Fwd: Can Netfilter "mark" be used with setkey spdadd?

netfilter.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Fwd: Can Netfilter "mark" be used with setkey spdadd?
@ 2010-06-16 16:21 Ajay Lele
  2010-06-16 18:21 ` Jan Engelhardt
  0 siblings, 1 reply; 5+ messages in thread
From: Ajay Lele @ 2010-06-16 16:21 UTC (permalink / raw)
  To: netfilter

Had posted this question to ipsec-tools mailing lists but no reply..
so sending on Netfilter list in case someone has a clue. Thx

-------

Hi,

I am working on a VPN solution where packets entering Linux box are
manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
manipulation is such that packets destined for different sites end up
getting the same src/dst IP address when they reach the Netfilter
POSTROUTING chain. However a different "mark" is set using the
IPTables mark target by which packets destined for different sites can
be distinguished from one another. Is there a way I can use this mark
value while creating security policy using setkey spdadd so that
packets are sent over respective tunnels (tunnels are created
manually)

Thanks in advance

Regards
Ajay

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Fwd: Can Netfilter "mark" be used with setkey spdadd?
  2010-06-16 16:21 Fwd: Can Netfilter "mark" be used with setkey spdadd? Ajay Lele
@ 2010-06-16 18:21 ` Jan Engelhardt
  2010-06-17  1:24   ` Ajay Lele
  0 siblings, 1 reply; 5+ messages in thread
From: Jan Engelhardt @ 2010-06-16 18:21 UTC (permalink / raw)
  To: Ajay Lele; +Cc: netfilter

On Wednesday 2010-06-16 18:21, Ajay Lele wrote:
>
>I am working on a VPN solution where packets entering Linux box are
>manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>manipulation is such that packets destined for different sites end up
>getting the same src/dst IP address when they reach the Netfilter
>POSTROUTING chain. However a different "mark" is set using the
>IPTables mark target by which packets destined for different sites can
>be distinguished from one another. Is there a way I can use this mark
>value while creating security policy using setkey spdadd so that
>packets are sent over respective tunnels (tunnels are created
>manually)

A packet can be marked when it enters the machine and retains the 
mark as long as it exists, even across transformation.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Fwd: Can Netfilter "mark" be used with setkey spdadd?
  2010-06-16 18:21 ` Jan Engelhardt
@ 2010-06-17  1:24   ` Ajay Lele
  2010-06-17  7:36     ` Jan Engelhardt
  0 siblings, 1 reply; 5+ messages in thread
From: Ajay Lele @ 2010-06-17  1:24 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter

On Wed, Jun 16, 2010 at 11:21 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Wednesday 2010-06-16 18:21, Ajay Lele wrote:
>>
>>I am working on a VPN solution where packets entering Linux box are
>>manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>>manipulation is such that packets destined for different sites end up
>>getting the same src/dst IP address when they reach the Netfilter
>>POSTROUTING chain. However a different "mark" is set using the
>>IPTables mark target by which packets destined for different sites can
>>be distinguished from one another. Is there a way I can use this mark
>>value while creating security policy using setkey spdadd so that
>>packets are sent over respective tunnels (tunnels are created
>>manually)
>
> A packet can be marked when it enters the machine and retains the
> mark as long as it exists, even across transformation.

Thanks for the info, Jan. What I am specifically looking for is
whether Netfilter "mark" value on the outgoing packet can be used to
influence which tunnel the packet is forwarded on. I know it is more a
question for ipsec-tools folks but trying my luck here as nobody
replied on their mailing list

>
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Fwd: Can Netfilter "mark" be used with setkey spdadd?
  2010-06-17  1:24   ` Ajay Lele
@ 2010-06-17  7:36     ` Jan Engelhardt
  2010-06-17  7:47       ` Patrick McHardy
  0 siblings, 1 reply; 5+ messages in thread
From: Jan Engelhardt @ 2010-06-17  7:36 UTC (permalink / raw)
  To: Ajay Lele; +Cc: netfilter


