On 10.08.20 at 22:48, Antony Antony wrote:
Hi Wolfgang, Thanks for the testcase. Unfortunately, north has no second uplink/interface to reach east. So the test can't send the traffic yet. Now we can verify rules and verify "ip x s" mark/mask. Let me see if there is another way to test to be able to send traffic with fwmark. Add another rule or something, change http to "nc" as a listener on east.
I didn't think it was necessary to test the http rule itself. So I set it to eth0 to block the ipsec xfrmi route and added the iptables and iproute command for documentation purposes.
Tuomo, do you have any ideas to fix this test case? Simulate two uplinks or fwmark? I would make the patch more generic, where you can configure output mark. Then the mark is independent of if_id; for advanced routing use cases this would be better. Could you test the attached patch? I am not sure I got mark correct, 8 LSB?
Your patch works for me.

Wolfgang
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
