On Wednesday 2010-06-16 18:21, Ajay Lele wrote:
>
> I am working on a VPN solution where packets entering Linux box are
> manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
> manipulation is such that packets destined for different sites end up
> getting the same src/dst IP address when they reach the Netfilter
> POSTROUTING chain. However a different "mark" is set using the
> IPTables mark target by which packets destined for different sites can
> be distinguished from one another. Is there a way I can use this mark
> value while creating security policy using setkey spdadd so that
> packets are sent over respective tunnels (tunnels are created
> manually)?

A packet can be marked when it enters the machine and retains the mark
as long as it exists, even across transformation.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
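The setup described in the thread, as an added example that is not part of the original mail exchange: packets are marked in the mangle PREROUTING chain before NAT rewrites their addresses, the mark survives the SNAT/DNAT transformation, and an outbound IPsec policy that also matches on the mark steers each site's traffic into its own tunnel. The setkey(8) SPD syntax has no mark selector, so the mark-aware policy below uses iproute2's `ip xfrm policy ... mark` instead, which is a substitution for the setkey approach the question asks about and is an assumption of this example rather than something the thread states. The site subnets, mark values, post-NAT addresses and tunnel endpoints are constructed placeholders; the SAs themselves are assumed to be created manually, as the question says. By default the script only prints the commands; `APPLY=1` executes them (root and a kernel with XFRM mark support required).

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Marks packets per destination site before NAT, then selects the IPsec
# tunnel by (post-NAT src/dst, mark) using an XFRM output policy.
# Assumed: iproute2 "ip xfrm policy ... mark" (not setkey); all addresses,
# marks and endpoints below are constructed placeholders.

# Emit the two commands for one site.
# $1 site subnet (matched before NAT)   $2 fwmark value
# $3 post-NAT source address            $4 post-NAT destination address
# $5 local tunnel endpoint              $6 remote tunnel endpoint
site_policy() {
    site_subnet=$1 mark=$2 nat_src=$3 nat_dst=$4 local_ep=$5 remote_ep=$6
    printf '%s\n' \
      "iptables -t mangle -A PREROUTING -d $site_subnet -j MARK --set-mark $mark" \
      "ip xfrm policy add src $nat_src dst $nat_dst dir out mark $mark tmpl src $local_ep dst $remote_ep proto esp mode tunnel"
}

# Constructed sample: two sites whose packets carry identical post-NAT
# addresses (192.0.2.10 -> 192.0.2.20) but different marks, so the mark is
# the only thing that can pick the right tunnel.
gen_all() {
    site_policy 10.1.0.0/16 10 192.0.2.10 192.0.2.20 198.51.100.1 203.0.113.1
    site_policy 10.2.0.0/16 20 192.0.2.10 192.0.2.20 198.51.100.1 203.0.113.2
}

# Count the XFRM policy commands produced (used as a self-check).
policy_count() {
    gen_all | grep -c '^ip xfrm policy'
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_all | sh -e        # execute: needs root and XFRM mark support
else
    gen_all                # dry run: show what would be installed
fi
```

Marking in PREROUTING is what makes this work: the mark is attached to the skb before the nat table rewrites addresses, and the XFRM policy lookup on the output path sees both the rewritten src/dst and the unchanged mark. Without the `mark` selector both sites would collide on the same `src`/`dst` policy and share one tunnel.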