[Swan] Connection tracking
mx2927 at gmail.com
Mon Feb 14 19:04:40 EET 2022
Following up on a question that was probably too compact.
man ipsec.conf says that if mark=... is set, the mark "can be used with
iptables to create custom iptables rules using CONNMARK".
I'm pretty new to connection tracking, however I believe the first
question is: does this work with nftables?
The second question is: which conntrack metadata is set by libreswan in
nftables? Is it "ct mark"?
Thanks in advance for any hint.
On 2/13/2022 3:11 AM, Manfred wrote:
> Hi all,
> I'm having trouble with the mark=... option.
> ipsec accepts it nicely, but I can't match packets in the firewall
> rules; also I can't find the mark in /proc/net/nf_conntrack
> Thanks in advance for any hint.
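For readers following this thread, here is an added example (not part of the original mail and not from the libreswan project) showing how the iptables CONNMARK idioms named in the ipsec.conf man page map onto nftables. It assumes a connection configured with mark=0x10/0xffffffff (a placeholder value chosen for the example) and that packets belonging to that tunnel arrive with packet mark 0x10 already set; it makes no claim about how libreswan or the kernel applies the XFRM mark to packets. The table name ipsec_marks and the log prefix are also assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread or from libreswan.
# Placeholder: the value given to mark= in ipsec.conf.
define IPSEC_MARK = 0x10

table inet ipsec_marks {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        # iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
        # (copy a previously saved conntrack mark back onto the packet)
        ct mark != 0 meta mark set ct mark
    }

    chain output {
        type filter hook output priority -150; policy accept;
        # same restore for locally generated packets
        ct mark != 0 meta mark set ct mark
    }

    chain postrouting {
        type filter hook postrouting priority -150; policy accept;
        # iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
        # (persist the packet mark into the connection's conntrack entry)
        meta mark != 0 ct mark set meta mark
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # iptables -A INPUT -m connmark --mark 0x10 ... : match the conntrack mark
        ct mark $IPSEC_MARK counter log prefix "ipsec-ct-mark: " accept
        # iptables -A INPUT -m mark --mark 0x10 ... : match the packet mark
        meta mark $IPSEC_MARK counter accept
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`; the counters on the two input rules tell you whether packets are being seen with the packet mark, the conntrack mark, or neither. The conntrack mark set this way is the same field shown as `mark=` in /proc/net/nf_conntrack and selectable with `conntrack -L --mark 0x10`, which is a quick way to confirm whether the save step is actually taking effect for the tunnel's flows.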