Re: Fwd: Can Netfilter "mark" be used with setkey spdadd?


On Thursday 2010-06-17 03:24, Ajay Lele wrote:
>>>
>>>I am working on a VPN solution where packets entering the Linux box are
>>>manipulated using IPTables rules (SNAT, DNAT etc.). The nature of this
>>>manipulation is such that packets destined for different sites end up
>>>getting the same src/dst IP address when they reach the Netfilter
>>>POSTROUTING chain. However, a different "mark" is set using the
>>>IPTables mark target, by which packets destined for different sites can
>>>be distinguished from one another. Is there a way I can use this mark
>>>value while creating a security policy using setkey spdadd so that
>>>packets are sent over their respective tunnels (tunnels are created
>>>manually)?
>>
>> A packet can be marked when it enters the machine and retains the
>> mark as long as it exists, even across transformation.
>
>Thanks for the info, Jan. What I am specifically looking for is
>whether the Netfilter "mark" value on the outgoing packet can be used to
>influence which tunnel the packet is forwarded on. I know it is more a
>question for the ipsec-tools folks, but I am trying my luck here as nobody
>replied on their mailing list.

Sounds like you found a missing feature. I certainly did not find
any mention of mark or realm in `ip xfrm policy help`.
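To make the problem in this thread concrete, here is a small model of how a security policy database (SPD) selects a policy by its selector fields. It is an added illustration written for this page, not code from the thread, ipsec-tools or the kernel: the `Packet`/`Policy` classes, the sample addresses and mark values are all constructed, and the optional `mark` selector field is hypothetical, modelling the feature the reply says `setkey spdadd` and `ip xfrm policy` do not offer. It shows why, after SNAT/DNAT, two flows that share src/dst collapse onto one tunnel policy, and how a mark-aware selector would separate them.

```python
# Added example, not from the original thread: a toy SPD lookup that
# matches on src/dst/proto the way setkey spdadd selectors do, with a
# hypothetical extra "mark" selector field for comparison.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    mark: int  # nfmark set by the iptables MARK target; survives NAT


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    proto: str            # "any" or a protocol name, as in spdadd
    tunnel: str           # which manually created tunnel (SA) to use
    mark: Optional[int] = None  # hypothetical; None means "not a selector"


def matches(pol: Policy, pkt: Packet) -> bool:
    """True when the packet falls inside the policy's selector."""
    if (pol.src, pol.dst) != (pkt.src, pkt.dst):
        return False
    if pol.proto != "any" and pol.proto != pkt.proto:
        return False
    if pol.mark is not None and pol.mark != pkt.mark:
        return False
    return True


def lookup(spd: List[Policy], pkt: Packet) -> Optional[str]:
    """First matching policy wins, as with an ordered SPD; None = no policy."""
    for pol in spd:
        if matches(pol, pkt):
            return pol.tunnel
    return None


# Constructed sample: after SNAT/DNAT both flows reach POSTROUTING with the
# same src/dst, and only the mark tells them apart.
PKT_SITE_A = Packet("10.0.0.1", "192.0.2.1", "tcp", mark=1)
PKT_SITE_B = Packet("10.0.0.1", "192.0.2.1", "tcp", mark=2)

# What setkey spdadd can express: selectors without a mark. Whichever policy
# comes first catches both flows, so site B's traffic ends up on tunnel A.
SPD_SETKEY = [
    Policy("10.0.0.1", "192.0.2.1", "any", tunnel="site-a"),
    Policy("10.0.0.1", "192.0.2.1", "any", tunnel="site-b"),  # never reached
]

# Hypothetical mark-aware selectors (the missing feature from the thread).
SPD_MARK_AWARE = [
    Policy("10.0.0.1", "192.0.2.1", "any", tunnel="site-a", mark=1),
    Policy("10.0.0.1", "192.0.2.1", "any", tunnel="site-b", mark=2),
]


def demo() -> dict:
    """Return the tunnel chosen for each flow under both SPD models."""
    return {
        "setkey_a": lookup(SPD_SETKEY, PKT_SITE_A),
        "setkey_b": lookup(SPD_SETKEY, PKT_SITE_B),
        "mark_a": lookup(SPD_MARK_AWARE, PKT_SITE_A),
        "mark_b": lookup(SPD_MARK_AWARE, PKT_SITE_B),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The second policy in `SPD_SETKEY` is unreachable because its selector is identical to the first: that collision is exactly the situation the original poster describes, and no ordering of `spdadd` entries fixes it without a selector field that differs between the two flows.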