Am 30.07.20 um 07:57 schrieb Antony Antony:
Can you can help create a testcase with fwmark and xfrmi? you are using marks with KLIPS? so it is not really configured in ipsec.conf? I wonder how that would translate one-to-one.
Attached you can find an simplified testcase that corresponds approximately to what we do.
In this case marking http traffic, to route it on an other interface. iptables -t mangle -I OUTPUT -p tcp --dport 80 -j MARK --set-mark 0x1 ip ru add prio 1 fwmark 0x1 table 1 ip r add default dev eth0 table 1 This case passes with my example patch when mapping the fwmark to 0x1000000. Wolfgang
commit c5468a72eea2316bf246ba521f17e5f833db9395
Author: Wolfgang <build@localhost.localdomain>
Date: Mon Aug 10 04:29:15 2020 -0400
* prototype testcase for conflicting fwmark with xfrmi
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/description.txt b/testing/pluto/ikev2-xfrmi-14-fwmark/description.txt
new file mode 100644
index 0000000000..d68af1b1ca
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/description.txt
@@ -0,0 +1 @@
+The default XFRMi FWMARK conflicts with a policy based route.
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/east.console.txt b/testing/pluto/ikev2-xfrmi-14-fwmark/east.console.txt
new file mode 100644
index 0000000000..89ec07aef6
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/east.console.txt
@@ -0,0 +1,20 @@
+/testing/guestbin/swan-prep
+east #
+ ipsec start
+Redirecting to: [initsystem]
+east #
+ /testing/pluto/bin/wait-until-pluto-started
+east #
+ ipsec auto --add northnet-eastnet
+002 added IKEv2 connection "northnet-eastnet"
+east #
+ echo "initdone"
+initdone
+east #
+ ipsec whack --trafficstatus
+006 #2: "northnet-eastnet", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@north'
+east #
+ ../bin/check-for-core.sh
+east #
+ if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/east.secrets b/testing/pluto/ikev2-xfrmi-14-fwmark/east.secrets
new file mode 100644
index 0000000000..7b53b85edb
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/east.secrets
@@ -0,0 +1 @@
+@east @north : PSK "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/eastinit.sh b/testing/pluto/ikev2-xfrmi-14-fwmark/eastinit.sh
new file mode 100755
index 0000000000..6dc310df8f
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/eastinit.sh
@@ -0,0 +1,5 @@
+/testing/guestbin/swan-prep
+ipsec start
+/testing/pluto/bin/wait-until-pluto-started
+ipsec auto --add northnet-eastnet
+echo "initdone"
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/final.sh b/testing/pluto/ikev2-xfrmi-14-fwmark/final.sh
new file mode 100755
index 0000000000..35dd99a15b
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/final.sh
@@ -0,0 +1,7 @@
+ipsec whack --trafficstatus
+: ==== cut ====
+ipsec auto --status
+: ==== tuc ====
+../bin/check-for-core.sh
+if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+: ==== end ====
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/ipsec.conf b/testing/pluto/ikev2-xfrmi-14-fwmark/ipsec.conf
new file mode 100644
index 0000000000..67cd088c14
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+
+version 2.0
+
+config setup
+ logfile=/tmp/pluto.log
+ logtime=no
+ logappend=no
+ plutodebug="all"
+ protostack=netkey
+ dumpdir=/tmp
+
+conn %default
+ authby=secret
+ ikev2=insist
+
+conn base
+ rightid=@east
+ leftid=@north
+ left=192.1.3.33
+ right=192.1.2.23
+ leftsubnet=192.0.3.0/24
+
+conn northnet-eastnet
+ also=base
+ ipsec-interface=no
+
+conn north
+ also=base
+ priority=3
+ ipsec-interface=yes
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/nic.console.txt b/testing/pluto/ikev2-xfrmi-14-fwmark/nic.console.txt
new file mode 100644
index 0000000000..fcd5477274
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/nic.console.txt
@@ -0,0 +1,7 @@
+iptables -t nat -F
+nic #
+ iptables -F
+nic #
+ echo "initdone"
+initdone
+
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/nicinit.sh b/testing/pluto/ikev2-xfrmi-14-fwmark/nicinit.sh
new file mode 100755
index 0000000000..d48b3f9ad5
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/nicinit.sh
@@ -0,0 +1,4 @@
+iptables -t nat -F
+iptables -F
+echo "initdone"
+: ==== end ====
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/north.console.txt b/testing/pluto/ikev2-xfrmi-14-fwmark/north.console.txt
new file mode 100644
index 0000000000..ecade8b2c4
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/north.console.txt
@@ -0,0 +1,93 @@
+/testing/guestbin/swan-prep
+north #
+ iptables -t mangle -I OUTPUT -p tcp --dport 80 -j MARK --set-mark 0x1
+north #
+ ip ru add prio 1 fwmark 0x1 table 1
+north #
+ ip r add default dev eth0 table 1
+north #
+ # this route from /etc/sysconfig/network-scripts/route-eth1 interfears
+north #
+ ip route get to 192.0.2.254 | grep eth1 && ip route del 192.0.2.0/24 via 192.1.3.254 dev eth1
+192.0.2.254 via 192.1.3.254 dev eth1 src 192.1.3.33 uid 0
+RTNETLINK answers: No such process
+north #
+ # ip link show ipsec1 2>/dev/null && ip link del ipsec1
+north #
+ echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
+north #
+ ipsec start
+Redirecting to: [initsystem]
+north #
+ /testing/pluto/bin/wait-until-pluto-started
+north #
+ ipsec auto --add north
+002 added IKEv2 connection "north"
+north #
+ echo "initdone"
+initdone
+north #
+ ipsec auto --up north
+1v2 "north" #1: initiating IKEv2 connection
+1v2 "north" #1: sent IKE_SA_INIT request
+1v2 "north" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
+002 "north" #2: IKEv2 mode peer ID is ID_FQDN: '@east'
+003 "north" #1: authenticated using authby=secret
+002 "north" #2: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
+004 "north" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+north #
+ # comments bellow are to understand/explore the basics : what is going on
+north #
+ # ip link add ipsec1 type xfrm xfrmi-id 1 dev eth0
+north #
+ # ip link set ipsec1 up
+north #
+ # ip route add 192.0.2.0/24 dev ipsec1 src 192.0.3.254
+north #
+ # tcpdump -s 0 -n -w /tmp/ipsec1.pcap -i ipsec1 & echo $! > /tmp/tcpdump.pid
+north #
+ sleep 2
+north #
+ ping -w 4 -c 4 192.1.2.23
+PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.
