services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in_sa
Whether to set mark_in on the inbound SA. By default,
the inbound mark is set only on the inbound policy. The tuple of destination
address, protocol and SPI is unique, so the mark is not required to find
the correct SA. This allows traffic to be marked after decryption instead
(where more specific selectors may be used) to match different policies.
Marking packets before decryption is still possible, even if no mark is set
on the SA.
StrongSwan default: false
- Type: null or boolean
- Default: null
- Declared: <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
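
The following is an added example, not part of the nixpkgs module documentation, showing the option next to mark_in on two children of one connection. The connection name, child names, addresses and mark values are constructed for illustration.

```nix
{
  services.strongswan-swanctl = {
    enable = true;
    swanctl.connections."site-b" = {          # constructed connection name
      remote_addrs = [ "203.0.113.10" ];      # constructed peer (documentation range)
      children = {
        # Default behaviour: mark_in is applied to the inbound policy only.
        # The inbound SA is found by destination address, protocol and SPI,
        # so ESP packets need no mark before decryption and can be marked
        # after decryption to select this policy.
        lan = {
          local_ts   = [ "192.0.2.0/24" ];    # constructed traffic selectors
          remote_ts  = [ "198.51.100.0/24" ];
          mark_in    = "42";                  # constructed mark value
          mark_in_sa = false;                 # same as the strongSwan default
        };

        # mark_in_sa = true: the mark from mark_in is also set on the
        # inbound SA, so the ESP packet has to carry the mark before
        # decryption for the SA lookup to match.
        dmz = {
          local_ts   = [ "192.0.2.128/25" ];
          remote_ts  = [ "198.51.100.128/25" ];
          mark_in    = "43";
          mark_in_sa = true;
        };
      };
    };
  };
}
```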