the xfrm code sees two tunnels with exactly the same values. So this 
can't work.

But if I understood your feature correctly, I can now mark the packets (e.g. 
in iptables with ... -j MARK --set-mark 1) and have xfrm select the correct 
IPsec tunnel via the mark. Correct?

But does your feature also set the mark on packets decrypted by xfrm? I need 
some way to find out from which tunnel the packet came to correctly treat it. 

Do you know if any of the IPsec solutions for Linux (e.g. strongswan, 
openswan, racoon) already have support for this feature or are developing on 
it?

Kind regards,

Gerd

-- 
Address (better: trap) for people I really don't want to get mail from:
jonas@cactusamerica.com
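The following script is an added illustration of the outbound half of the setup the message describes; it is not part of the original mail and is not code from the xfrm by MARK patch or from any IPsec daemon. All addresses, prefixes, mark values and gateway names are constructed. It assumes the 2.6.34 iproute2 `mark` option on `ip xfrm policy`, a 1:1 NETMAP as the way the two overlapping remote prefixes are mapped to distinct local-visible prefixes, and that for forwarded packets the mangle PREROUTING hook runs before the nat table and before the kernel's xfrm policy lookup, so a mark set there is seen by both (verify that ordering on your kernel). The point it makes concrete is the one the mail raises: without the mark, the two outbound policies have identical selectors and only the first could ever match, so traffic for one site would be sent into the other site's tunnel. Marking decrypted inbound packets is not shown.

```shell
#!/bin/sh
# Added example (not from the original message). Every address, prefix,
# mark value and gateway below is constructed for illustration.
#
# Scenario: site A and site B both use 192.168.1.0/24. The local LAN
# 172.16.0.0/24 reaches site A as 10.1.0.0/24 and site B as 10.2.0.0/24
# via 1:1 NAT on this gateway (NETMAP is an assumption about how the
# mapping is done). Without marks, both outbound xfrm policies would carry
# the selector 172.16.0.0/24 -> 192.168.1.0/24 and only the first one
# would ever match.

LOCAL_NET=172.16.0.0/24
REMOTE_REAL=192.168.1.0/24      # address space both remote sites use
SITE_A_MAPPED=10.1.0.0/24       # how the local LAN addresses site A
SITE_B_MAPPED=10.2.0.0/24       # how the local LAN addresses site B
GW_LOCAL=203.0.113.1            # this gateway's public address (constructed)
GW_A=198.51.100.10              # site A's gateway (constructed)
GW_B=198.51.100.20              # site B's gateway (constructed)
MARK_A=1
MARK_B=2

# Print each command unless APPLY=1 (applying needs root and a kernel
# with xfrm mark support, i.e. 2.6.34 or later).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Mark forwarded packets in mangle PREROUTING, i.e. before the nat table
# rewrites the destination and (assumed hook order) before the xfrm policy
# lookup for the forwarded packet. The mark is chosen by the still
# unmapped destination prefix, which is the only thing that tells the two
# sites apart once the destination has been rewritten.
mark_rules() {
    run iptables -t mangle -A PREROUTING -s "$LOCAL_NET" -d "$SITE_A_MAPPED" \
        -j MARK --set-mark "$MARK_A"
    run iptables -t mangle -A PREROUTING -s "$LOCAL_NET" -d "$SITE_B_MAPPED" \
        -j MARK --set-mark "$MARK_B"
}

# 1:1 NAT of the mapped prefix onto the real, overlapping prefix.
nat_rules() {
    run iptables -t nat -A PREROUTING -d "$SITE_A_MAPPED" -j NETMAP --to "$REMOTE_REAL"
    run iptables -t nat -A PREROUTING -d "$SITE_B_MAPPED" -j NETMAP --to "$REMOTE_REAL"
}

# Two outbound policies with identical selectors, distinguished only by
# the mark; each steers its traffic to the matching site's gateway.
xfrm_policies() {
    run ip xfrm policy add src "$LOCAL_NET" dst "$REMOTE_REAL" dir out mark "$MARK_A" \
        tmpl src "$GW_LOCAL" dst "$GW_A" proto esp mode tunnel
    run ip xfrm policy add src "$LOCAL_NET" dst "$REMOTE_REAL" dir out mark "$MARK_B" \
        tmpl src "$GW_LOCAL" dst "$GW_B" proto esp mode tunnel
}

setup() { mark_rules; nat_rules; xfrm_policies; }

setup
```

Run as-is to see the commands; run with `APPLY=1` as root to install them. The matching `ip xfrm state` entries (and the inbound policies) would need the same marks, which is the part of the configuration an IKE daemon would normally own.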


Thread overview: 7+ messages
2010-06-23 16:03 Gerd v. Egidy [this message]
2010-06-23 16:15 ` Question about xfrm by MARK feature Patrick McHardy
2010-06-23 22:13   ` Gerd v. Egidy
2010-06-23 22:16     ` Herbert Xu
2010-06-24 12:04 ` jamal
2010-06-25  7:35   ` Gerd v. Egidy
2010-06-25 12:43     ` jamal
