Date: Tue, 23 Dec 2008 06:18:09 -0800 (PST)
From: Joerg Pommnitz <pommnitz@...oo.com>
To: netdev@...r.kernel.org
Subject: Re: Bug? Undocumented interaction between IPv6 IPsec and iptables MARK target

Hello,
has anybody read this and could comment?

--
Regards
  Joerg

--- Joerg Pommnitz <pommnitz@...oo.com> wrote on Fri, 19.12.2008:

> From: Joerg Pommnitz <pommnitz@...oo.com>
> Subject: Bug? Undocumented interaction between IPv6 IPsec and iptables MARK target
> To: netdev@...r.kernel.org
> Date: Friday, 19 December 2008, 10:26
>
> Hello all,
> the following script demonstrates a behaviour of IPv6 IPsec that I would
> consider to be a bug (tested with 2.6.23 and 2.6.27-9 from Ubuntu Intrepid):
>
> ======================================================
> #!/bin/bash
> ip addr add dev eth0 2001:1b10:1001:ff00::0001/64
> setkey -c << __EOF__
> spdflush;
> flush;
>
> add 2001:1b10:1001:ff00::0001 2001:1b10:1001:ff00::0002 esp 0x00000005 -m tunnel -E rijndael-cbc 0xefe8e2e8a43e518afa8e9474ad9a4abf986807fc178bd192;
> spdadd 2001:1b10:1001:ff00::0001 2001:1b10:1001:ff00::/64 any -P out ipsec esp/tunnel/2001:1b10:1001:ff00::0001-2001:1b10:1001:ff00::0002/require;
> __EOF__
>
> ip6tables -t mangle -A OUTPUT -d 2001:1b10:1001:ff00::2 -j MARK --set-mark=1
>
> ping6 2001:1b10:1001:ff00::2
> ======================================================
>
> This script adds an IPsec policy that should encrypt packets sent to
> 2001:1b10:1001:ff00::2. This works fine as long as no MARK value is
> assigned to the packets. When one applies a MARK value different from 0,
> the policy doesn't match any more. In IPv4 the IPsec policies are
> unaffected by the MARK.
>
> So: Is this intended on the kernel side? If yes, how can I write manual
> policies that either ignore the MARK value or contain a matching value?
>
> Thanks in advance and kind regards
>   Joerg

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
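The security-relevant point of the report above is that an SPD entry which silently stops matching is a fail-open condition: when no outbound policy matches, xfrm applies no transformation and the packet leaves in the clear, so a successful ping6 tells you nothing about whether the traffic was protected. The check a practitioner wants is on the wire: capture outbound traffic to the protected prefix and confirm that every packet carries ESP. The following is an added example in Python, not code from the original post, from the netdev list or from the kernel. It classifies raw IPv6 packets by walking the extension-header chain (hop-by-hop, routing, destination options, fragment, AH) until it reaches the upper-layer protocol, and flags any packet to the /64 from the script above that left without ESP. The packets are constructed inline for illustration, not a real capture; the addresses, the /64 and the SPI 5 are taken from the post, everything else (the echo request contents, the opaque ESP payload, the PadN option) is made up.

```python
import ipaddress
import struct

# Endpoints and SPD prefix from the original post.
SRC = ipaddress.IPv6Address("2001:1b10:1001:ff00::1")
DST = ipaddress.IPv6Address("2001:1b10:1001:ff00::2")
PROTECTED_PREFIX = ipaddress.IPv6Network("2001:1b10:1001:ff00::/64")

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT = 0, 43, 44
IPPROTO_ESP, IPPROTO_AH, IPPROTO_ICMPV6, IPPROTO_DSTOPTS = 50, 51, 58, 60


def ipv6_packet(src, dst, next_header, payload, hop_limit=64):
    """Build a minimal IPv6 packet: 40-byte fixed header followed by payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header,
                      hop_limit, src.packed, dst.packed)
    return hdr + payload


def upper_layer_protocol(pkt):
    """Walk the extension-header chain; return (protocol, offset of that header).

    ESP is treated as terminal: everything after the ESP header is ciphertext,
    so there is nothing further to parse. Other extension headers are skipped
    using their own length fields (RFC 8200 for HBH/routing/dest-opts/fragment,
    RFC 4302 for AH).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while True:
        if nh == IPPROTO_FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            nh, off = pkt[off], off + 8          # fixed 8-byte header
        elif nh in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS):
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # len in 8-octet units, excluding first 8
        elif nh == IPPROTO_AH:
            if off + 2 > len(pkt):
                raise ValueError("truncated AH header")
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4   # len in 4-octet units, minus 2
        else:
            return nh, off


def is_esp_protected(pkt):
    return upper_layer_protocol(pkt)[0] == IPPROTO_ESP


def cleartext_leaks(packets, protected_prefix=PROTECTED_PREFIX):
    """Indexes of packets addressed into the protected prefix that left without ESP,
    i.e. packets the 'require' policy should have covered but did not match."""
    leaks = []
    for i, pkt in enumerate(packets):
        dst = ipaddress.IPv6Address(pkt[24:40])
        if dst in protected_prefix and not is_esp_protected(pkt):
            leaks.append(i)
    return leaks


# Constructed sample traffic (not a real capture).
ECHO_REQUEST = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)   # ICMPv6 echo request, checksum left 0
ESP_PAYLOAD = struct.pack("!II", 0x5, 1) + bytes(32)         # ESP: SPI 5 (from the post), seq 1, opaque data
HBH = bytes([IPPROTO_ICMPV6, 0, 1, 4, 0, 0, 0, 0])           # hop-by-hop header: next=ICMPv6, PadN(4)

SAMPLE_CAPTURE = [
    ipv6_packet(SRC, DST, IPPROTO_ESP, ESP_PAYLOAD),                 # 0: protected, as intended
    ipv6_packet(SRC, DST, IPPROTO_ICMPV6, ECHO_REQUEST),             # 1: leaked in the clear
    ipv6_packet(SRC, DST, IPPROTO_HOPOPTS, HBH + ECHO_REQUEST),      # 2: leaked behind an extension header
    ipv6_packet(SRC, ipaddress.IPv6Address("2001:db8::1"),
                IPPROTO_ICMPV6, ECHO_REQUEST),                       # 3: outside the prefix, not covered
]

if __name__ == "__main__":
    for i in cleartext_leaks(SAMPLE_CAPTURE):
        proto, _ = upper_layer_protocol(SAMPLE_CAPTURE[i])
        print(f"packet {i}: cleartext to {ipaddress.IPv6Address(SAMPLE_CAPTURE[i][24:40])}, protocol {proto}")
```

To use this against the script in the post, capture outbound traffic on eth0 while ping6 runs with and without the MARK rule and feed the raw IPv6 frames (Ethernet header stripped) to cleartext_leaks; any index returned is a packet the policy let through unencrypted. Checking the wire rather than ping6's exit status is the point: the ping succeeds in both cases, and only the capture shows whether the /require policy actually applied.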