-----BEGIN PGP SIGNED MESSAGE-----
The FreeSWAN KLIPS code has an explicit exception for packets originating
from the localhost that are bound to UDP port 500. This is the ISAKMP port
which is needed for keying the tunnels.
On 2.2(.20), (but not 2.4) when a process has a SOCK_PACKET open to see outgoing
traffic, the skb->sk pointer is not copied by whatever code copies and/or
clones the skb.
** I am having difficulty finding that code, btw. Pointers welcome. **
We prefer to check skb->sk to implement our exception, since this guarantees
the packet is from the local stack, and it gets around problems of packet
fragmentation that would otherwise prevent us from seeing the port numbers.
A user has noticed that he is unable to key his tunnels properly when running
iptraf, which is how we noticed this. We already knew that tcpdump'ing
oneself was usually a bad idea on 2.0 and 2.2, but never was quite clear why.
We suspect that there is no solution to this if it is in fact a limitation of
2.2's skb_copy. (We might be able to offer a patch for a potential 2.2.21).
** can someone confirm that this is in fact the case? **
As we want to move toward using advanced routing to do this kind of thing, I
tried to build an exception using ipchains and advanced routing. I did not
succeed, and am not clear how to debug. I'm joining the LARTC list and
reviewing the archives.
Since Advanced routing does not have selectors for ports, I used ipchains to
set the fwmark and selected based upon that.
elros:~# grep IKE /etc/iproute2/rt_tables
50 IKE
elros:~# ip rule ls
0: from all lookup local
32764: from all fwmark 32 lookup IKE
32766: from all lookup main
32767: from all lookup default
elros:~# ipchains -I forward 1 -i ipsec0 --proto udp --src 192.139.46.5/32 500 --dst 192.139.46.7/32 500 --mark 32 -j ACCEPT
elros:~# ipchains -I output 1 --proto udp --src 192.139.46.5/32 500 --dst 192.139.46.7/32 500 --mark 32 -j ACCEPT
elros:~# ip route show
192.139.46.7 via 192.139.46.1 dev ipsec0
192.139.46.56/29 dev eth1 proto kernel scope link src 192.139.46.57
192.139.46.0/28 dev eth0 proto kernel scope link src 192.139.46.5
192.139.46.0/28 dev ipsec0 proto kernel scope link src 192.139.46.5
default via 192.139.46.1 dev eth0
elros:~# ip route show table IKE
192.139.46.7 via 192.139.46.1 dev eth0
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBPIvHUIqHRg3pndX9AQHuJwP/YprWymrxR/qEcn8fOdiNEIwkJ8mQ6mbn
PF3Gcsr/eBmNkISNRyXqZ/d/0a/SBPYRqTq2v2IXJ5uvCuUEd2aLEKUTwozA1Gl6
vOLqdry4dT9/7Kx6rvSQ3kV9KZi/zNICu4ofA7/XaNY5zMZGYrj4wpjSEq3xY6JR
shNQZ8ajWzM=
=N7uT
-----END PGP SIGNATURE-----
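The post says KLIPS prefers checking skb->sk over matching UDP port 500 because fragmentation "would otherwise prevent us from seeing the port numbers". The following is an added example, not FreeSWAN/KLIPS code, that shows concretely why a port-based ISAKMP selector cannot be evaluated on every packet: only the first fragment of an IPv4 datagram carries the UDP header, so any later fragment has no ports to match. The packets are constructed by hand (addresses taken from the post), the function names and the three-way YES/NO/UNKNOWN result are this example's own, and the IP checksum is left zero since nothing here touches a real stack.

```c
/*
 * Added example (not FreeSWAN/KLIPS code): a port-based ISAKMP (UDP/500)
 * selector evaluated on raw IPv4 packets. A non-first fragment has
 * fragment offset > 0 and no UDP header, so the selector cannot decide;
 * a check on the originating socket (skb->sk in the post) does not have
 * this problem because it does not look at transport headers at all.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROTO_UDP   17
#define ISAKMP_PORT 500

enum ike_match { IKE_NO = 0, IKE_YES = 1, IKE_UNKNOWN = 2 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify a raw IPv4 packet: is it UDP 500 -> 500, and can we even tell? */
enum ike_match classify_isakmp(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return IKE_NO;                      /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return IKE_NO;                      /* bogus header length */
    if (pkt[9] != PROTO_UDP)
        return IKE_NO;                      /* not UDP */
    uint16_t offset = be16(pkt + 6) & 0x1fff;   /* fragment offset, 8-octet units */
    if (offset != 0)
        return IKE_UNKNOWN;                 /* later fragment: no UDP header here */
    if (len < ihl + 8)
        return IKE_UNKNOWN;                 /* truncated: UDP header incomplete */
    uint16_t sport = be16(pkt + ihl);
    uint16_t dport = be16(pkt + ihl + 2);
    return (sport == ISAKMP_PORT && dport == ISAKMP_PORT) ? IKE_YES : IKE_NO;
}

/* Build a minimal IPv4 header (IHL 5, checksum 0) followed by payload.
 * Source/destination are 192.139.46.5 -> 192.139.46.7 as in the post. */
static size_t build_ipv4(uint8_t *out, uint8_t proto, uint16_t frag_field,
                         const uint8_t *payload, size_t plen)
{
    memset(out, 0, 20);
    out[0] = 0x45;                          /* version 4, IHL 5 */
    uint16_t total = (uint16_t)(20 + plen);
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)(total & 0xff);
    out[6] = (uint8_t)(frag_field >> 8); out[7] = (uint8_t)(frag_field & 0xff);
    out[8] = 64;                            /* TTL */
    out[9] = proto;
    out[12] = 192; out[13] = 139; out[14] = 46; out[15] = 5;
    out[16] = 192; out[17] = 139; out[18] = 46; out[19] = 7;
    memcpy(out + 20, payload, plen);
    return 20 + plen;
}

/* Constructed: first fragment of an IKE datagram (MF set, offset 0),
 * UDP header present with ports 500 -> 500. */
enum ike_match demo_first_fragment(void)
{
    uint8_t udp[8] = { 0x01, 0xf4, 0x01, 0xf4, 0x00, 0x08, 0x00, 0x00 };
    uint8_t pkt[64];
    size_t n = build_ipv4(pkt, PROTO_UDP, 0x2000, udp, sizeof udp);
    return classify_isakmp(pkt, n);
}

/* Constructed: a later fragment of the same datagram (offset 16 = 128
 * octets, MF clear). Same 5-tuple on the wire, but no UDP header. */
enum ike_match demo_later_fragment(void)
{
    uint8_t body[8] = { 0 };
    uint8_t pkt[64];
    size_t n = build_ipv4(pkt, PROTO_UDP, 0x0010, body, sizeof body);
    return classify_isakmp(pkt, n);
}

/* Constructed: ordinary unfragmented UDP, ports 49152 -> 53, not IKE. */
enum ike_match demo_other_udp(void)
{
    uint8_t udp[8] = { 0xc0, 0x00, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
    uint8_t pkt[64];
    size_t n = build_ipv4(pkt, PROTO_UDP, 0x0000, udp, sizeof udp);
    return classify_isakmp(pkt, n);
}

int main(void)
{
    static const char *names[] = { "NO", "YES", "UNKNOWN" };
    printf("first fragment : %s\n", names[demo_first_fragment()]);
    printf("later fragment : %s\n", names[demo_later_fragment()]);
    printf("other UDP      : %s\n", names[demo_other_udp()]);
    return 0;
}
```

The later fragment comes back UNKNOWN rather than NO: a selector that must answer yes or no for every packet has to either drop it (breaking the IKE exchange once a large ISAKMP message fragments) or pass it (opening the exception to anything that arrives as a non-first fragment). That is the trade-off the skb->sk check avoids, and it is also why the ipchains rules in the post, which match on ports, cannot fully replace it.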