Netfilter mark applied to packets after the outbound IPsec SA processed them. This allows processing ESP packets differently than the original traffic (e.g. via policy routing).
An additional mask may be appended to the mark, separated by /. The default mask if omitted is 0xffffffff. The special value %same uses the value (but not the mask) from mark_out as mark value, which can be fixed, %unique_ or %unique-dir.
Setting marks in XFRM output is supported since Linux 4.14. Setting a mask requires at least Linux 4.19.
StrongSwan default: "0/0x00000000"
Declarations
Type
null or stringDefault
null