On Wed, Jun 16, 2010 at 11:21 AM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
> On Wednesday 2010-06-16 18:21, Ajay Lele wrote:
>>
>> I am working on a VPN solution where packets entering a Linux box are
>> manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>> manipulation is such that packets destined for different sites end up
>> getting the same src/dst IP address when they reach the Netfilter
>> POSTROUTING chain. However, a different "mark" is set using the
>> IPTables mark target, by which packets destined for different sites can
>> be distinguished from one another. Is there a way I can use this mark
>> value while creating a security policy using setkey spdadd, so that
>> packets are sent over their respective tunnels (the tunnels are created
>> manually)?
>
> A packet can be marked when it enters the machine and retains the
> mark as long as it exists, even across transformation.

Thanks for the info, Jan. What I am specifically looking for is whether the
Netfilter "mark" value on the outgoing packet can be used to influence which
tunnel the packet is forwarded on. I know it is more a question for the
ipsec-tools folks, but I am trying my luck here as nobody replied on their
mailing list.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
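Added example, not part of the thread and not written by either poster: the scenario above (all sites share one src/dst after NAT, only the mark differs) expressed with iproute2's `ip xfrm` instead of setkey. `ip xfrm state add` and `ip xfrm policy add` both accept `mark MARK [mask MASK]` (kernel 2.6.34 or later), and setkey's spdadd has no mark keyword, which is the assumption this script rests on. The mark is set in mangle PREROUTING, before nat PREROUTING rewrites the destination, so the rule still sees the original site prefix. Addresses, site prefixes, SPIs, keys and mark values are made-up placeholders; only the outbound SA and policy are shown, the inbound direction needs its own pair and is omitted.

```shell
#!/bin/sh
# Added example (not from the thread): pick one of two manually keyed IPsec
# tunnels by netfilter mark rather than by address, using iproute2 `ip xfrm`.
# Assumptions: kernel >= 2.6.34 (xfrm mark support), iproute2 with `mark`
# on state/policy. All addresses, SPIs, keys and marks are placeholders.
set -e

# Run a command, or only print it when DRY_RUN is set, so the generated
# configuration can be reviewed without root, a peer, or a real kernel.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_tunnel MARK SITE_NET LOCAL REMOTE SPI ENC_KEY AUTH_KEY
#   MARK     fwmark identifying this site (hex, e.g. 0x1)
#   SITE_NET original destination prefix, matched before DNAT rewrites it
#   LOCAL    our tunnel endpoint, REMOTE the peer's
#   SPI      outbound SPI; ENC_KEY 16-byte AES key, AUTH_KEY 20-byte SHA1 key
# The policy selector is deliberately 0.0.0.0/0 -> 0.0.0.0/0: after SNAT/DNAT
# every packet carries the same src/dst, so the mark is the only distinguisher
# and both the policy and the SA are keyed on it.
add_tunnel() {
    mark=$1; site_net=$2; local_ip=$3; remote_ip=$4
    spi=$5; enc_key=$6; auth_key=$7

    # 1. Tag the packet by its original destination, before nat/PREROUTING.
    run iptables -t mangle -A PREROUTING -d "$site_net" \
        -j MARK --set-mark "$mark"

    # 2. Outbound SA, matched by (dst, spi, proto) AND mark.
    run ip xfrm state add src "$local_ip" dst "$remote_ip" proto esp \
        spi "$spi" mode tunnel mark "$mark" \
        enc 'cbc(aes)' "$enc_key" auth 'hmac(sha1)' "$auth_key"

    # 3. Outbound policy selected by mark; its template names the SA above.
    run ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir out mark "$mark" \
        tmpl src "$local_ip" dst "$remote_ip" proto esp mode tunnel
}

# Two sites whose traffic is indistinguishable by address after NAT.
# Run as `sh tunnels.sh apply` to configure, or `DRY_RUN=1 sh tunnels.sh`
# to print the commands. Keys below are placeholders, not real keying material.
if [ "${1:-}" = apply ] || [ -n "${DRY_RUN:-}" ]; then
    add_tunnel 0x1 10.1.0.0/16 192.0.2.1 198.51.100.1 0x1001 \
        0x00112233445566778899aabbccddeeff \
        0x0102030405060708090a0b0c0d0e0f1011121314
    add_tunnel 0x2 10.2.0.0/16 192.0.2.1 203.0.113.1 0x1002 \
        0xffeeddccbbaa99887766554433221100 \
        0x1413121110 0f0e0d0c0b0a09080706050403020100
fi
```

The same mark must be present on both the `ip xfrm policy` entry and the `ip xfrm state` entry: the policy lookup chooses the template by mark, and the SA lookup then matches the mark again, so a policy with a mark pointing at an unmarked SA results in no matching SA rather than a fallback.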