option

services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_in

Netfilter mark applied to packets after the inbound IPsec SA has processed them. This makes it unnecessary to mark packets via Netfilter before decryption or right afterwards in order to match policies or process them differently (e.g. via policy routing).

An additional mask may be appended to the mark, separated by /. The default mask if omitted is 0xffffffff. The special value %same uses the value (but not the mask) from mark_in as mark value, which can be fixed, %unique or %unique-dir.

Setting marks in XFRM input requires Linux 4.19 or higher.

StrongSwan default: "0/0x00000000"
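The value/mask syntax described above, worked through as an added example (not strongSwan or NixOS code): it parses a set_mark_in string and computes the mark a packet would carry afterwards. The function names and the mark_in_value parameter are hypothetical, and the masked-update formula is an assumption about how the kernel applies the value.

```python
# Added illustration of the "value[/mask]" syntax of set_mark_in.
# Function names are hypothetical; sample values are constructed.

DEFAULT_MASK = 0xFFFFFFFF  # mask used when "/mask" is omitted
U32_MAX = 0xFFFFFFFF       # Netfilter marks are 32-bit


def parse_mark(spec, mark_in_value=None):
    """Parse 'value[/mask]' and return (value & mask, mask).

    '%same' takes the value, but not the mask, from mark_in. Because
    mark_in may be %unique or %unique-dir (allocated at runtime), the
    caller passes the resolved number as mark_in_value.
    """
    value_str, sep, mask_str = spec.strip().partition("/")
    mask = int(mask_str, 0) if sep else DEFAULT_MASK
    if value_str == "%same":
        if mark_in_value is None:
            raise ValueError("%same needs the resolved mark_in value")
        value = mark_in_value
    else:
        value = int(value_str, 0)  # accepts decimal and 0x-prefixed hex
    for number in (value, mask):
        if not 0 <= number <= U32_MAX:
            raise ValueError("mark and mask must fit in 32 bits")
    return value & mask, mask


def apply_set_mark(packet_mark, spec, mark_in_value=None):
    """Return the packet mark after inbound SA processing.

    Assumption: bits selected by the mask are replaced with the
    configured value, all other bits of the existing mark are kept.
    """
    value, mask = parse_mark(spec, mark_in_value)
    return (packet_mark & ~mask & U32_MAX) | value


if __name__ == "__main__":
    # The default "0/0x00000000" selects no bits, so the mark is untouched.
    print(hex(apply_set_mark(0x1234, "0/0x00000000")))
    # Only the low byte is rewritten; the upper bits survive.
    print(hex(apply_set_mark(0xABCD1234, "0x2a/0xff")))
    # %same reuses the mark_in value (constructed here as 0x107).
    print(hex(apply_set_mark(0xFF00, "%same/0xff", mark_in_value=0x107)))
```

Under that assumption, the StrongSwan default leaves packet marks unchanged, which is why the option has no effect until a non-zero mask (or a bare value, which implies 0xffffffff) is configured.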