[strongSwan] marks on decrypted packets

Noel Kuntze noel at familie-kuntze.de
Mon Mar 23 19:06:22 CET 2015


Hello,

Marks which are applied to the ESP packet transfer over to the decrypted packet.
You can leverage this by using the policy module to find what ESP packets belong
to what tunnel and marking them accordingly.
E.g.: iptables -t mangle -I INPUT -m policy --pol ipsec --dir in --reqid 42 -j MARK --set-mark 0xf00

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 23.03.2015 at 19:03, SM K wrote:
> Hi,
>
> If I had two tunnels to my strongSwan server, is there a way to distinguish the packets coming out decrypted from the two tunnels via fw marks? I would like to handle the traffic coming out of the two (or more) tunnels differently in my netfilter hooks. Is there anything in the sk_buff?
>
> regards,
> sk

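Added example, not part of the message above and not strongSwan's own code: the rule from the reply, generalized to the "two (or more) tunnels" case in the question. The function name and the second pair (reqid 43, mark 0xf01) are hypothetical; the script only prints the commands, after checking that every tunnel gets a distinct, non-zero mark.

```sh
#!/bin/sh
# Added example (not from the original post). Prints, but does not run, one
# iptables command per tunnel, in the form shown in the post.

gen_tunnel_mark_rules() {
    seen_reqids=" "; seen_marks=" "; rules=""
    for spec in "$@"; do
        case "$spec" in
            *:*:*|:*|*:) echo "bad spec: $spec" >&2; return 1 ;;
            *:*) reqid=${spec%%:*}; mark=${spec#*:} ;;
            *) echo "bad spec: $spec" >&2; return 1 ;;
        esac
        # reqid: decimal, no leading zero (also rejects 0), at most 10 digits.
        case "$reqid" in
            ''|0*|*[!0-9]*|???????????*) echo "bad reqid: $reqid" >&2; return 1 ;;
        esac
        # mark: 0x followed by 1 to 8 hex digits (the fwmark is 32 bits wide).
        hex=${mark#0x}
        case "$mark" in 0x*) ;; *) hex="" ;; esac
        case "$hex" in
            ''|*[!0-9a-fA-F]*|?????????*) echo "bad mark: $mark" >&2; return 1 ;;
        esac
        val=$((0x$hex))
        # Mark 0 is what an unmarked packet carries, so it identifies nothing.
        if [ "$val" -eq 0 ]; then echo "mark must be non-zero" >&2; return 1; fi
        # Two tunnels sharing a reqid or a mark could not be told apart later.
        case "$seen_reqids" in *" $reqid "*) echo "duplicate reqid: $reqid" >&2; return 1 ;; esac
        case "$seen_marks" in *" $val "*) echo "duplicate mark: $mark" >&2; return 1 ;; esac
        seen_reqids="$seen_reqids$reqid "; seen_marks="$seen_marks$val "
        rules="${rules}iptables -t mangle -I INPUT -m policy --pol ipsec --dir in --reqid $reqid -j MARK --set-mark $(printf '0x%x' "$val")
"
    done
    # Emit only after every pair validated, so a bad pair yields no partial rule set.
    printf '%s' "$rules"
}

# Constructed sample: reqid 42 / 0xf00 from the post, plus a hypothetical second tunnel.
gen_tunnel_mark_rules 42:0xf00 43:0xf01
```

Later rules can then select each tunnel's decrypted traffic with `-m mark --mark <value>`.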


