-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Tino" == Tino Keitel <tino.keitel innominate.com> writes:
Tino> I noticed that with recent OpenS/WAN versions the nfmark value
Tino> of a decrypted packet doesn't match the nfmark value of the
Tino> encrypted packet anymore. In my tests, a value of 0x12 became
Tino> 0x70012.
Yes, the packet is marked with the "saref" of the SA, so that you can
filter it as to which SA was used to deliver the packet properly.
Tino> skb->nfmark is only written in 2 places in ipsec_rcv.c, but never
Tino> read.
Tino> What would be the side effects of removing the modifications
Tino> to nfmark in ipsec_rcv_cleanup() and ipsec_rcv_decap_cont()?
You would have a customer version of openswan which you'd have to maintain.
The newest iptables code has a "mask" option to the nfmark processing.
We posted patches for older kernels last winter, and similar ones were
added during the iptables rewrite last August, which you'll see in 2.6.19.
- --
] Bear: "Me, I'm just the shape of a bear."               | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON   |net architect[
] mcr xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBRdHfYICLcPvd0N1lAQI+Awf9HhOpL39okkj53i3pCoCnwT0KvwUKcxHD
pfyWYSeWx1sn1iN4LBfuBG/agSyfi0Y/zBfXDlWRdDUTRbAb9mdb1AtpvG2B79ZF
81MsqItufUaPDDygQwNRUelAOzDijmtM5bGqXiSxLRgcZFjH9Krgv69CRx5FN2tu
xUblV21pfxk7R5hVmVRB7qACwDAWCCBO/97hmNs5ewKkhLJg8XQwyS+ATb4cQeGn
dLFPzIy4U8DE1x0p8iIZctmIg074sbe8Oo8c035bBF/hlkiubrtI93tteihUK72U
Q3ENNyfSZbPhHBlmYBEoPxbukEL4AoOerfHztSElofdGKyA8KDTPjw==
=IJ1C
-----END PGP SIGNATURE-----
_______________________________________________
Dev mailing list
Dev openswan.org
http://lists.openswan.org/mailman/listinfo/dev
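The exchange above is about a single mechanism: on receive, Openswan writes the SAref of the delivering SA into the packet's nfmark, so a firewall rule that expects the original mark unchanged stops matching, while a rule using a value/mask match still does. The program below is an added example written for this page, not Openswan or iptables code. It models that behaviour in userspace so the effect of the mask can be checked offline. The bit layout it uses (SAref in the upper 16 bits, firewall bits in the lower 16) is an assumption, not something the thread states; it is merely consistent with 0x12 turning into 0x70012 for SAref 7. The names fake_skb, ipsec_rcv_stamp_saref, mark_match, saref_of, user_mark_of and decrypted_mark are all invented here.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not stated in the thread): SAref in the upper 16 bits of
 * the 32-bit nfmark, user/firewall bits in the lower 16. 0x12 -> 0x70012
 * for SAref 7 is consistent with this, nothing more. */
#define IPSEC_SAREF_SHIFT 16u
#define IPSEC_SAREF_MASK  0xffff0000u
#define IPSEC_USER_MASK   0x0000ffffu

/* Stand-in for the one skb field this example cares about. */
struct fake_skb {
    uint32_t nfmark;
};

/* Model of what ipsec_rcv does to the decrypted packet: overwrite the SAref
 * field with the SA that delivered it, leave the other bits untouched.
 * SArefs wider than 16 bits would be truncated by the mask. */
static void ipsec_rcv_stamp_saref(struct fake_skb *skb, uint32_t saref)
{
    skb->nfmark = (skb->nfmark & ~IPSEC_SAREF_MASK)
                | ((saref << IPSEC_SAREF_SHIFT) & IPSEC_SAREF_MASK);
}

/* Semantics of the iptables `-m mark --mark value/mask` match:
 * the rule fires when (nfmark & mask) == value. Without a mask, mask is ~0,
 * i.e. an exact comparison of the whole 32-bit mark. */
static int mark_match(const struct fake_skb *skb, uint32_t value, uint32_t mask)
{
    return (skb->nfmark & mask) == value;
}

/* The two halves of the combined mark under the assumed layout. */
static uint32_t saref_of(uint32_t nfmark)
{
    return (nfmark & IPSEC_SAREF_MASK) >> IPSEC_SAREF_SHIFT;
}

static uint32_t user_mark_of(uint32_t nfmark)
{
    return nfmark & IPSEC_USER_MASK;
}

/* Run one packet through the scenario from the thread: it enters carrying
 * user_mark and is decrypted under the SA with the given SAref. Returns the
 * nfmark the firewall sees afterwards. */
static uint32_t decrypted_mark(uint32_t user_mark, uint32_t saref)
{
    struct fake_skb skb = { .nfmark = user_mark };
    ipsec_rcv_stamp_saref(&skb, saref);
    return skb.nfmark;
}

int main(void)
{
    struct fake_skb skb = { .nfmark = 0x12 };
    ipsec_rcv_stamp_saref(&skb, 7);
    printf("after ipsec_rcv: nfmark = 0x%x (saref %u, user bits 0x%x)\n",
           skb.nfmark, saref_of(skb.nfmark), user_mark_of(skb.nfmark));

    /* A rule written before the SAref stamping: exact 0x12 no longer hits. */
    printf("-m mark --mark 0x12               -> %d\n",
           mark_match(&skb, 0x12, 0xffffffffu));
    /* Same intent, masked to the user bits: hits regardless of the SA. */
    printf("-m mark --mark 0x12/0xffff        -> %d\n",
           mark_match(&skb, 0x12, IPSEC_USER_MASK));
    /* Filtering on which SA delivered the packet, ignoring the user bits. */
    printf("-m mark --mark 0x70000/0xffff0000 -> %d\n",
           mark_match(&skb, 0x70000u, IPSEC_SAREF_MASK));

    /* A packet from a different SA keeps its user bits but misses the SA rule. */
    struct fake_skb other = { .nfmark = 0x12 };
    ipsec_rcv_stamp_saref(&other, 8);
    printf("SA 8 packet, same rule            -> %d\n",
           mark_match(&other, 0x70000u, IPSEC_SAREF_MASK));
    return 0;
}
```

The point the model makes concrete is that the user-assigned bits survive the stamping, so the fix on the firewall side is to mask the comparison down to those bits rather than to remove the SAref marking from ipsec_rcv; the SAref half can then be used on its own to split traffic by the SA that delivered it.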