On Wednesday 2012-05-16 08:34, Steffen Heil (Mailinglisten) wrote:
>
>> xt_esp generates debug output if you have "printk" sysctl set to show it.
>
>How would I do so? I never used sysctl for anything but enabling ip
>forwarding....
sysctl -w kernel.printk="7 7 7 7"
is probably one way.
>Second: Below is the current output of `ip -s xfrm policy`, `ip -s xfrm
>state` and `setkey -D`.
>I noticed,
>- `ip -s xfrm policy` contains "proto esp spi 0x00000000(0)".
>- `setkey -D` contains "spi=3243547107(0xc15499e3)".
>- `ip -s xfrm state` contains "esp spi 0xc4b51d18(3300203800)".
>
>Is this to be expected?
It is not unusual to see `ip -s x p` showing spi 0.
About setkey I don't know, since openswan and I don't use that.
Better trust `ip x s`.
Also note that there may be a handful of SPIs live between peers,
not just a single one.
>Third, I tried your command:
>
># iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK
>--set-mark 1
>iptables v1.4.12: Gives: unknown option "--spi"
--espspi per manpage.
># iptables -t mangle -A PREROUTING -p esp -m espspi --spi 0xcdfebb11 -j MARK
>--set-mark 1
>iptables v1.4.12: policy match: neither --dir in nor --dir out specified
Your command does not match your output.
># iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir
>out -j MARK --set-mark 1
>iptables: Invalid argument. Run `dmesg' for more information.
See dmesg. (Well, it told you that.)
># iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir
>in -j MARK --set-mark 1
>
>That worked, however I still don't get the packets through.
Why don't you try --espspi 0xc4b51d18 for a change, since that is
(one value) from those obtained from ip x s.
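
Added example, not part of the original message: since several SPIs may be live between peers and `ip x s` is the listing to trust, this sketch reads `ip xfrm state` text and prints (does not run) one `-m esp --espspi` mark rule per inbound ESP SA. The SA listing is constructed sample data with documentation addresses, and the function names `sample_state`, `inbound_esp_spis` and `mark_rules` are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the shape of `ip -s xfrm state` output (keys omitted).
sample_state() {
cat <<'EOF'
src 192.0.2.10 dst 198.51.100.20
    proto esp spi 0xc4b51d18(3300203800) reqid 16385(0x00004001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
src 198.51.100.20 dst 192.0.2.10
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 192.0.2.10 dst 198.51.100.20
    proto ah spi 0x00001234 reqid 1 mode transport
EOF
}

# inbound_esp_spis LOCAL_IP
# Reads `ip xfrm state` text on stdin and prints the SPI of every ESP SA whose
# destination is LOCAL_IP. Those are the SPIs carried by ESP packets arriving
# at this host, i.e. the ones a PREROUTING rule can see.
inbound_esp_spis() {
    awk -v addr="$1" '
        $1 == "src" && $3 == "dst" { dst = $4; next }
        $1 == "proto" && $2 == "esp" && $3 == "spi" && dst == addr {
            spi = $4
            sub(/\(.*/, "", spi)   # -s output appends the decimal value in parentheses
            print spi
        }'
}

# mark_rules LOCAL_IP MARK
# Prints one iptables command per inbound ESP SPI. Printing instead of
# executing lets the rules be reviewed before they are loaded.
mark_rules() {
    inbound_esp_spis "$1" | while read -r spi; do
        printf 'iptables -t mangle -A PREROUTING -p esp -m esp --espspi %s -j MARK --set-mark %s\n' \
            "$spi" "$2"
    done
}

# On a live system: ip xfrm state | mark_rules <local address> 1
sample_state | mark_rules 198.51.100.20 1
```

SPIs change on every rekey, so rules generated this way go stale when the SAs are renegotiated.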