[Swan] Usage of firewall marks by KLIPS/OpenSwan/Libreswan

Paul Wouters paul at nohats.ca
Tue Feb 3 19:42:51 EET 2015


On Tue, 3 Feb 2015, Lawrence Manning wrote:

> We are currently (still) using openswan, but will shortly be migrating over to libreswan. I suspect this question is
> generic and relevant to both, so I'm sending it to this list.
> 
> We make use of firewall marks quite extensively, more so as time has gone by, and now we have issues whereby KLIPS is
> asserting its own marks. This is proving to be a real problem, since marks are used for critical things like policy
> routing etc.

AFAIK, those marks only happen when you use protostack=mast

> 1. What functionality does the usage of these marks give KLIPS?

It allows pluto and KLIPS to track SA's by reference (see IKE output
refme and refhim) which allows overlapip=yes to distinguish multiple
overlapping IPsec SA's by using marking. This can be used to distinguish
multiple L2TP/IPsec transport mode SA's behind NAT using the same
pre-NAT IP but also allows you to build multple 10/8 tunnels to
different peers and still distinguish their packets and guide it into
the right tunnel.

> 2. If it is minor, is it possible to disable this functionality either at configure time or compile time?

AFAIK, that should already be the case? You could try compiling without
USE_MAST=yes ?

> 3. I notice that there is a kernel patch: (0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch) which appears to
> move the useage of marks to a dedicated field in the sockbuf. Is applying this patch to our kernel tree, enabling the new
> option and rebuilding swan/klips enough to stop KLIPS from using firewall marks?

I doubt it. There are two patches, saref-bind and saref-send, handling
using the SArefs (refhim/refme). One for incoming connections (and their
replies) and one for outgoing connections originating on the gateway.
For an example use of the latter, see contrib/sarefnc for a version of
ns enhanced with saref handling.

Paul


More information about the Swan mailing list