<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>you will find hereafter my patch that has not been done really
smartly.</p>
<p>I'm not sure i have understood all i did (probably not).</p>
<p>But once done i still got packet with no mark. And i'm not able
to have 2 tincd process working concurently with the same port but
different addresses. Did i miss something?</p>
<p>You will find hereafter some outputs of ps, netstat and iptables
logs.<br>
</p>
<p> ps -ef | grep tincd<br>
root 14131 1 0 16:41 ? 00:00:00 tincd -n
tnid-00000002 -m 4096 --logfile=/var/log/tinc/tnid-00000002.log<br>
root 14898 1 0 19:28 ? 00:00:00 tincd -n
tnid-00000001 -m 8192 --logfile=/var/log/tinc/tnid-00000001.log<br>
<br>
</p>
<p>netstat -anp | grep 655<br>
tcp 0 0 192.168.42.111:655
0.0.0.0:* LISTEN 14898/tincd<br>
tcp 0 0 192.168.42.110:655
0.0.0.0:* LISTEN 14131/tincd<br>
tcp 0 0 192.168.42.110:39626
192.168.42.172:655 ESTABLISHED 14131/tincd<br>
tcp 0 0 192.168.42.110:54492
192.168.42.175:655 ESTABLISHED 14898/tincd<br>
udp 0 0 192.168.42.111:655
0.0.0.0:* 14898/tincd<br>
udp 0 0 192.168.42.110:655
0.0.0.0:* 14131/tincd</p>
<p>the expected trace for the 4th tcp connexion is:</p>
<p>tcp 0 0 192.168.42.111:54492
192.168.42.175:655 ESTABLISHED 14898/tincd because it is
linked to 14898 tincd process marked with 8192 mark</p>
<p> cat /var/log/iptables.log | grep TCP | grep 54492<br>
</p>
<p>Oct 10 20:44:39 localhost kernel: output dport: IN= OUT=eth0
SRC=192.168.42.110 DST=192.168.42.175 LEN=54 TOS=0x10 PREC=0x00
TTL=64 ID=48981 DF PROTO=TCP SPT=54492 DPT=655 WINDOW=310 RES=0x00
ACK PSH URGP=0<br>
Oct 10 20:44:39 localhost kernel: output dport: IN= OUT=eth0
SRC=192.168.42.110 DST=192.168.42.175 LEN=52 TOS=0x10 PREC=0x00
TTL=64 ID=48982 DF PROTO=TCP SPT=54492 DPT=655 WINDOW=310 RES=0x00
ACK URGP=0<br>
Oct 10 20:44:40 localhost kernel: output dport: IN= OUT=eth0
SRC=192.168.42.110 DST=192.168.42.175 LEN=52 TOS=0x10 PREC=0x00
TTL=64 ID=48983 DF PROTO=TCP SPT=54492 DPT=655 WINDOW=310 RES=0x00
ACK URGP=0<br>
Oct 10 20:44:40 localhost kernel: output dport: IN= OUT=eth0
SRC=192.168.42.110 DST=192.168.42.175 LEN=54 TOS=0x10 PREC=0x00
TTL=64 ID=48984 DF PROTO=TCP SPT=54492 DPT=655 WINDOW=310 RES=0x00
ACK PSH URGP=0<br>
Oct 10 20:45:10 localhost kernel: output dport: IN= OUT=eth0
SRC=192.168.42.110 DST=192.168.42.175 LEN=52 TOS=0x10 PREC=0x00
TTL=64 ID=48985 DF PROTO=TCP SPT=54492 DPT=655 WINDOW=310 RES=0x00
ACK URGP=0<br>
Oct 10 20:45:39 localhost kernel: output dport: IN= OUT=eth0
SRC=192.168.42.110 DST=192.168.42.175 LEN=54 TOS=0x10 PREC=0x00
TTL=64 ID=48986 DF PROTO=TCP SPT=54492 DPT=655 WINDOW=310 RES=0x00
ACK PSH URGP=0<br>
Oct 10 20:45:39 localhost kernel: output dport: IN= OUT=eth0
SRC=192.168.42.110 DST=192.168.42.175 LEN=52 TOS=0x10 PREC=0x00
TTL=64 ID=48987 DF PROTO=TCP SPT=54492 DPT=655 WINDOW=310 RES=0x00
ACK URGP=0<br>
Oct 10 20:45:40 localhost kernel: output dport: IN= OUT=eth0
SRC=192.168.42.110 DST=192.168.42.175 LEN=52 TOS=0x10 PREC=0x00
TTL=64 ID=48988 DF PROTO=TCP SPT=54492 DPT=655 WINDOW=310 RES=0x00
ACK URGP=0<br>
Oct 10 20:45:40 localhost kernel: output dport: IN= OUT=eth0
