Netfilter mark and mask for input traffic. On Linux, Netfilter may require marks on each packet to match an SA/policy having that option set. This allows installing duplicate policies and enables Netfilter rules to select specific SAs/policies for incoming traffic. Note that inbound marks are only set on policies by default, unless mark_in_sa is enabled. The special value %unique sets a unique mark on each CHILD_SA instance; beyond that, the value %unique-dir assigns a different unique mark for each

An additional mask may be appended to the mark, separated by /. The default mask if omitted is 0xffffffff.
StrongSwan default: "0/0x00000000"
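As an added illustration (not strongSwan's own code), the following Python models how a mark_in value is parsed and how a packet's fwmark is compared against a policy's mark/mask to select an SA. The helper names parse_mark, matches and select_policy are hypothetical, and the comparison is modelled as (fwmark & mask) == (mark & mask), which is why the default 0/0x00000000 matches every packet.

```python
"""Model of strongSwan mark_in parsing and mark/mask policy selection.

Added example, not strongSwan code. A policy or SA carrying mark/mask is
selected for an inbound packet when (fwmark & mask) == (mark & mask).
"""
from dataclasses import dataclass
from typing import Dict, Optional

DEFAULT_MASK = 0xFFFFFFFF  # mask used when none is appended after "/"


@dataclass(frozen=True)
class Mark:
    value: Optional[int]          # None for %unique / %unique-dir (assigned per CHILD_SA)
    mask: int
    unique: Optional[str] = None  # "unique" or "unique-dir" when a special value was given


def parse_mark(text: str) -> Mark:
    """Parse 'mark[/mask]'; mark and mask may be decimal or 0x-prefixed hex."""
    base, _, mask_text = text.strip().partition("/")
    mask = int(mask_text, 0) if mask_text else DEFAULT_MASK
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError(f"mask out of 32-bit range: {mask_text}")
    if base in ("%unique", "%unique-dir"):
        return Mark(None, mask, base.lstrip("%"))
    value = int(base, 0)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"mark out of 32-bit range: {base}")
    return Mark(value, mask)


def matches(policy: Mark, packet_fwmark: int, assigned: Optional[int] = None) -> bool:
    """True if a packet carrying packet_fwmark selects this policy/SA.

    For %unique marks the value the daemon assigned to the CHILD_SA must be
    supplied, since the configuration itself carries no fixed number.
    """
    value = policy.value if policy.value is not None else assigned
    if value is None:
        raise ValueError("unique mark has not been assigned yet")
    return (packet_fwmark & policy.mask) == (value & policy.mask)


def select_policy(policies: Dict[str, Mark], packet_fwmark: int) -> Optional[str]:
    """Return the name of the first policy whose mark/mask matches the packet."""
    for name, mark in policies.items():
        if matches(mark, packet_fwmark):
            return name
    return None
```

With several duplicate policies installed, only the one whose mark/mask agrees with the fwmark set by a Netfilter rule is chosen, while a 0/0x00000000 policy acts as a catch-all.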
Type: null or string
Default: null