On Wed, Jan 19, 2005 at 07:56:52PM +0100, Ludo Stellingwerff wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thank for you reaction Jason,
> and sorry about the cross post, you're right, my mistake:(
>
> The question I raised was not about the filtering side, but about the
> policy match. What NetBSD is capable of is to use it's packetfilter
> for deciding ipsec policies, by using a "tag".
>
> In Linux terms this would mean that by using a firewall mark you could
> use the netfilter matching structure instead of the SPD internal matches.
>
> spdadd mark 1 -P out esp/transport//require
>
> This would read: All packages marked with firewall mark 1 should be
> encrypted and send on a transport mode ipsec connection.
>
> Does anyone know some sort of implementation doing this?
ah--i misunderstood what you were asking. i think your question is
probably better suited to the ipsec-tools list, as all you need
netfilter to do is set the mark, which it can already do.
-j
--
"It takes two to lie. One to lie and one to listen."
--The Simpsons
