xfrm decode / SA matching



I have several SAs with the same networks and gateways on both sides but
different xmarks (1 vs 2) and those work correctly.

Therefore I need iptables rules like the following (in raw/PREROUTING):

iptables -t raw -A PREROUTING -p esp -m esp --espspi 0xc270c557 -j MARK --set-mark 1
iptables -t raw -A PREROUTING -p esp -m esp --espspi 0xcaa7e5c8 -j MARK --set-mark 2

Then netfilter selects the correct SA.

However, as the esp packets contain the spi value, I also expected them to
work correctly if they have the same xmark (both 1):

iptables -t raw -A PREROUTING -p esp -m esp --espspi 0xc270c557 -j MARK --set-mark 1
iptables -t raw -A PREROUTING -p esp -m esp --espspi 0xcaa7e5c8 -j MARK --set-mark 1

Yet, this does not work.
I get the feeling that the selection of the correct SA is not based on the
spi but on the ip and xmark only.

Is this true?
If so, why? Isn't the SPI there especially for that reason?

Can this be achieved somehow?

Best regards,

