[Swan] No ipsec0 device with XFRMi
Wolfgang Nothdurft
wolfgang at linogate.de
Tue Aug 11 09:04:28 UTC 2020
On 10.08.20 at 22:48, Antony Antony wrote:
> Hi Wolfgang,
> Thanks for the testcase. Unfortunately, north has no second uplink/interface
> to reach east. So the test can't send the traffic yet. Now we can verify
> rules and verify "ip x s" mark/mask. Let me see if there is another way to
> test to be able to send traffic with fwmark. Add another rule or something,
> change http to "nc" as a listener on east.
I didn't think it was necessary to test the http rule itself. So I set
it to eth0 to block the ipsec xfrmi route and added the iptables and
iproute command for documentation purposes.
>
> Tuomo, do you have any ideas to fix this test case? Simulate two uplinks or
> fwmark?
>
> I would make the patch more generic, where you can configure output mark. Then
> the mark is independent of if_id; for advanced routing use cases this would be
> better. Could you test the attached patch? I am not sure I got mark
> correct, 8 LSB?
>
Your patch works for me.
Wolfgang