> I'm intrigued by this. If the packets are encrypted with ESP as they go
> through PREROUTING, but you need to MARK them in order to recognise which
> ones they are by the time they hit the INPUT chain, at what point does the
> decryption occur? Does it mysteriously happen somewhere between the
> PREROUTING and INPUT chains? (If it does, I can see an awful lot more
> puzzled newbies asking questions here once 2.6 takes off....)

I have to guess so. I've no idea TBH where the packets actually go, but this definitely works for me. I'm more of a cook than a chef when it comes to netfilter.

I've tried looking around the source, but I'm pretty clueless, and the native ipsec doesn't seem to be documented at all. It's not even got a maintainer listed, and virtually nothing in linux/Documentation. (If anyone could point me in the right direction that would be great!)

It kind of makes sense, because without this we'd have no possibility of handling packets that came in via an IPSec tunnel separately.

Mark
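The rule set the thread is talking about, written out as an added example (not code posted by Mark or anyone else in the thread): ESP datagrams are tagged in mangle PREROUTING, and the INPUT chain matches on that tag after the kernel has decrypted them. It assumes an iptables with the MARK target and mark match, that mark value 0x1 is otherwise unused on the host, and a DRY_RUN switch (my own addition) that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread. Marks inbound ESP packets in
# mangle PREROUTING so that, once decrypted, the INPUT chain can distinguish
# traffic that arrived through the IPsec tunnel from cleartext traffic.
# Assumptions: iptables with MARK/mark support; mark 0x1 is free; DRY_RUN=1
# prints the rules instead of installing them (needs root otherwise).

IPT="${IPT:-iptables}"
ESP_MARK="${ESP_MARK:-0x1}"

# Either print a command (dry run) or execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install (or, with DRY_RUN=1, print) the two rules that make up the trick.
mark_esp_rules() {
    # Tag every incoming ESP datagram before the routing decision; the mark
    # is what survives into INPUT, since the ESP header is gone by then.
    run "$IPT" -t mangle -A PREROUTING -p esp -j MARK --set-mark "$ESP_MARK"
    # After decryption the inner packet reaches INPUT still carrying the
    # mark: accept only that, so cleartext packets fall through to the
    # host's ordinary INPUT policy instead of being treated as tunnel traffic.
    run "$IPT" -A INPUT -m mark --mark "$ESP_MARK" -j ACCEPT
    # Later iptables releases also offer an explicit match for this case
    # (-m policy --dir in --pol ipsec), which avoids relying on the mark.
}

# Show the rules when run directly; set DRY_RUN=0 to apply them for real.
if [ "${DRY_RUN:-1}" = "1" ]; then
    DRY_RUN=1 mark_esp_rules
else
    mark_esp_rules
fi
```

Check the effect with `iptables -t mangle -L PREROUTING -v` and `iptables -L INPUT -v`: the packet counters on the MARK rule and on the mark match should rise together when traffic flows through the tunnel.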