Message-Id: <201010141501.59145.lists@egidy.de>
Date: Thu, 14 Oct 2010 15:01:59 +0200
From: "Gerd v. Egidy" <lists@...dy.de>
To: hadi@...erus.ca
Cc: netdev@...r.kernel.org
Subject: Re: xfrm by MARK: tcp problems when mark for in and out differ

Hi Jamal,

> > -> incoming packets are without mark, outgoing packets are marked with 5
>
> You could use tc ingress path to mark incoming packets. Example:

In my full setup I do exactly that. What I posted was a minimized setup to
just show the problem.

I have a complex set of netfilter rules and routing tables to allow several
ways of doing NAT on ipsec. The rules need different marks on packets coming
from / going to the vpn to correctly distinguish packets in the forwarding
case.

I did further testing, 2.6.36-rc7 has the problem too.

> When the SYN-ACK hits __xfrm_lookup, the value in fl->mark is 0
> (more precisely: the mark value used in the incoming packet).

This is wrong, the value in fl->mark is always 0. I must have confused some
data in my debug printks.

So it seems like the fl->mark is never initialized with the packet mark in the
first place. What would be the correct stage in the kernel network stack to do
that?

Kind regards,

Gerd
--
Address (better: trap) for people I really don't want to get mail from:
jonas@...tusamerica.com