[Swan] No ipsec0 device with XFRMi

Wolfgang Nothdurft wolfgang at linogate.de
Tue Aug 11 09:04:28 UTC 2020

Am 10.08.20 um 22:48 schrieb Antony Antony:
> Hi Wolfgang,
> Thanks for the testcase. Unfortunately, north has no second uplink/interface
> to reach east. So the test can't send the traffic yet. Now we can verify
> rules and verify "ip x s" mark/mask. Let me see if there is another way to
> test to able to send traffic with fwmark.  Add another rule or something,
> change http  to "nc" as a listener on east.

I didn't think it was necessary to test the http rule itself. So I set 
it to eth0 to block the ipsec xfrmi route and added the iptables and 
iproute command for documentation purposes.

> Tuomo, do you have any ideas to fix this test case? simulate two uplink or
> fwmark?
> I would the patch more generic, where you can configure output mark. Then
> the mark is independent of if_id, for advanced routing usecase this would be
> better. Could you test the attached patch?  I am not sure I got mark
> correct, 8 LSB?

Your patch works for me.


More information about the Swan mailing list