Another thing to look into perhaps is using (and possibly extending) the iptables 'policy' match as a selector when labeling packets. - James -- James Morris <jmorris at redhat.com>