[strongSwan] iptables -m policy match problem

Zesen Qian strongswan-users at riaqn.com
Wed Jan 28 11:01:27 CET 2015

Hello list,
I'm working on a router with xfrm policy ===, and
I'm trying to make the locally-generated packets be tunnelled too.
In the iptables -m policy matching, is there any way to use a specific IP
as the source IP of the packet, other than the original src of the packet?

iptables -t nat -A POSTROUTING -m policy --pol none --dir out --src= -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source

The incoming packet has src=, and I want to MASQUERADE only if
there is no policy that matches src=, otherwise I want to
SNAT the packet to

It would be good if we could swap these two rules, then we could check the policy
with the NAT-ed packet (which has src= However, it's impossible
since SNAT is a terminating target and the chain stops there.

Currently I write an updown script which is invoked every time a tunnel goes
up/down, to do some iptables stuff. If we know the tunnel is up/down,
it's of course easy to write iptables rules. But I'm wondering if
there are any cleaner solutions.

Any comment is appreciated.

Zesen Qian (钱泽森)
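As an added illustration of the updown approach described in the post above (example code, not part of the original message or of the strongSwan project), the script below inserts a destination-based SNAT rule when a tunnel comes up and deletes the identical rule when it goes down. Because the script already knows the tunnel state, it matches on the remote subnet rather than on `-m policy`, which avoids the ordering problem of the policy match only ever seeing the pre-NAT source address. It relies on the environment variables strongSwan exports to updown scripts (PLUTO_VERB and PLUTO_PEER_CLIENT); the SNAT_TO address and the subnets in the usage are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a strongSwan "updown" script that
# manages a tunnel-specific SNAT rule. Matching on the remote subnet (known to
# be reachable through the tunnel while it is up) replaces the "-m policy"
# match, which can only inspect the source address before NAT rewrites it.
#
# strongSwan passes PLUTO_VERB (up-client / down-client / ...) and
# PLUTO_PEER_CLIENT (the remote traffic selector) in the environment.
# SNAT_TO is a placeholder for the local address covered by the tunnel policy.

: "${IPTABLES:=iptables}"          # set IPTABLES=echo for a dry run
: "${SNAT_TO:=192.0.2.1}"          # placeholder address, assumed for this example

# Rule specification shared by insert and delete, so both operate on the
# identical rule. $1 = remote subnet, $2 = address to translate the source to.
snat_rule_spec() {
    printf '%s' "POSTROUTING -d $1 -j SNAT --to-source $2"
}

# Map the updown verb to an iptables action. -I places the tunnel rule ahead of
# a general MASQUERADE rule that was appended earlier; -D removes exactly it.
action_for_verb() {
    case $1 in
        up-client)   printf '%s' "-I" ;;
        down-client) printf '%s' "-D" ;;
        *)           return 1 ;;   # up-host, down-host, IPv6 variants: not handled here
    esac
}

# Build the complete command line: build_cmd VERB REMOTE_NET SNAT_ADDR
build_cmd() {
    action=$(action_for_verb "$1") || return 1
    printf '%s\n' "$IPTABLES -t nat $action $(snat_rule_spec "$2" "$3")"
}

# Execute the rule change for one updown event; silently ignore other verbs.
apply_rule() {
    cmd=$(build_cmd "$1" "$2" "$3") || return 0
    $cmd    # intentional word splitting: every field is a single token
}

# When run by charon, act on the current event; when sourced for testing, do nothing.
if [ -n "$PLUTO_VERB" ]; then
    apply_rule "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" "$SNAT_TO"
fi
```

Point `leftupdown` (or the `updown` script setting of the strongSwan version in use) at this file and keep the catch-all MASQUERADE rule appended to nat/POSTROUTING as usual; the inserted rule wins for tunnel traffic only while the tunnel is up.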
