option

services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in_sa

Whether to set mark_in on the inbound SA. By default, the inbound mark is only set on the inbound policy. The tuple of destination address, protocol and SPI is unique, so the mark is not required to find the correct SA; this allows traffic to be marked after decryption instead (where more specific selectors may be used) to match different policies. Marking packets before decryption is still possible, even if no mark is set on the SA.

StrongSwan default: false.

Type
null or boolean
Default
null