Hi Patrick,

> > So it seems this has nothing to do with xfrm, but that the MARK target
> > has different effects when used in raw than in mangle. I was using raw
> > because I had to set conntrack zones too and it was more convenient to
> > do both in one place.
> >
> > Can one of the netfilter guys comment on this? Is using MARK in raw not
> > fully supported or has known deficiencies?
>
> No, the problem is most likely that for outgoing packets, the XFRM
> lookup is done with the route lookup before the packet is even sent,
> so once it hits the raw or mangle table, it is too late. mangle however
> performs rerouting when the mark value changes, at which point a new
> XFRM lookup is performed.

Ah, this would explain it. Thanks for the explanation. I'll just stick
with mangle for marking.

Kind regards,
Gerd

--
Address (better: trap) for people I really don't want to get mail from:
jonas@xxxxxxxxxxxxxxxxx
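The placement the thread settles on, as an added example that is not part of the original messages and not Gerd's or Patrick's actual ruleset: the conntrack zone assignment stays in the raw table (it has to happen before conntrack sees the packet), while the MARK that the XFRM policy keys on moves to mangle OUTPUT, where a mark change triggers rerouting and a fresh XFRM policy lookup. The "broken" variant keeps both targets in raw, the way the original question describes. The subnet, zone number, mark value and the tunnel endpoints in the xfrm policy are made-up placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows conntrack zone
# assignment in raw and MARK in mangle OUTPUT, beside the raw-only
# variant that the thread reports as not working. All addresses,
# the zone id and the mark value are placeholders chosen for illustration.

ZONE=7
MARK=0x10
SUBNET=10.20.0.0/24

# Variant that does not work: MARK and CT both in raw OUTPUT.
# The mark is set after the XFRM lookup already happened at route time,
# and raw does not reroute on a mark change, so an XFRM policy keyed on
# the mark is never consulted for these packets.
emit_broken_rules() {
    cat <<EOF
*raw
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d $SUBNET -j CT --zone $ZONE
-A OUTPUT -d $SUBNET -j MARK --set-mark $MARK
COMMIT
EOF
}

# Corrected variant: zone stays in raw, mark moves to mangle OUTPUT,
# where changing the mark reroutes the packet and redoes the XFRM lookup.
emit_fixed_rules() {
    cat <<EOF
*raw
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d $SUBNET -j CT --zone $ZONE
COMMIT
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d $SUBNET -j MARK --set-mark $MARK
COMMIT
EOF
}

# Print the table (raw or mangle) that holds the MARK rule in an
# iptables-restore ruleset read from stdin; used to check which variant
# a ruleset is before applying it.
mark_table() {
    awk '/^\*/ { tbl = substr($0, 2) } /-j MARK / { print tbl; exit }'
}

# Load the fixed ruleset and a matching outbound XFRM policy that selects
# on the mark. Needs root, iptables and iproute2; the tunnel endpoints
# (192.0.2.x, documentation range) are placeholders.
apply_fixed() {
    emit_fixed_rules | iptables-restore --noflush
    ip xfrm policy add dir out src 0.0.0.0/0 dst "$SUBNET" mark "$MARK" \
        tmpl src 192.0.2.1 dst 192.0.2.2 proto esp mode tunnel
}

if [ "${1:-}" = "apply" ]; then
    apply_fixed
else
    echo "# broken variant (MARK in $(emit_broken_rules | mark_table)):"
    emit_broken_rules
    echo "# fixed variant (MARK in $(emit_fixed_rules | mark_table)):"
    emit_fixed_rules
fi
```

Run without arguments to print both rulesets and see which table each puts the MARK rule in; run with `apply` as root to load the fixed ruleset and the xfrm policy. Note that the policy's `mark` selector only matches because the mangle OUTPUT rule changes the mark before the rerouting step; the same policy with the raw-table variant loaded never sees the marked packet.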