+64 bytes from 192.1.2.23: icmp_seq=1 ttl=64 time=0.XXX ms
+64 bytes from 192.1.2.23: icmp_seq=2 ttl=64 time=0.XXX ms
+64 bytes from 192.1.2.23: icmp_seq=3 ttl=64 time=0.XXX ms
+64 bytes from 192.1.2.23: icmp_seq=4 ttl=64 time=0.XXX ms
+--- 192.1.2.23 ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time XXXX
+rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
+north #
+ ip -s link show ipsec1
+X: ipsec1@eth1: <NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN
+ RX: bytes packets errors dropped overrun mcast
+ 336 4 0 0 0 0
+ TX: bytes packets errors dropped carrier collsns
+ 336 4 0 0 0 0
+north #
+ #kill -9 $(cat /tmp/tcpdump.pid)
+north #
+ sleep 2
+north #
+ #cp /tmp/ipsec1.pcap OUTPUT/
+north #
+ ip rule show
+0: from all lookup local
+1: from all fwmark 0x1 lookup 1
+100: from all to 192.1.2.23 fwmark 0x1000000 lookup 50
+32766: from all lookup main
+32767: from all lookup default
+north #
+ ip route show table 50
+192.1.2.23 dev eth1 scope link
+north #
+ echo done
+done
+north #
+ ipsec whack --trafficstatus
+006 #2: "north", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east'
+north #
+ ../bin/check-for-core.sh
+north #
+ if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/north.secrets b/testing/pluto/ikev2-xfrmi-14-fwmark/north.secrets
new file mode 100644
index 0000000000..7b53b85edb
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/north.secrets
@@ -0,0 +1 @@
+@east @north : PSK "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/northinit.sh b/testing/pluto/ikev2-xfrmi-14-fwmark/northinit.sh
new file mode 100755
index 0000000000..96c6dd3592
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/northinit.sh
@@ -0,0 +1,12 @@
+/testing/guestbin/swan-prep
+iptables -t mangle -I OUTPUT -p tcp --dport 80 -j MARK --set-mark 0x1
+ip ru add prio 1 fwmark 0x1 table 1
+ip r add default dev eth0 table 1
+# this route from /etc/sysconfig/network-scripts/route-eth1 interfears
+ip route get to 192.0.2.254 | grep eth1 && ip route del 192.0.2.0/24 via 192.1.3.254 dev eth1
+# ip link show ipsec1 2>/dev/null && ip link del ipsec1
+echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
+ipsec start
+/testing/pluto/bin/wait-until-pluto-started
+ipsec auto --add north
+echo "initdone"
diff --git a/testing/pluto/ikev2-xfrmi-14-fwmark/northrun.sh b/testing/pluto/ikev2-xfrmi-14-fwmark/northrun.sh
new file mode 100755
index 0000000000..caa3888ebb
--- /dev/null
+++ b/testing/pluto/ikev2-xfrmi-14-fwmark/northrun.sh
@@ -0,0 +1,15 @@
+ipsec auto --up north
+# comments bellow are to understand/explore the basics : what is going on
+# ip link add ipsec1 type xfrm xfrmi-id 1 dev eth0
+# ip link set ipsec1 up
+# ip route add 192.0.2.0/24 dev ipsec1 src 192.0.3.254
+# tcpdump -s 0 -n -w /tmp/ipsec1.pcap -i ipsec1 & echo $! > /tmp/tcpdump.pid
+sleep 2
+ping -w 4 -c 4 192.1.2.23
+ip -s link show ipsec1
+#kill -9 $(cat /tmp/tcpdump.pid)
+sleep 2
+#cp /tmp/ipsec1.pcap OUTPUT/
+ip rule show
+ip route show table 50
+echo done
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan
