simple tunnel with packet marking
Hi all,
I've created the udp tunnel using tun device and it works fine.
I have the following situation:
1. the encapsulated packet is read from the udp socket
2. the data of the packet is written using the file descriptor associated with the tun device
3. the decapsulated packet appears in the system via the tun device
The question is:
how to write the packet in step 2, or what to do, to see the packet in step 3 as a "marked" one (to use as the selector in an iptables -m mark --mark ... rule)?
Some insights:
Iptables rules are static ones, so they don't work for me.
Iptables marks (or doesn't mark) packets depending on a fixed set of parameters.
My question concerns the situation when it is my (tunneling) program which dynamically decides to set or not to set a mark for each packet currently being decapsulated.
In other words, I am looking for something similar to the nfq_set_verdict_mark() function existing in the libnetfilter_queue library, but without the necessity of using this library.
The packet I want (or don't want) to mark is "in my hand", i.e. in user space at the moment of de-tunnelling. So that would be the best place to decide about the packet mark value.
With libnetfilter_queue additional kernel <---> userspace packet copying takes place.
Therefore libnetfilter_queue is a solution, but not a cost-effective one.
This is the issue of my question.
Last edited by colucix; 04-06-2014 at 07:54 AM.
Reason: Adjusted merged posts