-----BEGIN PGP SIGNED MESSAGE-----
Patrick McHardy wrote:
| Lennert Buytenhek wrote:
|> - I have no idea beforehand what the remote nexthop is going to
|> be. A1 might ordinarily send its traffic for site B to B1, but
|> if B1 fails it'll want to start using B2 instead, which would be
|> prevented by the SPD rule hardcoding the remote tunnel endpoint
|> to B1.
| Hmm .. sounds like using the routing realm in the selector would
| solve this while avoiding the GRE overhead.
| Regards Patrick
I'm hoping that using the fwmark as a selector can provide a workable
solution for both mine and Lennert's problem, and many more related
situations. Netfilter has an (almost) complete range of selectors.
E.g. Lennert's problem could be solved using a combination of the
"realm" match of iptables with a fwmark for SPD matching.
PS. On a side note: Wouldn't it be possible to have a netfilter target
stating that a transformation should be done?
V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
-----END PGP SIGNATURE-----