From mboxrd@z Thu Jan  1 00:00:00 1970
From: Wang Jian <lark@linux.net.cn>
Subject: Re: bidirectional CONNMARK?
Date: Wed, 09 Mar 2005 13:49:14 +0800
Message-ID: <20050309134649.A565.LARK@linux.net.cn>
References: <20050309124806.A55C.LARK@linux.net.cn>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
To: netfilter-devel@lists.netfilter.org
In-Reply-To: <20050309124806.A55C.LARK@linux.net.cn>
List-Unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter-devel>,
	<mailto:netfilter-devel-request@lists.netfilter.org?subject=unsubscribe>
List-Archive: </pipermail/netfilter-devel>
List-Post: <mailto:netfilter-devel@lists.netfilter.org>
List-Help: <mailto:netfilter-devel-request@lists.netfilter.org?subject=help>
List-Subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter-devel>,
	<mailto:netfilter-devel-request@lists.netfilter.org?subject=subscribe>
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Hi Wang Jian,

Oops, I forget to mention that I remove -j RETURN rules for better
readability.

On Wed, 09 Mar 2005 13:26:19 +0800, Wang Jian <lark@linux.net.cn> wrote:

> Hi folks,
> 
> What is the CONNMARK's purpose? I think it is to reduce rule traversal,
> like this:
> 
> # iptables -A PREROUTING -t mangle \
>    -m connmark --mark 0xEF000000/0xFF000000 -j CONNMARK --restore-mark
> 
> # iptables -A PREROUTING -t mangle <matching rule 1-1> -j CONNMARK --set-mark 0xEF000001
> # iptables -A PREROUTING -t mangle <matching rule 1-2> -j CONNMARK --set-mark 0xEF000001
> # iptables -A PREROUTING -t mangle <matching rule 1-3> -j CONNMARK --set-mark 0xEF000001
> # iptables -A PREROUTING -t mangle <matching rule 2-1> -j CONNMARK --set-mark 0xEF000002
> # iptables -A PREROUTING -t mangle <matching rule 3-1> -j CONNMARK --set-mark 0xEF000003
> <snip a lot of rules>
> 
> But an issue occurs, when we want to set 2 different marks for a single
> session in two directions.
> 
> When doing QoS control as an router between two or more interfaces,
> bi-directional control is neccessary. Since nfmark is the most
> convenient way to classify packet, should we extend CONNMARK to support
> two marks?
> 
> Comment on this issue is welcome.
> 
> If it is a good idea, I will provide a patch for it.
> 
> 
> 
> 
> -- 
>   lark
> 



-- 
  lark