Re: Fwd: Can Netfilter "mark" be used with setkey spdadd?

On Wed, Jun 16, 2010 at 11:21 AM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
> On Wednesday 2010-06-16 18:21, Ajay Lele wrote:
>>
>>I am working on a VPN solution where packets entering Linux box are
>>manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>>manipulation is such that packets destined for different sites end up
>>getting the same src/dst IP address when they reach the Netfilter
>>POSTROUTING chain. However a different "mark" is set using the
>>IPTables mark target by which packets destined for different sites can
>>be distinguished from one another. Is there a way I can use this mark
>>value while creating security policy using setkey spdadd so that
>>packets are sent over respective tunnels (tunnels are created
>>manually).
>
> A packet can be marked when it enters the machine and retains the
> mark as long as it exists, even across transformation.

Thanks for the info, Jan. What I am specifically looking for is
whether Netfilter "mark" value on the outgoing packet can be used to
influence which tunnel the packet is forwarded on. I know it is more a
question for ipsec-tools folks but trying my luck here as nobody
replied on their mailing list.

>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
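Added example, not code from either poster: one way to make the fwmark decide the tunnel is to install the outbound policies with iproute2's `ip xfrm policy` mark selector rather than with `setkey spdadd`, whose grammar has no mark field as far as I know. The two policies below carry the same post-NAT selector and differ only in mark and tunnel endpoint. All addresses, the interface name, the mark values and the original destination prefixes are constructed for the example; the script prints the commands by default (DRY_RUN=1) and only executes them when DRY_RUN=0 is set by root.

```shell
#!/bin/sh
# Added example: steer NAT-rewritten traffic into different IPsec tunnels
# by fwmark using the XFRM policy "mark" selector (iproute2 ip xfrm).
# Constructed assumptions: inner interface eth0; local tunnel endpoint
# 192.0.2.1; remote sites 198.51.100.1 and 198.51.100.2; after SNAT/DNAT
# both flows are 10.0.0.1 -> 10.0.0.2; marks 0x1/0x2 chosen per original
# destination prefix (172.16.1.0/24 and 172.16.2.0/24).
# DRY_RUN=1 (default) prints commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark by the *original* destination in mangle PREROUTING, i.e. before NAT
# rewrites the header and before the kernel's outbound policy lookup; a mark
# set only in POSTROUTING arrives too late to influence that lookup.
mark_rule() {
    # $1 = original destination prefix, $2 = mark value
    run iptables -t mangle -A PREROUTING -i eth0 -d "$1" -j MARK --set-mark "$2"
}

# One outbound policy per mark. The src/dst selector is identical for both,
# so the mark is the only thing that tells the two policies apart.
xfrm_policy() {
    # $1 = mark value, $2 = remote tunnel endpoint
    run ip xfrm policy add src 10.0.0.1/32 dst 10.0.0.2/32 dir out \
        mark "$1" mask 0xffffffff \
        tmpl src 192.0.2.1 dst "$2" proto esp mode tunnel
}

configure() {
    mark_rule 172.16.1.0/24 0x1
    mark_rule 172.16.2.0/24 0x2
    xfrm_policy 0x1 198.51.100.1
    xfrm_policy 0x2 198.51.100.2
}

configure
```

The SAs themselves can still be installed manually (with `setkey add` or `ip xfrm state add`); the policy template's tunnel endpoints select the right SA, and an SA created without a mark (mask 0) matches flows regardless of their mark. Check the result with `ip xfrm policy show` and confirm each policy lists its `mark`; if the policies show up without one, the kernel or iproute2 in use predates XFRM mark support and this approach will not work.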

