netdev.vger.kernel.org archive mirror
From: Bill Shirley <bshirley@apinetstore2.apirx.biz>
To: netdev@vger.kernel.org
Subject: Ipsec with mark encryption decision made before mangle output chain
Date: Wed, 04 Feb 2015 14:06:30 -0500
Message-ID: <54D26DB6.6000404@apinetstore2.apirx.biz>

I'm setting up a pair of Ipsec tunnels (to the same destination) and using ip xfrm policy marks (no state marks).

The following doesn't work, the packet never gets encrypted:
ping 192.168.4.1

However, this works:
ping -m 80896 192.168.4.1

I have rules in my iptables -t mangle output to set the mark:
     0     0 RETURN     esp  --  *      * 0.0.0.0/0            0.0.0.0/0            mark match 0x13c00/0x3ff00 /* esp with a mark */
     0     0 RETURN     esp  --  *      * 0.0.0.0/0            0.0.0.0/0            mark match 0x12c00/0x3ff00 /* esp with a mark */
     4   336 CONNMARK  !esp  --  *      * 0.0.0.0/0            192.168.4.0/24       ctstate NEW /* -vpn- new outgoing */ CONNMARK xset 0x10700/0x3ff00
     4   336 MARK      !esp  --  *      * 0.0.0.0/0            0.0.0.0/0            connmark match 0x10700/0x3ff00 match-set sfn_ctel_up dst /* -vpn- mark for encryption */ MARK xset 0x13c00/0x3ff00
     4   336 MARK      !esp  --  *      * 0.0.0.0/0            0.0.0.0/0            connmark match 0x10700/0x3ff00 match-set sfn_pwrbd_up dst /* -vpn- mark for encryption */ MARK xset 0x12c00/0x3ff00
The numbers are from the ping without the mark.  As you can see, it does encrypt the packet (no esp matches).


Is it possible that the encryption mark is selected before the output chain?

Is this the right place to post for this type of problem?

Thanks,
Bill
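
The following is an added worked example and is not code from the post above or from any kernel or iptables project. It models the fwmark arithmetic behind the mangle OUTPUT rules Bill quotes (iptables `mark match V/M` is a masked compare, `xset V/M` is --set-xmark, i.e. clear the masked bits and XOR in V) and puts the two xfrm policies beside them. The policy entries, the tunnel names "ctel" and "pwrbd", the ipset contents and the packet dicts are all constructed here; the post only says there are two tunnels to the same destination with policy marks. The model does not claim to know where the kernel performs the lookup: `ping_relying_on_mangle` simply evaluates the policy with the mark as it stands before and after the chain, so the two orderings the post asks about can be compared. One detail worth seeing: 80896, the value given to `ping -m`, is exactly 0x13c00, the mark the `sfn_ctel_up` rule sets.

```python
import ipaddress

# Values transcribed from the mangle OUTPUT listing in the post.
MASK = 0x3ff00              # the /0x3ff00 mask used by every rule
CONNMARK_VPN_NEW = 0x10700  # CONNMARK xset on new flows to 192.168.4.0/24
ESP_MARK_CTEL = 0x13c00     # MARK xset for dst in ipset sfn_ctel_up (== 80896)
ESP_MARK_PWRBD = 0x12c00    # MARK xset for dst in ipset sfn_pwrbd_up
VPN_NET = ipaddress.ip_network("192.168.4.0/24")


def mark_match(mark, value, mask=MASK):
    """iptables `mark match V/M` and xfrm `mark V mask M`: masked compare."""
    return (mark & mask) == value


def set_xmark(mark, value, mask=MASK):
    """iptables `xset V/M` (--set-xmark): clear the masked bits, XOR in V.
    Bits outside the mask are preserved."""
    return (mark & ~mask) ^ value


def in_ipset(pkt, name):
    """Stand-in for `match-set NAME dst`; set contents are constructed per packet."""
    return pkt["dst"] in pkt["ipsets"].get(name, set())


def mangle_output(pkt):
    """Walk the five mangle OUTPUT rules from the post in order.

    Returns (skb_mark, connmark) as they stand when the chain is left.
    The two RETURN rules stop traversal for already-marked ESP packets so
    the encrypted packet is not re-marked."""
    mark, connmark = pkt["mark"], pkt["connmark"]
    is_esp = pkt["proto"] == "esp"
    if is_esp and mark_match(mark, ESP_MARK_CTEL):
        return mark, connmark
    if is_esp and mark_match(mark, ESP_MARK_PWRBD):
        return mark, connmark
    if (not is_esp and pkt["ctstate"] == "NEW"
            and ipaddress.ip_address(pkt["dst"]) in VPN_NET):
        connmark = set_xmark(connmark, CONNMARK_VPN_NEW)
    if not is_esp and mark_match(connmark, CONNMARK_VPN_NEW) and in_ipset(pkt, "sfn_ctel_up"):
        mark = set_xmark(mark, ESP_MARK_CTEL)
    if not is_esp and mark_match(connmark, CONNMARK_VPN_NEW) and in_ipset(pkt, "sfn_pwrbd_up"):
        mark = set_xmark(mark, ESP_MARK_PWRBD)
    return mark, connmark


# Constructed stand-in for the two `ip xfrm policy` entries (policy marks only,
# no state marks, as the post describes). The tunnel names are assumed.
XFRM_POLICIES = [
    {"dst": VPN_NET, "mark": ESP_MARK_CTEL, "mask": MASK, "tunnel": "ctel"},
    {"dst": VPN_NET, "mark": ESP_MARK_PWRBD, "mask": MASK, "tunnel": "pwrbd"},
]


def xfrm_policy_lookup(dst, mark):
    """First policy whose selector and mark/mask both match, else None (cleartext)."""
    for pol in XFRM_POLICIES:
        if ipaddress.ip_address(dst) in pol["dst"] and mark_match(mark, pol["mark"], pol["mask"]):
            return pol["tunnel"]
    return None


def ping_with_socket_mark(dst, mark):
    """`ping -m MARK`: the mark is set on the socket (SO_MARK), so it is
    already on the packet whenever the policy lookup happens."""
    return xfrm_policy_lookup(dst, mark)


def ping_relying_on_mangle(dst, ipsets):
    """Plain `ping`: skb->mark starts at 0 and is only set by mangle OUTPUT.
    Returns (lookup_before_mangle, lookup_after_mangle, final_mark) so the
    two orderings the post asks about can be compared side by side."""
    pkt = {"proto": "icmp", "dst": dst, "ctstate": "NEW",
           "mark": 0, "connmark": 0, "ipsets": ipsets}
    before = xfrm_policy_lookup(dst, pkt["mark"])
    mark, _ = mangle_output(pkt)
    after = xfrm_policy_lookup(dst, mark)
    return before, after, mark


if __name__ == "__main__":
    sets = {"sfn_ctel_up": {"192.168.4.1"}}  # constructed ipset membership
    print("ping -m 80896 ->", ping_with_socket_mark("192.168.4.1", 80896))
    print("plain ping    ->", ping_relying_on_mangle("192.168.4.1", sets))
```

Run stand-alone it shows that the chain does produce the same mark (0x13c00) that `ping -m 80896` sets, so the mark value itself is not what separates the two cases; only a lookup that sees the mark as it was before the chain returns no policy. On a real host the corresponding things to compare are the `mark`/`mask` fields of `ip xfrm policy` and the rule counters of `iptables -t mangle -vnL OUTPUT` for the marked and unmarked ping.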