On Thursday 2010-06-17 03:24, Ajay Lele wrote:
>>>
>>>I am working on a VPN solution where packets entering Linux box are
>>>manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>>>manipulation is such that packets destined for different sites end up
>>>getting the same src/dst IP address when they reach the Netfilter
>>>POSTROUTING chain. However a different "mark" is set using the
>>>IPTables mark target by which packets destined for different sites can
>>>be distinguished from one another. Is there a way I can use this mark
>>>value while creating security policy using setkey spdadd so that
>>>packets are sent over respective tunnels (tunnels are created
>>>manually)
>>
>> A packet can be marked when it enters the machine and retains the
>> mark as long as it exists, even across transformation.
>
>Thanks for the info, Jan. What I am specifically looking for is
>whether Netfilter "mark" value on the outgoing packet can be used to
>influence which tunnel the packet is forwarded on. I know it is more a
>question for ipsec-tools folks but trying my luck here as nobody
>replied on their mailing list

Sounds like you found a missing feature. I certainly did not find
any mention of mark or realm in `ip xfrm policy help`.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Fwd: Can Netfilter "mark" be used with setkey spdadd?
  2010-06-17  7:36     ` Jan Engelhardt
@ 2010-06-17  7:47       ` Patrick McHardy
  0 siblings, 0 replies; 5+ messages in thread
From: Patrick McHardy @ 2010-06-17  7:47 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Ajay Lele, netfilter

Jan Engelhardt wrote:
> On Thursday 2010-06-17 03:24, Ajay Lele wrote:
>   
>>>> I am working on a VPN solution where packets entering Linux box are
>>>> manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>>>> manipulation is such that packets destined for different sites end up
>>>> getting the same src/dst IP address when they reach the Netfilter
>>>> POSTROUTING chain. However a different "mark" is set using the
>>>> IPTables mark target by which packets destined for different sites can
>>>> be distinguished from one another. Is there a way I can use this mark
>>>> value while creating security policy using setkey spdadd so that
>>>> packets are sent over respective tunnels (tunnels are created
>>>> manually)
>>>>         
>>> A packet can be marked when it enters the machine and retains the
>>> mark as long as it exists, even across transformation.
>>>       
>> Thanks for the info, Jan. What I am specifically looking for is
>> whether Netfilter "mark" value on the outgoing packet can be used to
>> influence which tunnel the packet is forwarded on. I know it is more a
>> question for ipsec-tools folks but trying my luck here as nobody
>> replied on their mailing list
>>     
>
> Sounds like you found a missing feature. I certainly did not find
> any mention of mark or realm in `ip xfrm policy help`.

Its supported since .34:

commit fb977e2ca607a7e74946a1de798f474d1b80b9d6
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date:   Tue Feb 23 15:09:53 2010 -0800

    xfrm: clone mark when cloning policy
   
    When we clone the SP, we should also clone the mark.
    Useful for socket based SPs.
   
    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 295fae568885a93c39a0e29a9455054608b6cc0e
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date:   Mon Feb 22 11:33:00 2010 +0000

    xfrm: Allow user space manipulation of SPD mark
   
    Add ability for netlink userspace to manipulate the SPD
    and manipulate the mark, retrieve it and get events with a defined
    mark, etc.
   
    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 6f26b61e177e57a41795355f6222cf817f1212dc
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date:   Mon Feb 22 11:32:59 2010 +0000

    xfrm: Allow user space config of SAD mark
   
    Add ability for netlink userspace to manipulate the SAD
    and manipulate the mark, retrieve it and get events with a defined
    mark.
    MIGRATE may be added later.
   
    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 34f8d8846f69f3b5bc3916ba9145e4eebae9394e
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date:   Mon Feb 22 11:32:58 2010 +0000

    xfrm: SP lookups with mark
   
    Allow mark to be used when doing SP lookup
   
    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ca2e93b557f2a0b35f7769038abf600177e1122
Author: Jamal Hadi Salim <hadi@cyberus.ca>
Date:   Mon Feb 22 11:32:57 2010 +0000

    xfrm: SP lookups signature with mark
   
    pass mark to all SP lookups to prepare them for when we add code
    to have them search.
   
    Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
    Signed-off-by: David S. Miller <davem@davemloft.net>


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2010-06-17  7:47 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-06-16 16:21 Fwd: Can Netfilter "mark" be used with setkey spdadd? Ajay Lele
2010-06-16 18:21 ` Jan Engelhardt
2010-06-17  1:24   ` Ajay Lele
2010-06-17  7:36     ` Jan Engelhardt
2010-06-17  7:47       ` Patrick McHardy

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).