SRC=192.168.42.110 DST=192.168.42.175 LEN=54 TOS=0x10 PREC=0x00
TTL=64 ID=48989 DF PROTO=TCP SPT=54492 DPT=655 WINDOW=310 RES=0x00
ACK PSH URGP=0<br>
</p>
<p>Packet are not marked why?</p>
<p>All outgoing packet marked with m=8192 are using 192.168.42.111
as source address as shown there</p>
<p> cat /var/log/iptables.log | grep 192.168.42.111<br>
Oct 10 20:44:32 localhost kernel: tincd: IN= OUT=eth0
SRC=192.168.42.175 DST=192.168.42.111 LEN=516 TOS=0x00 PREC=0x00
TTL=63 ID=0 DF PROTO=UDP SPT=655 DPT=655 LEN=496 MARK=0x2000<br>
Oct 10 20:44:32 localhost kernel: tincd: IN= OUT=eth0
SRC=192.168.42.175 DST=192.168.42.111 LEN=516 TOS=0x00 PREC=0x00
TTL=63 ID=0 DF PROTO=UDP SPT=655 DPT=655 LEN=496 MARK=0x2000<br>
Oct 10 20:44:32 localhost kernel: tincd: IN= OUT=eth0
SRC=192.168.42.175 DST=192.168.42.111 LEN=220 TOS=0x00 PREC=0x00
TTL=63 ID=0 DF PROTO=UDP SPT=655 DPT=655 LEN=200 MARK=0x2000<br>
Oct 10 20:44:32 localhost kernel: tincd: IN= OUT=eth0
SRC=192.168.42.175 DST=192.168.42.111 LEN=220 TOS=0x00 PREC=0x00
TTL=63 ID=0 DF PROTO=UDP SPT=655 DPT=655 LEN=200 MARK=0x2000<br>
Oct 10 20:44:32 localhost kernel: tincd: IN= OUT=eth0
SRC=192.168.42.111 DST=192.168.42.175 LEN=524 TOS=0x00 PREC=0x00
TTL=64 ID=0 DF PROTO=UDP SPT=655 DPT=655 LEN=504 MARK=0x2000<br>
Oct 10 20:44:32 localhost kernel: tincd: IN= OUT=eth0
SRC=192.168.42.111 DST=192.168.42.175 LEN=524 TOS=0x00 PREC=0x00
TTL=64 ID=0 DF PROTO=UDP SPT=655 DPT=655 LEN=504 MARK=0x2000<br>
Oct 10 20:44:32 localhost kernel: tincd: IN= OUT=eth0
SRC=192.168.42.111 DST=192.168.42.175 LEN=411 TOS=0x00 PREC=0x00
TTL=64 ID=0 DF PROTO=UDP SPT=655 DPT=655 LEN=391 MARK=0x2000<br>
Oct 10 20:44:32 localhost kernel: tincd: IN= OUT=eth0
SRC=192.168.42.111 DST=192.168.42.175 LEN=411 TOS=0x00 PREC=0x00
TTL=64 ID=0 DF PROTO=UDP SPT=655 DPT=655 LEN=391 MARK=0x2000<br>
Oct 10 20:44:32 localhost kernel: tincd: IN= OUT=eth0
SRC=192.168.42.111 DST=192.168.42.175 LEN=517 TOS=0x00 PREC=0x00
TTL=64 ID=0 DF PROTO=UDP SPT=655 DPT=655 LEN=497 MARK=0x2000<br>
</p>
<p><br>
</p>
<p>Thank you guys for you help!!!!</p>
<p><br>
</p>
<p>Olivier<br>
</p>
<p><br>
</p>
<p>tinc-1.0.28 </p>
<p>diff -ur tinc-1.0.28-orig/src/conf.h tinc-1.0.28/src/conf.h<br>
--- tinc-1.0.28-orig/src/conf.h 2014-08-27 10:40:51.000000000
+0200<br>
+++ tinc-1.0.28/src/conf.h 2016-10-10 18:36:21.401842379 +0200<br>
@@ -39,6 +39,7 @@<br>
extern int pingtimeout;<br>
extern int maxtimeout;<br>
extern int mintimeout;<br>
+extern int mark;<br>
extern bool bypass_security;<br>
extern char *confbase;<br>
extern char *netname;<br>
Seulement dans tinc-1.0.28/src: Makefile<br>
diff -ur tinc-1.0.28-orig/src/net_socket.c
tinc-1.0.28/src/net_socket.c<br>
--- tinc-1.0.28-orig/src/net_socket.c 2016-04-09
15:16:47.000000000 +0200<br>
+++ tinc-1.0.28/src/net_socket.c 2016-10-10 18:41:01.081238670
+0200<br>
@@ -69,25 +69,40 @@<br>
logger(LOG_ERR, "ioctlsocket for %s: %s", c->hostname,
sockstrerror(sockerrno));<br>
}<br>
#endif<br>
-<br>
+ <br>
+ int one = 1;<br>
+ int val = mark;<br>
+ <br>
#if defined(SOL_TCP) && defined(TCP_NODELAY)<br>
option = 1;<br>
setsockopt(c->socket, SOL_TCP, TCP_NODELAY, (void
