[Openswan Users]
Andy Gay
andy at andynet.net
Sun Jul 23 12:41:06 CEST 2006
On Sun, 2006-07-23 at 08:43 -0500, Greg Scott wrote:
> I
> think the netfilter guys had a way to mark incoming esp packets so they
> could be tested later on after reinjection.
Mark incoming ESP packets:
iptables -t mangle -A INPUT -i <interface> -p 50 -j MARK --set-mark 0x50
If the packet survives IPsec policy checks, it'll show up later with the
mark still intact. So you can use it for example to bypass INPUT rules:
iptables -A INPUT -i <interface> -m mark --mark 0x50 -j ACCEPT
For anyone who knows the Cisco PIX, this is similar to setting 'sysopt
connection permit-ipsec'.
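The two rules above, wrapped in a small POSIX shell helper as an added example (not from the original post): it validates the mark value and emits the mangle MARK rule and the filter ACCEPT rule for a given interface, so they can be reviewed before being piped to sh. It assumes iptables with the mangle table and the MARK/mark extensions, and a kernel that keeps the packet mark across IPsec decapsulation (which is what the post relies on).

```shell
#!/bin/sh
# Emit the ESP-marking rule pair for one outside interface.
# Usage: esp_mark_rules <interface> [mark]     (mark defaults to 0x50)
# Apply: esp_mark_rules eth0 0x50 | sh
esp_mark_rules() {
    iface="$1"
    mark="${2:-0x50}"
    [ -n "$iface" ] || { echo "esp_mark_rules: interface required" >&2; return 1; }
    # Accept only a short hex constant (0x1 .. 0xffff); a typo here would
    # otherwise turn into a rule that matches nothing or far too much.
    hex="${mark#0x}"
    case "$hex" in
        "") echo "esp_mark_rules: bad mark '$mark'" >&2; return 1 ;;
        *[!0-9a-fA-F]*) echo "esp_mark_rules: bad mark '$mark'" >&2; return 1 ;;
    esac
    [ "$mark" != "$hex" ] && [ ${#hex} -le 4 ] \
        || { echo "esp_mark_rules: bad mark '$mark'" >&2; return 1; }
    # 1. Tag raw ESP (IP protocol 50) as it arrives on the outside interface.
    echo "iptables -t mangle -A INPUT -i $iface -p 50 -j MARK --set-mark $mark"
    # 2. After IPsec decapsulation the cleartext packet re-enters INPUT with the
    #    same mark; this rule lets it through. The raw ESP packet itself also
    #    matches here, since mangle runs before filter, so no separate -p 50
    #    ACCEPT is needed. Keep it tied to the interface so the mark cannot be
    #    borrowed by traffic arriving elsewhere.
    echo "iptables -A INPUT -i $iface -m mark --mark $mark -j ACCEPT"
}

# Number of rules produced; useful as a sanity check in scripts.
esp_mark_rule_count() {
    esp_mark_rules "$@" | wc -l | tr -d ' '
}

# To confirm the mark really survives decapsulation, watch the counters:
#   iptables -t mangle -L INPUT -v -x -n ; iptables -L INPUT -v -x -n
```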