Hi,

How does 2.5.* ipsec and netfilter interact? I guess this way, but I'm not sure:

    (encrypted) network card -> routing -> INPUT -> decrypt
    (decrypted) ipsec -> routing -> INPUT/FORWARD

A normal packet is processed this way:

    ipsec -> routing -> INPUT/FORWARD

The first is easy to see: proto 50 or 51 (or udp port 500 for ike). But how can I see whether an unencrypted packet came in unencrypted or came in encrypted via ipsec?

With freeswan I could match -i ipsec0, but with kernel 2.5.* there is no ipsec0 device. What shall I use instead? fwmark?

Thanks for your help.

Regards,
Andreas