*)&option, sizeof(option));<br>
+ if ( mark != 0 ){<br>
+ setsockopt(c->socket, SOL_TCP, SO_MARK, (void
*)&val, sizeof(one));<br>
+ }<br>
+ <br>
#endif<br>
<br>
#if defined(SOL_IP) && defined(IP_TOS) &&
defined(IPTOS_LOWDELAY)<br>
option = IPTOS_LOWDELAY;<br>
setsockopt(c->socket, SOL_IP, IP_TOS, (void *)&option,
sizeof(option));<br>
+ if ( mark != 0 ){<br>
+ setsockopt(c->socket, SOL_IP, SO_MARK, (void
*)&val, sizeof(one));<br>
+ }<br>
#endif<br>
<br>
#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
&& defined(IPTOS_LOWDELAY)<br>
option = IPTOS_LOWDELAY;<br>
setsockopt(c->socket, IPPROTO_IPV6, IPV6_TCLASS, (void
*)&option, sizeof(option));<br>
+ if ( mark != 0 ){<br>
+ setsockopt(c->socket, IPPROTO_IPV6, SO_MARK,
(void *)&val, sizeof(one));<br>
+ }<br>
#endif<br>
}<br>
<br>
static bool bind_to_interface(int sd) {<br>
char *iface;<br>
+ int val = mark;<br>
+ int one = 1;<br>
<br>
#if defined(SOL_SOCKET) && defined(SO_BINDTODEVICE)<br>
struct ifreq ifr;<br>
@@ -108,6 +123,12 @@<br>
logger(LOG_ERR, "Can't bind to interface %s: %s",
ifr.ifr_ifrn.ifrn_name, strerror(errno));<br>
return false;<br>
}<br>
+ else{<br>
+ if ( mark != 0 ){<br>
+ setsockopt(sd, SOL_SOCKET, SO_MARK, (void
*)&val, sizeof(one));<br>
+ }<br>
+ }<br>
+<br>
<br>
#else /* if !defined(SOL_SOCKET) || !defined(SO_BINDTODEVICE) */<br>
logger(LOG_WARNING, "%s not supported on this platform",
"BindToInterface");<br>
@@ -121,13 +142,16 @@<br>
char *addrstr;<br>
int option;<br>
char *iface;<br>
+ int val = mark;<br>
+ int one = 1;<br>
<br>
nfd = socket(sa->sa.sa_family, SOCK_STREAM, IPPROTO_TCP);<br>
-<br>
+ <br>
if(nfd < 0) {<br>
ifdebug(STATUS) logger(LOG_ERR, "Creating metasocket
failed: %s", sockstrerror(sockerrno));<br>
return -1;<br>
}<br>
+ <br>
<br>
#ifdef FD_CLOEXEC<br>
fcntl(nfd, F_SETFD, FD_CLOEXEC);<br>
@@ -137,6 +161,11 @@<br>
<br>
option = 1;<br>
setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, (void
*)&option, sizeof(option));<br>
+ if ( mark != 0 ){<br>
+ setsockopt(nfd, SOL_SOCKET, SO_MARK, (void *)&val,
sizeof(one));<br>
+ }<br>
+<br>
+ <br>
<br>
#if defined(SOL_IPV6) && defined(IPV6_V6ONLY)<br>
if(sa->sa.sa_family == AF_INET6)<br>
@@ -184,6 +213,7 @@<br>
int nfd;<br>
char *addrstr;<br>
int option;<br>
+ int one = 1;<br>
<br>
nfd = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);<br>
<br>
@@ -221,6 +251,9 @@<br>
option = 1;<br>
setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, (void
*)&option, sizeof(option));<br>
setsockopt(nfd, SOL_SOCKET, SO_BROADCAST, (void
*)&option, sizeof(option));<br>
+ <br>
+ option = mark;<br>
+ setsockopt(nfd, SOL_SOCKET, SO_MARK, (void *)&option,
sizeof(one));<br>
<br>
if(udp_rcvbuf && setsockopt(nfd, SOL_SOCKET,
SO_RCVBUF, (void *)&udp_rcvbuf, sizeof(udp_rcvbuf)))<br>
logger(LOG_WARNING, "Can't set UDP SO_RCVBUF to %i: %s",
udp_rcvbuf, strerror(errno));<br>
diff -ur tinc-1.0.28-orig/src/tincd.c tinc-1.0.28/src/tincd.c<br>
--- tinc-1.0.28-orig/src/tincd.c 2016-04-09 15:41:35.000000000
+0200<br>
+++ tinc-1.0.28/src/tincd.c 2016-10-10 18:36:21.402842391 +0200<br>
@@ -82,6 +82,9 @@<br>
/* If nonzero, generate public/private keypair for this host/net.
