Hi,

I had posted to the LARTC (no response) with a question that is currently under discussion for 2.6 kernels ...

From the KPTD schema (below), can someone point out where IPsec encryption/decryption takes place in the diagram (2.4 kernels)?

From other posts, it appears that the metadata for the packet is maintained, i.e., if we mark the eth0/ESP packet in PREROUTING, that mark stays in the ipsec0 packet?

Many thanks,
Charles

                               Network
                       -----------+-----------
                                  |
                          +-------+------+
                          |    mangle    |
                          |  PREROUTING  | <- MARK REWRITE
                          +-------+------+
                                  |
                          +-------+------+
                          |      nat     |
                          |  PREROUTING  | <- DEST REWRITE
                          +-------+------+
                                  |
                          +-------+------+
                          |   ipchains   |
                          |    FILTER    |
                          +-------+------+
                                  |
                          +-------+------+
                          |     QOS      |
                          |   INGRESS    | <- controlled by tc
                          +-------+------+
                                  |
            packet is for +-------+------+ packet is for
            this address  |    INPUT     | another address
           +--------------+    ROUTING   +---------------+
           |              |    + PRDB    |               |
           |              +--------------+               |
   +-------+------+                                      |
   |    filter    |                                      |
   |    INPUT     |                                      |
   +-------+------+                                      |
           |                                             |
   +-------+------+                                      |
   |    Local     |                                      |
   |   Process    |                                      |
   +-------+------+                                      |
           |                                             |
   +-------+------+                                      |
   |    OUTPUT    |                              +-------+-------+
   |    ROUTING   |                              |    filter     |
   +-------+------+                              |    FORWARD    |
           |                                     +-------+-------+
   +-------+------+                                      |
   |    mangle    |                                      |
   |    OUTPUT    | MARK REWRITE                         |
   +-------+------+                                      |
           |                                             |
   +-------+------+                                      |
   |     nat      |                                      |
   |    OUTPUT    | DEST REWRITE                         |
   +-------+------+                                      |
           |                                             |
   +-------+------+                                      |
   |    filter    |                                      |
   |    OUTPUT    |                                      |
   +-------+------+                                      |
           |                                             |
           +----------------+       +--------------------+
                            |       |
                         +--+-------+---+
                         |   ipchains   |
                         |    FILTER    |
                         +-------+------+
                                 |
                         +-------+------+
                         |      nat     |
                         |  POSTROUTING | SOURCE REWRITE
                         +-------+------+
                                 |
                         +-------+------+
                         |     QOS      |
                         |    EGRESS    | <- controlled by tc
                         +-------+------+
                                 |
                      -----------+-----------
                              Network