Hi Mohan,

> > What should work is to mark the packets in PREROUTING in the mangle
> > table and assign them to the classes you want based on the fwmark:
> Has anyone tested this? Does the mark get carried across
> encapsulations or is the packet context a new one on
> encapsulation?

Yes, I have tested this. The fwmark is preserved/copied to the encrypted packet. I've set up a test system using 4 virtual machines in a vmware environment to give me two ipsec routers and a separate client for each :-)

> I know that IPSec RFC says inner packet
> headers have to be copied to the outer header.
> Does that include the TOS byte too? Do not know what OpenSWAN
> does. If that were the case, assigning TOS prior to
> encapsulation and classifying by TOS at the device will work.

Openswan shouldn't come into the picture in this case: original poster isn't using the openswan ipsec stack (klips), just the userspace tools, so we're just dealing with the standard/in-kernel ipsec implementation. I haven't tried setting/classifying by tos - I'm happy with the fwmark method.

Bye,
Martin
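The fwmark method discussed in this message, sketched as an added example that is not part of the original post: cleartext packets are marked in PREROUTING of the mangle table on the IPsec router, and `fw` filters on the egress device place the resulting encrypted packets into HTB classes. The interface name, LAN subnet, rates, port and mark values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values: egress
# interface eth0, LAN clients in 192.168.1.0/24, a 1mbit uplink, and
# fwmarks 1 (interactive) and 2 (bulk).
# Prints the rule set by default; run with "apply" as root to install it.

WAN=${WAN:-eth0}                    # assumed device the ESP packets leave on
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed cleartext source network

# Step 1: mark forwarded cleartext packets before routing and the IPsec
# transform. PREROUTING only sees packets arriving from the clients;
# traffic generated on the router itself would need the OUTPUT chain.
mark_rules() {
    echo "iptables -t mangle -A PREROUTING -s $LAN_NET -p tcp --dport 22 -j MARK --set-mark 1"
    echo "iptables -t mangle -A PREROUTING -s $LAN_NET -m mark --mark 0 -j MARK --set-mark 2"
}

# Step 2: HTB classes on the egress device, selected by fwmark. On the wire
# these packets are ESP, so port-based tc matches no longer work, but the
# mark set in step 1 is still attached to the encrypted packet.
shaper_rules() {
    echo "tc qdisc add dev $WAN root handle 1: htb default 20"
    echo "tc class add dev $WAN parent 1: classid 1:1 htb rate 1mbit"
    echo "tc class add dev $WAN parent 1:1 classid 1:10 htb rate 600kbit ceil 1mbit prio 0"
    echo "tc class add dev $WAN parent 1:1 classid 1:20 htb rate 400kbit ceil 1mbit prio 1"
    echo "tc filter add dev $WAN parent 1: protocol ip prio 1 handle 1 fw flowid 1:10"
    echo "tc filter add dev $WAN parent 1: protocol ip prio 2 handle 2 fw flowid 1:20"
}

# Step 3: counters to read after sending test traffic through the tunnel.
verify_cmds() {
    echo "iptables -t mangle -L PREROUTING -v -n"
    echo "tc -s class show dev $WAN"
}

case "${1:-print}" in
    apply) { mark_rules; shaper_rules; } | sh -e ;;
    *)     mark_rules; shaper_rules; verify_cmds ;;
esac
```

If the per-class byte counters from `tc -s class show` rise for 1:10 while SSH traffic crosses the tunnel, the mark has survived encapsulation as described above.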