strongSwan

Where is the question? In that thread? It's not my thread.

The architecture of OpenWrt is:

root@router:~# uname -a
Linux router 4.1.11 #4 Thu Nov 19 22:13:40 CET 2015 mips n

Where is the question? In that thread? It's not my thread.

Yes. Martin asked the original poster whether his kernel supports the MARK target and the udp/esp matches.

Linux router 4.1.11 #4 Thu Nov 19 22:13:40 CET 2015 mips n

He also mentioned that he only tested it on x86/x64 and that it could be an issue with the architecture. Since you are running on MIPS (big-endian) it could be an endianness or an alignment issue.

right, and how can we proceed further?
i enabled my kernel to support MARK.

It's an alignment issue. Each of the stucts in struct ipt should be sized XT_ALIGN(sizeof).
I don't think this can be achieved with static structs.

I have test-tried 2 approaches:
- use existing struct ipt, but then memcpy each member into dynamically allocated memory at the proper (aligned) offset (& fixing _size and _offset)
- allocate dynamic struct *ipt and build it with pointers

In both cases the rules load into OpenWRT Strongswan, but I must have missed something as the best I can get is:

57  8083 CONNMARK   all  --  *      *       84.xx.xx.xx        89.xx.xx.xx       policy match dir in pol ipsec spi 0xc09484c2[16 bytes of unknown target data]
64  7143 CONNMARK   all  --  *      *       89.xx.xx.xx        84.xx.xx.xx       [16 bytes of unknown target data]

(the PREROUTING rule seems ok though...)

i still get the error

Sun Nov 29 03:35:31 2015 authpriv.info : 08[IKE] CHILD_SA ikev2-pubkey{1} established with SPIs ceb33618_i 670c4770_o and TS 192.168.1.0/24 239.255.255.250/32 === 192.168.1.239/32 239.255.255.250/32
Sun Nov 29 03:35:31 2015 daemon.info : 08[CFG] forecast iptables commit failed: Invalid argument
Sun Nov 29 03:35:31 2015 local0.notice vpn: + C=DE, O=docmax-net, CN=aquarism5.docmax-net.docmax.net 192.168.1.239/32 2.204.165.202 -- 78.53.156.170 192.168.1.0/24

There are 2 plugins that use similar code: forecast & connmark. Connmark was apparently based from the forecast plugin code as it prints out exactly the same error message: forecast iptables commit failed (in connmark_listener.c). I was testing connmark plugin and found this report and only later noticed there is another plugin with the same problem :-)

The above patch fixes the connmark plugin. Forecast plugin can be fixed in the same way, with just a few modifications to the above patch.
I can prepare it, if the solution is acceptable.

yes i noticed this, too. but i don't have the skills to do it. so please provide a patch for forecast.
thx!!

thank you, it works

Could you please try the patches in the 1212-ipt-alignment branch.

Connmark plugin from the 1212-ipt-alignment branch works for me on mips Openwrt.