[Swan] Usage of firewall marks by KLIPS/OpenSwan/Libreswan
paul at nohats.ca
Tue Feb 3 19:42:51 EET 2015
On Tue, 3 Feb 2015, Lawrence Manning wrote:
> We are currently (still) using openswan, but will shortly be migrating over to libreswan. I suspect this question is
> generic and relevant to both, so I'm sending it to this list.
> We make use of firewall marks quite extensively, more so as time has gone by, and now we have issues whereby KLIPS is
> asserting its own marks. This is proving to be a real problem, since marks are used for critical things like policy
> routing etc.
AFAIK, those marks only happen when you use protostack=mast
> 1. What functionality does the usage of these marks give KLIPS?
It allows pluto and KLIPS to track SAs by reference (see IKE output
refme and refhim) which allows overlapip=yes to distinguish multiple
overlapping IPsec SAs by using marking. This can be used to distinguish
multiple L2TP/IPsec transport mode SAs behind NAT using the same
pre-NAT IP but also allows you to build multiple 10/8 tunnels to
different peers and still distinguish their packets and guide them into
the right tunnel.
> 2. If it is minor, is it possible to disable this functionality either at configure time or compile time?
AFAIK, that should already be the case? You could try compiling without
> 3. I notice that there is a kernel patch: (0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch) which appears to
> move the usage of marks to a dedicated field in the sockbuf. Is applying this patch to our kernel tree, enabling the new
> option and rebuilding swan/klips enough to stop KLIPS from using firewall marks?
I doubt it. There are two patches, saref-bind and saref-send, handling
using the SArefs (refhim/refme). One for incoming connections (and their
replies) and one for outgoing connections originating on the gateway.
For an example use of the latter, see contrib/sarefnc for a version of
nc enhanced with saref handling.
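The practical problem raised in this thread is that the mark bits KLIPS/mast uses to carry the SAref collide with the mark bits the gateway's policy-routing rules already rely on. Before migrating, it is worth auditing the existing `ip rule` fwmark rules against the bit range the IPsec stack claims. The script below is an added example written for this page, not code from the thread or from the Libreswan/Openswan projects: the value of `SAREF_MASK` is an assumption (set it to the mask your KLIPS build actually uses), the functions `mark_overlaps`, `check_rules` and `sample_rules` are hypothetical helpers, and the `ip rule show` lines in `sample_rules` are constructed for illustration.

```shell
#!/bin/sh
# Audit policy-routing fwmark rules for collisions with the mark bits an
# IPsec stack reserves for SArefs (added example; nothing here is taken
# from the KLIPS/mast source).

# ASSUMPTION: the low 20 bits of the mark carry the SAref. Override with
# the mask your own kernel/KLIPS build uses.
SAREF_MASK=${SAREF_MASK:-0x000fffff}

# mark_overlaps MARK [MASK]: succeed (exit 0) if the bits a rule actually
# tests on (MARK & MASK) share any bit with SAREF_MASK. A missing MASK
# means `ip rule` matched on the full 32-bit mark.
mark_overlaps() {
    mark=$1
    mask=${2:-0xffffffff}
    [ $(( mark & mask & SAREF_MASK )) -ne 0 ]
}

# check_rules: read `ip rule show` output on stdin, print every rule whose
# fwmark overlaps the SAref bits, and exit 1 if at least one did.
check_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *fwmark*) ;;
            *) continue ;;   # rules without a fwmark cannot collide
        esac
        # extract "0x10/0xff" or "0x10" following the fwmark keyword
        spec=$(printf '%s\n' "$line" | sed -n 's/.*fwmark \([^ ]*\).*/\1/p')
        mark=${spec%%/*}
        mask=${spec#*/}
        [ "$mask" = "$spec" ] && mask=0xffffffff
        if mark_overlaps "$mark" "$mask"; then
            printf 'COLLISION: %s\n' "$line"
            found=1
        fi
    done
    return $found
}

# sample_rules: constructed `ip rule show` output. Rule 100 matches on the
# low byte of the mark (inside the assumed SAref range); rule 200 keeps its
# routing marks in bits 20-23, above the SAref bits, so it is unaffected.
sample_rules() {
    cat <<'EOF'
0:      from all lookup local
100:    from all fwmark 0x10/0xff lookup 100
200:    from all fwmark 0x100000/0xf00000 lookup 200
32766:  from all lookup main
EOF
}

# Demo against the constructed sample; on a real gateway run
#   ip rule show | check_rules
sample_rules | check_rules || echo "at least one rule collides with the SAref bits"
```

The fix the check points toward is the same in either direction: either move your policy-routing marks (and the matching iptables `--set-mark`/`--set-xmark` masks) out of the bit range the IPsec stack claims, or keep `protostack=netkey` if you do not need the SAref-based overlapip behaviour.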