| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Jun 2010 18:03:16 +0200 From: "Gerd v. Egidy" <lists@...dy.de> To: jamal <hadi@...erus.ca> Cc: timo.teras@....fi, kaber@...sh.net, herbert@...dor.apana.org.au, netdev@...r.kernel.org Subject: Question about xfrm by MARK feature Hi Jamal, while looking through the 2.6.34 changelog I found the xfrm by MARK feature you developed in february. I'm currently working on NAT for ipsec connections and thought your feature might help me. For example I have 2 different remote networks with the same ip network each and both of them have a tunnel to the same local network. I map their IPs to something different so I can distinguish them in the local network. But after the nat the xfrm code sees two tunnels with exactly the same values. So this can't work. But if I understood your feature correctly, I can now mark the packets (e.g. in iptables with ... -j MARK --set-mark 1) and have xfrm select the correct ipsec tunnel via the mark. Correct? But does your feature also set the mark on packets decrypted by xfrm? I need some way to find out from which tunnel the packet came to correctly treat it. Do you know if any of the ipsec solutions for linux (e.g. strongswan, openswan, racoon) already have support for this feature or are developing on it? Kind regards, Gerd -- Address (better: trap) for people I really don't want to get mail from: jonas@...tusamerica.com -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists