conditional routing based on tos/fwmark not working with ipsec

Linux Advanced Routing and Traffic Control

Hello all,

I am working with kernel 2.2.20 with the necessary options configured into 
the kernel to support all of the wonderfully fancy routing features:

  - routing based on ToS
  - routing based on fwmark
  - multiple routing tables

This same kernel is in use elsewhere, and is routing based on fwmark with 
success.  This leads me to believe that my kernel is OK and that I have 
another problem.

 problem description
 - - - - - - - - - -
I have marked packets using ipchains, created another routing table, 
and populated that routing table with a single route.

# ipchains -I output 1 -p tcp -s $OUTIF $PORT -d $CLIENT -m 8 -j ACCEPT
# ip rule add from $OUTIF fwmark 8 lookup 8
# ip route add $CLIENT via $GW dev eth0 table 8
# ip route flush cache

When I inspect the counters on the chains, I notice that the chain I 
insert is actually in use (the counter does increment).  The problem is 
that the packet is still routed out the ipsec0 interface.

Operating on the false assumption that I was misunderstanding something, I 
tried a similar technique with ToS.  This failed as well.

# ipchains -I output 1 -p tcp -s $OUTIF $PORT -d $CLIENT -t 0x01 0x04 -j ACCEPT
# ip route add from $OUTIF tos 0x04 dev eth0
# ip route flush cache

In each case, I am able to see the packets leaving the ipsec0 interface.  
In the former case, I see the counters on the chain incrementing.  In the 
latter case, I see the tos bits set in the packet outbound on ipsec0.

 summary of questions
 - - - - - - - - - -
1.  Does anybody have any idea why packets which have been marked (fwmark) 
    would not be routed according to the RPDB?

2.  Am I marking packets on the wrong chain?
2.a Don't locally generated packets only traverse the output chain?

3.  Any suggestions for how to separate the IPSec packets from "plaintext"
    packets and route them according to these rules:

    - IPSec packet bound for internal network; via ipsec0
    - any other IP packet (ping, tcp, udp); via eth0

-Martin

 relevant kernel options settings
 - - - - - - - - - - - - - - - -
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_DIVERT=y
CONFIG_DIV_PT=y


-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
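Added example, not part of Martin's post: a small Python check that parses the output of `ip rule show` and `ip route show table 8` (constructed samples below, mirroring the fwmark 8 / table 8 setup above) to confirm that a fwmark rule actually selects the table and that the table carries the client route out of eth0. The addresses and the exact iproute2 output format are assumptions.

```python
"""Check fwmark policy routing: rule selects table N, table routes dst via dev."""
import re

# Constructed sample of `ip rule show` output, mirroring the post (fwmark 8 -> table 8).
RULES = """\
0:      from all lookup local
32765:  from 10.1.1.1 fwmark 0x8 lookup 8
32766:  from all lookup main
32767:  from all lookup default
"""
# Constructed sample of `ip route show table 8` ($CLIENT via $GW dev eth0).
TABLE_8 = "10.2.2.2 via 10.1.1.254 dev eth0\n"

RULE_RE = re.compile(r"^\d+:\s+from\s+(\S+)(?:\s+fwmark\s+(0x[0-9a-fA-F]+|\d+))?.*?\blookup\s+(\S+)")
ROUTE_RE = re.compile(r"^(\S+)(?:\s+via\s+(\S+))?\s+dev\s+(\S+)")

def rules_for_mark(rule_text, mark):
    """Tables selected by rules whose fwmark equals `mark` (an int)."""
    tables = []
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) is not None and int(m.group(2), 0) == mark:
            tables.append(m.group(3))
    return tables

def route_for(table_text, dst):
    """(gateway, dev) of the route for exact destination dst, or None."""
    for line in table_text.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group(1) == dst:
            return m.group(2), m.group(3)
    return None

def check_policy(rule_text, tables, mark, dst, want_dev):
    """'ok' if a fwmark rule exists and its table routes dst out of want_dev."""
    selected = rules_for_mark(rule_text, mark)
    if not selected:
        return "no rule for fwmark %d" % mark
    for tbl in selected:
        r = route_for(tables.get(tbl, ""), dst)
        if r and r[1] == want_dev:
            return "ok"
    return "rule found but no route for %s via %s" % (dst, want_dev)

if __name__ == "__main__":
    print(check_policy(RULES, {"8": TABLE_8}, 8, "10.2.2.2", "eth0"))
```

A passing check only shows the RPDB and the table are consistent; it says nothing about whether the mark is applied before the routing decision for a locally generated packet, which is the symptom described in the post.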
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/