On Tue, 3 Feb 2015, Lawrence Manning wrote:
> We are currently (still) using openswan, but will shortly be migrating over to
> libreswan. I suspect this question is generic and relevant to both, so I'm
> sending it to this list.
>
> We make use of firewall marks quite extensively, more so as time has gone by,
> and now we have issues whereby KLIPS is asserting its own marks. This is
> proving to be a real problem, since marks are used for critical things like
> policy routing etc.
AFAIK, those marks only happen when you use protostack=mast.

> 1. What functionality does the usage of these marks give KLIPS?
It allows pluto and KLIPS to track SAs by reference (see the IKE output
refme and refhim), which allows overlapip=yes to distinguish multiple
overlapping IPsec SAs by using marking. This can be used to distinguish
multiple L2TP/IPsec transport mode SAs behind NAT using the same
pre-NAT IP, but also allows you to build multiple 10/8 tunnels to
different peers and still distinguish their packets and guide them into
the right tunnel.

> 2. If it is minor, is it possible to disable this functionality either at
> configure time or compile time?
AFAIK, that should already be the case? You could try compiling without
USE_MAST=yes ?
> 3. I notice that there is a kernel patch
> (0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch) which appears to
> move the usage of marks to a dedicated field in the sockbuf. Is applying this
> patch to our kernel tree, enabling the new option and rebuilding swan/klips
> enough to stop KLIPS from using firewall marks?
I doubt it. There are two patches, saref-bind and saref-send, handling
using the SArefs (refhim/refme): one for incoming connections (and their
replies) and one for outgoing connections originating on the gateway.
For an example use of the latter, see contrib/sarefnc for a version of
nc enhanced with saref handling.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
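For readers trying to reproduce the situation described in the thread, the
following ipsec.conf is an added illustration (not from the original mail or
from the libreswan project) of the setup Paul describes as the source of the
KLIPS marks: protostack=mast in the setup section, plus an L2TP/IPsec transport
mode connection that accepts several NATed clients sharing a pre-NAT address
and therefore needs overlapip=yes. The peer address, the use of a pre-shared
key and the connection name are assumptions for the example.

```ini
# Added example configuration, not from the thread or the libreswan tree.
# Assumed: a single L2TP/IPsec gateway with a default route; PSK authentication.
config setup
    # The MAST protostack is the one that asserts SAref-based packet marks
    # (refme/refhim), as stated in the thread.
    protostack=mast

conn l2tp-psk-nat
    type=transport
    # Local side: this gateway, L2TP on UDP/1701.
    left=%defaultroute
    leftprotoport=17/1701
    # Remote side: any client, possibly behind NAT.
    right=%any
    rightprotoport=17/%any
    # Accept clients whose pre-NAT address is private and may collide.
    rightsubnet=vhost:%priv,%no
    authby=secret
    pfs=no
    # Allow multiple transport mode SAs from the same pre-NAT IP; this is
    # the feature that relies on SAref marking under KLIPS/MAST.
    overlapip=yes
    auto=add
```

If your own firewall marks are being clobbered, the first thing to check is
whether protostack=mast is in effect; per the reply above, the marks are a
MAST feature and not part of plain KLIPS, so a tree built without USE_MAST=yes
(or configured with a different protostack) is what the thread suggests
trying.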