Ludo Stellingwerff wrote:

I'm hoping that using the fwmark as a selector can provide a workable
solution for both mine and Lennert's problem, any many more related
situations. Netfilter has a (almost) complete range of selectors.
e.g. Lennerts problem could be solved using a combination of the
"realm" match of iptables, in combination with a fwmark for SPD matching.

Routing of local packets is done before the first netfilter hook
is called, but I forgot about ip_route_me_harder(). So you're right,
the realm can be translated to nfmark values using iptables.

Regards
Patrick