<div dir="ltr">Thank you Paul. I'm wondering if this idea can be applied to NETKEY; I guess in this case pluto will need to be updated as well, so that adding a new SA will include a "mark", and then the updown script can insert an iptables rule in the mangle table to set connmark according to the different SPIs.<br><div><div class="gmail_extra"><br><div><div class="gmail_signature"><div dir="ltr"><div>Best regards,<br>Steve<br><div><br></div></div></div></div></div>
<br><div class="gmail_quote">2015-07-28 16:11 GMT+08:00 Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, 28 Jul 2015, Steve Leung wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have the same problem here. While doing some searches on Google, it looks like strongswan has a "connmark"<br>
plugin (<a href="https://wiki.strongswan.org/projects/strongswan/wiki/Connmark" rel="noreferrer" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/Connmark</a>) for this. They are using a similar<br>
idea to what Paul suggested, I think, but they are matching the SPI instead. However, in this way I think pluto<br>
will need to be updated as well so "ip xfrm" will xfrm packets by src/dst and the mark defined in iptables.<br>
<br>
Still studying... any pointers are appreciated :)<br>
</blockquote>
<br></span>
We currently don't expose the SPI numbers to the updown scripts, although<br>
we do expose the reqid. SPIs are something we can add if people want to use<br>
them for connmark. It seems both spi and reqid are supported with iptables:<br>
<br>
<a href="http://ipset.netfilter.org/iptables-extensions.man.html" rel="noreferrer" target="_blank">http://ipset.netfilter.org/iptables-extensions.man.html</a><br>
<br>
Apart from exposing the SPIs, we would not need to make any changes to<br>
pluto. This is why we use the updown scripts, to give people the freedom<br>
to do things on a per-sa basis. We could change the updown script to<br>
detect NAT+transport mode and automatically insert the right iptables<br>
rules when we see this happening. That would be my preference over a<br>
new keyword.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div></div></div>
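As an added illustration of what Paul describes (not code from the thread or from libreswan's own _updown), the fragment below builds the per-SA iptables rules an updown script could add, keyed on the reqid that pluto already exports. The PLUTO_* variable names, the use of reqid as the mark value, and the assumption that the outbound xfrm policies carry a matching mark (Steve's open question) are assumptions; the rules are printed rather than applied so it runs without root.

```shell
#!/bin/sh
# Constructed example: emit the iptables connmark rules for one SA.
# Assumed inputs mirror the updown environment: PLUTO_VERB, PLUTO_REQID,
# PLUTO_PEER and PLUTO_UDP_ENC (non-empty when NAT-T encapsulation is used).
# Rules are echoed, not executed; pipe the output to sh to apply them.

# connmark_rules VERB REQID PEER ENCAP
connmark_rules() {
    verb=$1 reqid=$2 peer=$3 encap=$4
    case "$verb" in
        up-*)   action="-A" ;;   # SA coming up: append rules
        down-*) action="-D" ;;   # SA going down: delete the same rules
        *)      return 0 ;;      # prepare-*/route-* verbs need nothing here
    esac
    # Only NAT-T + transport mode needs per-SA marking; tunnels are left alone.
    [ -n "$encap" ] || return 0
    # Inbound: after decryption, tag the connection with the reqid of the SA
    # that carried it, so two clients behind one NAT stay distinguishable.
    echo "iptables -t mangle $action PREROUTING -m policy --dir in --pol ipsec --mode transport --reqid $reqid -j CONNMARK --set-xmark $reqid/0xffffffff"
    # Outbound: copy the connmark onto replies towards the peer so a mark-aware
    # xfrm policy (assumed to exist) selects the matching SA.
    echo "iptables -t mangle $action OUTPUT -d $peer -m connmark --mark $reqid -j MARK --set-xmark $reqid/0xffffffff"
}

# Entry point an updown script would call, reading pluto's environment.
updown_connmark_hook() {
    connmark_rules "$PLUTO_VERB" "$PLUTO_REQID" "$PLUTO_PEER" "$PLUTO_UDP_ENC"
}

# Stand-alone demonstration with constructed values (RFC 5737 address).
connmark_rules up-host 16389 203.0.113.7 4500
```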