netdev.vger.kernel.org archive mirror
* Bug? Undocumented interaction between IPv6 IPsec and iptables MARK target
@ 2008-12-19  9:26 Joerg Pommnitz
From: Joerg Pommnitz @ 2008-12-19  9:26 UTC (permalink / raw)
  To: netdev

Hello all,
the following script demonstrates a behaviour of IPv6 IPsec that I would
consider to be a bug (tested with 2.6.23 and 2.6.27-9 from Ubuntu Intrepid):

======================================================
#!/bin/bash
ip addr add dev eth0 2001:1b10:1001:ff00::0001/64
setkey -c << __EOF__
spdflush;
flush;

add 2001:1b10:1001:ff00::0001 2001:1b10:1001:ff00::0002 esp 0x00000005 -m tunnel -E rijndael-cbc 0xefe8e2e8a43e518afa8e9474ad9a4abf986807fc178bd192;
spdadd 2001:1b10:1001:ff00::0001 2001:1b10:1001:ff00::/64 any -P out ipsec esp/tunnel/2001:1b10:1001:ff00::0001-2001:1b10:1001:ff00::0002/require;
__EOF__

ip6tables -t mangle -A OUTPUT -d 2001:1b10:1001:ff00::2 -j MARK --set-mark=1

ping6 2001:1b10:1001:ff00::2
======================================================

This script adds an IPsec policy that should encrypt packets sent to 
2001:1b10:1001:ff00::2. This works fine as long as no MARK value is
assigned to the packets. When one applies a MARK value different from 0,
the policy doesn't match any more. In IPv4 the IPsec policies are 
unaffected by the MARK.

So: Is this intended on the kernel side? If yes, how can I write manual
policies that either ignore the MARK value or contain a matching value?

Thanks in advance and kind regards
  Joerg

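The report only says the policy "doesn't match any more" once a mark is set. A way to make that observable is to read the SA's packet counter before and after the ping: if it moves, the packets left through ESP; if not, they left in the clear. The script below is an added example, not part of the report. It re-expresses the report's setkey SA and policy with `ip xfrm` (same addresses, SPI and lab key), the function names (`esp_packets_from_state`, `judge`, `install_ipsec`, `probe`) are this script's own, and it assumes the "lifetime current:" section layout of `ip -s xfrm state` output. The optional `mark` selector it can put on the policy is an assumption about later kernels and iproute2 (xfrm mark support landed in 2.6.34), so it does not answer the question for the 2.6.23/2.6.27 kernels in the report; it only shows how such a policy is written once the option exists.

```shell
#!/bin/bash
# Added example (not the report's script): measure whether an outbound IPv6
# ping is pushed through the ESP SA, with and without the mangle MARK rule,
# by reading the SA's packet counter before and after.
set -u

SRC=2001:1b10:1001:ff00::1
DST=2001:1b10:1001:ff00::2
NET=2001:1b10:1001:ff00::/64
SPI=0x00000005
# The report's lab key, already public; never reuse it outside a test bed.
KEY=0xefe8e2e8a43e518afa8e9474ad9a4abf986807fc178bd192

# Extract the "N(packets)" value from the "lifetime current:" section of
# `ip -s -6 xfrm state` read on stdin. Only the first SA is considered.
esp_packets_from_state() {
    awk '
        /lifetime current:/ { want = 1; next }
        want && /\(packets\)/ {
            # line looks like "  1440(bytes), 12(packets)"
            sub(/.*\), */, ""); sub(/\(packets\).*/, "")
            print; exit
        }
    '
}

# Compare two counter readings; print the verdict, return 0 if ESP was used.
judge() {
    local before=${1:-0} after=${2:-0}
    if [ "$after" -gt "$before" ]; then echo encrypted; return 0; fi
    echo cleartext; return 1
}

# ip xfrm equivalent of the report's setkey block: one tunnel-mode ESP SA and
# one "require" policy for traffic from SRC to the /64. If a mark is given,
# the policy gets a mark selector (assumed to exist only in later kernels).
install_ipsec() {
    local mark=${1:-}
    ip -6 xfrm state flush
    ip -6 xfrm policy flush
    ip -6 xfrm state add src "$SRC" dst "$DST" proto esp spi "$SPI" \
        mode tunnel enc 'cbc(aes)' "$KEY"
    ip -6 xfrm policy add src "$SRC" dst "$NET" dir out ${mark:+mark "$mark"} \
        tmpl src "$SRC" dst "$DST" proto esp mode tunnel level required
}

# One measurement: optional MARK rule, three pings, counter delta.
# No peer is needed; the counter reflects what the kernel sent via the SA.
probe() {
    local mark=${1:-} before after
    ip6tables -t mangle -F OUTPUT
    if [ -n "$mark" ]; then
        ip6tables -t mangle -A OUTPUT -d "$DST" -j MARK --set-mark "$mark"
    fi
    before=$(ip -s -6 xfrm state | esp_packets_from_state)
    ping6 -c 3 -W 1 "$DST" >/dev/null 2>&1
    after=$(ip -s -6 xfrm state | esp_packets_from_state)
    printf 'mark=%s before=%s after=%s -> ' "${mark:-0}" "${before:-0}" "${after:-0}"
    judge "$before" "$after"
}

# Run as root on a host set up like the report: ./probe.sh run
if [ "${1:-}" = run ]; then
    ip addr add dev eth0 "$SRC"/64 2>/dev/null
    install_ipsec          # unmarked policy, as in the report
    probe                  # report: packets encrypted
    probe 1                # report: policy no longer matches on 2.6.23/2.6.27
    install_ipsec 1        # policy with a mark selector (later kernels only)
    probe 1
fi
```

One caveat on the SA itself: the report's `add ... -E rijndael-cbc` (and the `enc` line above) defines an encryption-only ESP SA with no integrity algorithm. That is fine for a reproducer, but outside a test bed an `auth` algorithm should always be added to the SA.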

* Re: Bug? Undocumented interaction between IPv6 IPsec and iptables MARK target
@ 2008-12-23 14:18 Joerg Pommnitz
From: Joerg Pommnitz @ 2008-12-23 14:18 UTC (permalink / raw)
  To: netdev

Hello,
has anybody read this and could comment?

-- 
Regards
       Joerg


