services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in
Netfilter mark and mask for input traffic. On Linux, Netfilter may
require marks on each packet to match an SA/policy having that option
set. This allows installing duplicate policies and enables Netfilter
rules to select specific SAs/policies for incoming traffic. Note that,
by default, inbound marks are only set on policies unless
mark_in_sa is enabled. The special value
%unique sets a unique mark on each CHILD_SA instance;
beyond that, the value %unique-dir assigns a different
unique mark for each
An additional mask may be appended to the mark, separated by
/. The default mask if omitted is
0xffffffff.
StrongSwan default: "0/0x00000000"
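The mark/mask syntax described above, as an added example (not code from nixpkgs or strongSwan). It assumes the usual masked comparison, where a packet matches when its mark ANDed with the mask equals the configured value; the function names and sample packet marks are constructed for illustration.

```python
# Added example: models the "mark[/mask]" syntax of mark_in.
UNIQUE_KEYWORDS = ("%unique", "%unique-dir")
DEFAULT_MASK = 0xFFFFFFFF  # mask applied when "/mask" is omitted (per the text)


def parse_mark(spec):
    """Parse "mark[/mask]" into (value, mask).

    For %unique / %unique-dir the keyword itself is returned as the value,
    because the real mark is only assigned when the CHILD_SA is created.
    """
    mark_part, sep, mask_part = spec.strip().partition("/")
    mask = int(mask_part, 0) if sep else DEFAULT_MASK
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError(f"mask out of 32-bit range: {mask_part!r}")
    if mark_part in UNIQUE_KEYWORDS:
        return mark_part, mask
    value = int(mark_part, 0)  # accepts decimal and 0x-prefixed hex
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"mark out of 32-bit range: {mark_part!r}")
    # Assumption of this model: bits outside the mask are ignored.
    return value & mask, mask


def matches(packet_mark, spec):
    """True if a packet carrying packet_mark would select this SA/policy."""
    value, mask = parse_mark(spec)
    if isinstance(value, str):
        raise ValueError(f"{value} is resolved at runtime, not statically")
    return (packet_mark & mask) == value


if __name__ == "__main__":
    # Constructed sample marks, as a Netfilter MARK rule might set them.
    for spec in ("42", "42/0xff", "0/0x00000000"):
        for pkt in (0x0, 0x2A, 0x12A):
            print(f"mark_in={spec!r:16} packet={pkt:#06x} "
                  f"match={matches(pkt, spec)}")
```

The output shows that the StrongSwan default "0/0x00000000" matches every packet regardless of its mark, so a zero mask provides no selection between duplicate policies, while a bare "42" demands an exact 32-bit match.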
- Type
  null or string
- Default
  null
- Declared
  - <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>