*/<br>
int generate_keys = 0;<br>
<br>
+/* If nonzero, generate public/private keypair for this host/net.
*/<br>
+int mark = 0;<br>
+<br>
/* If nonzero, use null ciphers and skip all key exchanges. */<br>
bool bypass_security = false;<br>
<br>
@@ -120,6 +123,7 @@<br>
{"logfile", optional_argument, NULL, 4},<br>
{"pidfile", required_argument, NULL, 5},<br>
{"option", required_argument, NULL, 'o'},<br>
+ {"mark", required_argument, NULL, 'm'},<br>
{NULL, 0, NULL, 0}<br>
};<br>
<br>
@@ -147,6 +151,7 @@<br>
" -o, --option=[HOST.]KEY=VALUE Set global/host
configuration value.\n"<br>
" -R, --chroot chroot to NET
dir at startup.\n"<br>
" -U, --user=USER setuid to given
USER at startup.\n"<br>
+ " -m, --mark=MARK mark to address
several output ip.\n"<br>
" --help Display this
help and exit.\n"<br>
" --version Output version
information and exit.\n\n");<br>
printf("Report bugs to <a class="moz-txt-link-abbreviated" href="mailto:tinc@tinc-vpn.org.\n">tinc@tinc-vpn.org.\n</a>");<br>
@@ -161,7 +166,7 @@<br>
<br>
cmdline_conf = list_alloc((list_action_t)free_config);<br>
<br>
- while((r = getopt_long(argc, argv, "c:DLd::k::n:o:K::RU:",
long_options, &option_index)) != EOF) {<br>
+ while((r = getopt_long(argc, argv, "c:DLd::k::n:o:K::RU:m:",
long_options, &option_index)) != EOF) {<br>
switch (r) {<br>
case 0: /* long option */<br>
break;<br>
@@ -197,6 +202,16 @@<br>
debug_level++;<br>
break;<br>
<br>
+ case 'm': /* increase
debug level */<br>
+ if(!optarg && optind <
argc && *argv[optind] != '-')<br>
+ optarg = argv[optind++];<br>
+ if(optarg)<br>
+ mark = atoi(optarg);<br>
+ else<br>
+ mark = 0;<br>
+ break;<br>
+<br>
+<br>
case 'k': /* kill old tincds */<br>
#ifndef HAVE_MINGW<br>
if(!optarg && optind < argc &&
*argv[optind] != '-')<br>
<br>
</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">Le 06/10/2016 à 14:11, Guus Sliepen a
écrit :<br>
</div>
<blockquote cite="mid:20161006121145.GK4585@sliepen.org" type="cite">
<pre wrap="">On Wed, Oct 05, 2016 at 07:27:54PM +0200, Olivier Tirat wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I'd like to mark all sockets established by a tincd process with a mark
passed as an argument in the command line.
</pre>
</blockquote>
<pre wrap="">[...]
</pre>
<blockquote type="cite">
<pre wrap="">Do you think its something interesting?
Do you think its a hard work to do?
If not i could probably try to do it and propose a patch for that if you
think it is interesting.
</pre>
</blockquote>
<pre wrap="">
I think it is relatively easy to do. There are two places in
src/net_socket.c where you would have to call setsockopt() with the
SO_MARK option: configure_tcp() and setup_vpn_in_socket(). The first one
is run for all incoming and outgoing TCP sockets, the second one sets up
the UDP sockets.
Try it out and see if it really allows you to do the mark-based routing
you want. If it works, you can submit a patch or pull request.
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
tinc mailing list
<a class="moz-txt-link-abbreviated" href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a>
<a class="moz-txt-link-freetext" href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc">https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a>
</pre>
</blockquote>
<br>
<br /><br />
<hr style='border:none; color:#909090; background-color:#B0B0B0; height: 1px; width: 99%;' />
<table style='border-collapse:collapse;border:none;'>
<tr>
<td style='border:none;padding:0px 15px 0px 8px'>
<a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient">
<img border=0 src="http://static.avast.com/emails/avast-mail-stamp.png" alt="Avast logo" />
</a>
</td>
<td>
<p style='color:#3d4d5a; font-family:"Calibri","Verdana","Arial","Helvetica"; font-size:12pt;'>
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
<br><a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient">www.avast.com</a>
</p>
</td>
</tr>
</table>
<br />
</body>
</html>