Martin A. Brown
2002-Aug-15 21:18 UTC
conditional routing based on tos/fwmark not working with ipsec
Hello all,

I am working with kernel 2.2.20 with the necessary options configured into
the kernel to support all of the wonderfully fancy routing features:

  - routing based on ToS
  - routing based on fwmark
  - multiple routing tables

This same kernel is in use elsewhere, and is routing based on fwmark with
success. This leads me to believe that my kernel is OK and that I have
another problem.

problem description
- - - - - - - - - -

I have marked packets using ipchains, created another routing table, and
populated that routing table with a single route.

  # ipchains -I output 1 -p tcp -s $OUTIF $PORT -d $CLIENT -m 8 -j ACCEPT
  # ip rule add from $OUTIF fwmark 8 lookup 8
  # ip route add $CLIENT via $GW dev eth0 table 8
  # ip route flush cache

When I inspect the counters on the chains, I notice that the chain I insert
is actually in use (the counter does increment). The problem is that the
packet is still routed out the ipsec0 interface.

Operating on the false assumption that I was misunderstanding something, I
tried a similar technique with ToS. This failed as well.

  # ipchains -I output 1 -p tcp -s $OUTIF $PORT -d $CLIENT -t 0x01 0x04 -j ACCEPT
  # ip route add from $OUTIF tos 0x04 dev eth0
  # ip route flush cache

In each case, I am able to see the packets leaving the ipsec0 interface. In
the former case, I see the counters on the chain incrementing. In the latter
case, I see the tos bits set in the packet outbound on ipsec0.

summary of questions
- - - - - - - - - -

1. Does anybody have any idea why packets which have been marked (fwmark)
   would not be routed according to the RPDB?

2. Am I marking packets on the wrong chain?

   2.a Don't locally generated packets only traverse the output chain?

3. Any suggestions for how to separate the IPSec packets from "plaintext"
   packets and route them according to these rules:

   - IPSec packet bound for internal network; via ipsec0
   - any other IP packet (ping, tcp, udp); via eth0

-Martin

relevant kernel options settings
- - - - - - - - - - - - - - - -

CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_DIVERT=y
CONFIG_DIV_PT=y

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
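The policy-routing lookup the post expects, written out as an added example that is not part of the original message, the LARTC HOWTO or the kernel: a small Python model of the RPDB in which rules are visited in priority order, each matching rule's table is searched by longest prefix, and a table with no matching route falls through to the next rule. The addresses, the internal network and the fwmark value are constructed stand-ins for the post's $OUTIF, $GW and $CLIENT; nothing here talks to a real kernel. It is useful for stating what `ip rule add from $OUTIF fwmark 8 lookup 8` plus the table-8 route should do (marked packet leaves eth0, unmarked packet keeps using ipsec0) so that a tcpdump on ipsec0, as in the post, can be compared against the intended outcome rather than against a guess.

```python
"""Toy model of the Linux routing policy database (RPDB).

Added example, not code from the original post or from LARTC. It reproduces
the lookup order the post relies on: rules by priority, longest-prefix match
inside the selected table, fall-through when the table has no route.
All addresses and the mark value are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    fwmark: int = 0   # mark set by the firewall (ipchains -m / iptables MARK)
    tos: int = 0      # IP ToS byte


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str                    # "lookup <table>"
    src: Optional[Net] = None     # "from <prefix>" selector
    fwmark: Optional[int] = None  # "fwmark <n>" selector
    tos: Optional[int] = None     # "tos <n>" selector

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only when every selector it carries matches."""
        if self.src is not None and pkt.src not in self.src:
            return False
        if self.fwmark is not None and pkt.fwmark != self.fwmark:
            return False
        if self.tos is not None and pkt.tos != self.tos:
            return False
        return True


@dataclass(frozen=True)
class Route:
    dst: Net
    dev: str
    via: Optional[IPv4] = None


class Rpdb:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.tables: Dict[str, List[Route]] = {}

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)   # lowest priority value first

    def add_route(self, table: str, route: Route) -> None:
        self.tables.setdefault(table, []).append(route)

    def lookup_table(self, table: str, pkt: Packet) -> Optional[Route]:
        """Longest-prefix match on the destination within one table."""
        best: Optional[Route] = None
        for r in self.tables.get(table, []):
            if pkt.dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
                best = r
        return best

    def lookup(self, pkt: Packet) -> Optional[Tuple[str, Route]]:
        """Walk rules in priority order; a table without a route falls through."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            route = self.lookup_table(rule.table, pkt)
            if route is not None:
                return rule.table, route
        return None


# Constructed stand-ins for the post's shell variables.
OUTIF = IPv4("198.51.100.10")   # $OUTIF: this host's eth0 address
GW = IPv4("198.51.100.1")       # $GW: next hop on eth0
CLIENT = IPv4("10.1.2.3")       # $CLIENT: peer inside the IPsec-protected network
INTERNAL = Net("10.1.0.0/16")   # internal network normally reached via ipsec0


def build_rpdb() -> Rpdb:
    """Main table sends the internal net via ipsec0; table 8 overrides for marked packets."""
    db = Rpdb()
    db.add_route("main", Route(INTERNAL, dev="ipsec0"))
    db.add_route("main", Route(Net("0.0.0.0/0"), dev="eth0", via=GW))
    db.add_route("8", Route(Net(f"{CLIENT}/32"), dev="eth0", via=GW))
    db.add_rule(Rule(priority=32000, table="8", src=Net(f"{OUTIF}/32"), fwmark=8))
    db.add_rule(Rule(priority=32766, table="main"))
    return db


def egress_dev(db: Rpdb, pkt: Packet) -> Optional[str]:
    """Interface the model says the packet should leave on, or None if unroutable."""
    hit = db.lookup(pkt)
    return hit[1].dev if hit else None


if __name__ == "__main__":
    db = build_rpdb()
    for pkt in (Packet(OUTIF, CLIENT, fwmark=8), Packet(OUTIF, CLIENT),
                Packet(OUTIF, IPv4("192.0.2.5"), fwmark=8)):
        print(pkt.dst, "fwmark", pkt.fwmark, "->", egress_dev(db, pkt))
```

The model is also a handy place to try the variations the post raises: add a `tos=` selector to a rule to mirror the second attempt, or change the `src` selector to see that a packet whose source does not match `from $OUTIF` never consults table 8 even when it carries fwmark 8. What the model cannot show is anything the kernel does before or after the RPDB (the chain a locally generated packet actually traverses, or how a virtual ipsec0 device claims traffic), which is exactly the gap between expected and observed behaviour the post asks about.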