option

services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_out

Netfilter mark and mask for output traffic. On Linux, the kernel's IPsec (XFRM) policies and SAs can carry a mark; when one is set, only packets whose Netfilter mark matches (under the mask) use that policy/SA. This allows installing otherwise duplicate policies (same traffic selectors) and lets Netfilter rules choose which policy/SA outgoing traffic uses by setting the packet mark. The special value %unique assigns a unique mark to each CHILD_SA instance; %unique-dir goes further and assigns a different unique mark for each direction (in/out) of each CHILD_SA.

An additional mask may be appended to the mark, separated by /. If the mask is omitted it defaults to 0xffffffff, i.e. all 32 bits of the packet mark must equal the configured value.
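As an added example (not part of the original page or the strongSwan/NixOS documentation), the following NixOS configuration installs two CHILD_SAs with identical traffic selectors, which is only possible because they carry different marks, and uses iptables mangle rules to steer SSH through one SA and everything else through the other. Connection names, addresses, subnets and the mark values 0x2a/0x2b are assumptions; the secret is a placeholder.

```nix
{ config, ... }:
{
  services.strongswan-swanctl = {
    enable = true;

    swanctl.connections.site-b = {
      remote_addrs = [ "203.0.113.10" ];           # assumed peer address
      local.main  = { auth = "psk"; id = "site-a"; };
      remote.main = { auth = "psk"; id = "site-b"; };

      children = {
        # Default SA: only packets whose low mark byte is 0x2a match it.
        bulk = {
          local_ts  = [ "10.1.0.0/16" ];
          remote_ts = [ "10.2.0.0/16" ];
          mark_out = "0x2a/0xff";                   # mark/mask, mask limits the match to 8 bits
          mark_in  = "0x2a/0xff";
        };
        # Same selectors as "bulk": a duplicate policy that the kernel
        # accepts because its mark differs.
        interactive = {
          local_ts  = [ "10.1.0.0/16" ];
          remote_ts = [ "10.2.0.0/16" ];
          mark_out = "0x2b/0xff";
          mark_in  = "0x2b/0xff";
        };
      };
    };

    swanctl.secrets.ike.site-b = {
      id.main = "site-b";
      secret  = "replace-with-a-real-psk";          # placeholder, not a real value
    };
  };

  # Netfilter decides which SA outgoing packets use by setting the mark.
  # MARK is non-terminating, so the catch-all rule only touches packets
  # that are still unmarked in the low byte.
  networking.firewall.extraCommands = ''
    iptables -t mangle -A OUTPUT -d 10.2.0.0/16 -p tcp --dport 22 \
      -j MARK --set-xmark 0x2b/0xff
    iptables -t mangle -A OUTPUT -d 10.2.0.0/16 -m mark --mark 0x0/0xff \
      -j MARK --set-xmark 0x2a/0xff
  '';
}
```

Packets to 10.2.0.0/16 that carry no matching mark (for example when the mangle rules are missing) will not match either policy and leave the host in clear text unless a separate drop policy or firewall rule prevents it, so check the output of swanctl --list-sas and ip xfrm policy after activating such a configuration.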

StrongSwan default: "0/0x00000000" (a zero mask, so no mark bits are compared and the policy/SA matches traffic regardless of its mark)