Message-Id: <201006240013.58261.lists@egidy.de>
Date: Thu, 24 Jun 2010 00:13:57 +0200
From: "Gerd v. Egidy" <lists@...dy.de>
To: Patrick McHardy <kaber@...sh.net>
Cc: jamal <hadi@...erus.ca>, timo.teras@....fi,
herbert@...dor.apana.org.au, netdev@...r.kernel.org
Subject: Re: Question about xfrm by MARK feature
> > But does your feature also set the mark on packets decrypted by xfrm? I
> > need some way to find out from which tunnel the packet came to correctly
> > treat it.
>
> You should be able to use the policy match to distinguish the tunnels,
> f.i. by matching on the tunnel endpoints.
That would work for endpoints with fixed IPs. But as soon as the endpoint has a
dynamic IP, I'd have to change the iptables depending on the VPNs currently
connected. This is something I want to avoid in any case.
Reason is that I'd have to introduce some kind of locking around the calls to
iptables. Otherwise two connections established or disconnected nearly
simultaneously could result in loss of the rules for one of them.
Kind regards,
Gerd
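The two pieces this exchange talks about, the policy match that tags packets by the tunnel they were decrypted from and the serialization Gerd says he would need around iptables calls when endpoints change, as an added shell example that is not part of the thread or of the netfilter project. The chain name `XFRM_MARK`, the mark values, the lock path, the peer addresses and the idea that this runs from the IKE daemon's up/down hook are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Marks packets decrypted from a given
# IPsec peer using the xt_policy match, and serializes rule updates so that two
# tunnel up/down events arriving at nearly the same time cannot interleave their
# delete/insert sequences and silently drop one peer's rule.
# Assumptions: a chain XFRM_MARK in the mangle table referenced from PREROUTING,
# a lock directory path, and that this script is invoked by the IKE daemon's hook.

IPTABLES="${IPTABLES:-iptables}"          # overridable for dry runs
CHAIN="${CHAIN:-XFRM_MARK}"               # assumed chain in the mangle table
LOCK_DIR="${LOCK_DIR:-/run/xfrm-mark.lock}"

# Build the rule body: match packets that arrived inside a tunnel-mode SA whose
# outer source address is <peer>, and set the given firewall mark on them.
tunnel_mark_rule() {
    peer="$1"; mark="$2"
    printf '%s' "-m policy --dir in --pol ipsec --mode tunnel --tun-src $peer -j MARK --set-mark $mark"
}

# mkdir is atomic on POSIX filesystems, so it serves as a portable mutex.
# Retry a few times rather than failing immediately on contention.
lock_acquire() {
    tries=0
    until mkdir "$LOCK_DIR" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -ge 10 ] && return 1
        sleep 1
    done
    return 0
}

lock_release() {
    rmdir "$LOCK_DIR"
}

# Handle one tunnel event ("up" or "down") for a peer address and mark.
# Under the lock: remove every stale copy of this peer's rule, then on "up"
# append a fresh one. Returns non-zero if the lock could not be taken or the
# append failed.
tunnel_event() {
    action="$1"; peer="$2"; mark="$3"
    lock_acquire || return 1
    rule=$(tunnel_mark_rule "$peer" "$mark")
    # shellcheck disable=SC2086  # word-splitting the rule string is intended
    while $IPTABLES -t mangle -D "$CHAIN" $rule 2>/dev/null; do :; done
    rc=0
    if [ "$action" = up ]; then
        # shellcheck disable=SC2086
        $IPTABLES -t mangle -A "$CHAIN" $rule || rc=$?
    fi
    lock_release
    return $rc
}

# Usage from a hook: tunnel_event up 198.51.100.7 0x10   (addresses are constructed)
```

The delete loop before the append makes each event idempotent, so a repeated "up" for the same peer leaves exactly one rule. The `mkdir` lock is used here for portability; on a system with util-linux, `flock` on a file descriptor is the better choice because the kernel releases it automatically if the hook dies while holding it, whereas a stale lock directory has to be cleaned up by hand.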