On Wed, 2005-01-19 at 01:44, Ludo Stellingwerff wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi All,
>
> I was wondering if someone has been working on and/or has a patch
> which implements the use of Netfilter Marks for ipsec spd matching
> under the linux kernel 2.6. This would be similar to the NetBSD
> "tagged" option of 'setkey':
>
> spdadd tagged "ssh" -P out esp/transport//require
>
> But then something like:
>
> ~ spdadd tagged 1 -P out esp/transport//require
> or spdadd mark 1 -P out esp/transport//require

this may not be "good enough" for what you need--but why not just
MARK the ESP packets in mangle PREROUTING, for later filtering:

  iptables -t mangle -A PREROUTING -p 50 -s $VPN_PEER_1 \
    -j MARK --set-mark 1

  iptables -A [INPUT|FORWARD] -m mark --mark 1 [...] -j ACCEPT

also--have a look at the "policy" match in POM, as i *think* it will
do what you want.

and finally--please don't cross-post--it's poor form.

-j

-- 
"Let us all bask in television's warm glowing warming glow."
    --The Simpsons
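The two approaches the reply suggests, written out as an added example that is not part of the original thread and not code posted by either participant. It wraps the MARK-on-ESP rules and the "policy" match (in patch-o-matic when this was written, in mainline iptables as xt_policy since) in shell functions so the generated rules can be previewed with IPT=echo before they touch a live firewall. The peer addresses, the mark value and the function names are constructed for the example; the post's own rules use a single $VPN_PEER_1 and mark 1.

```shell
#!/bin/sh
# Added example, not from the original thread. Wraps the two approaches "-j"
# suggests (MARK on the ESP packets, and the "policy" match) as functions.
# Run with no argument to preview the rules (IPT=echo); "./ipsec-rules.sh apply"
# runs real iptables. Peer addresses are constructed placeholders (RFC 5737).
case "${1:-preview}" in
    apply) IPT="${IPT:-iptables}" ;;
    *)     IPT=echo ;;
esac

VPN_PEERS="192.0.2.10 192.0.2.11"   # constructed sample peers, not real hosts
VPN_MARK=1

# Approach 1 (the post's suggestion): mark ESP (protocol 50) from each known
# peer in mangle/PREROUTING and accept on the mark in the filter table. Note
# this matches the still-encrypted outer packet; on its own it does not prove
# that the decrypted inner packet actually came out of an IPsec SA.
mark_esp_rules() {
    mark="$1"; shift
    for peer in "$@"; do
        $IPT -t mangle -A PREROUTING -p esp -s "$peer" -j MARK --set-mark "$mark"
    done
    $IPT -A INPUT   -m mark --mark "$mark" -j ACCEPT
    $IPT -A FORWARD -m mark --mark "$mark" -j ACCEPT
}

# Approach 2 (the "policy" match): matches on the xfrm policy the packet was
# decapsulated under, so it applies to the inner plaintext packet and can also
# drop cleartext from a peer that is required to use IPsec (--pol none).
# Transport mode is used here to mirror the setkey lines quoted above.
policy_rules() {
    for peer in "$@"; do
        # decrypted transport-mode ESP traffic from this peer: accept
        $IPT -A INPUT -s "$peer" -m policy --dir in --pol ipsec \
             --mode transport --proto esp -j ACCEPT
        # same peer arriving with no IPsec policy at all: drop, never fall through
        $IPT -A INPUT -s "$peer" -m policy --dir in --pol none -j DROP
    done
}

mark_esp_rules "$VPN_MARK" $VPN_PEERS
policy_rules $VPN_PEERS
```

The DROP on `--pol none` is the check a practitioner usually wants alongside the ACCEPT: without it, a peer whose SA has expired or whose setkey SPD entry is missing silently falls back to being filtered as ordinary cleartext.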