On Sun, 2005-03-20 at 13:22, Patrick McHardy wrote:

Ludo Stellingwerff wrote:

quoted

I'm hoping that using the fwmark as a selector can provide a workable
solution for both mine and Lennert's problem, any many more related
situations. Netfilter has a (almost) complete range of selectors.
e.g. Lennerts problem could be solved using a combination of the
"realm" match of iptables, in combination with a fwmark for SPD matching.

Routing of local packets is done before the first netfilter hook
is called, but I forgot about ip_route_me_harder(). So you're right,
the realm can be translated to nfmark values using iptables.

BTW, is there any reason the SPD couldnt have been implemented from day
one using netfilter classification ? Why did we need another speacilized
classifier? the actions are clearly implementable as targets.

cheers,
jamal