From: Wang Jian <lark@linux.net.cn>
To: netfilter-devel@lists.netfilter.org
Subject: Re: bidirectional CONNMARK?
Date: Wed, 09 Mar 2005 16:30:13 +0800
Message-ID: <20050309161949.A568.LARK@linux.net.cn>
In-Reply-To: <20050309124806.A55C.LARK@linux.net.cn>

Hi,

I have figured out how to do it with CONNMARK. Using --mask, I can
choose bits to use.

My iptables 1.2.9 doesn't give a hint about the mask for --set-mark, --save-mark
and --restore-mark. I just read the code from HEAD and realized it.

I am happy. Thanks.

On Wed, 09 Mar 2005 13:26:19 +0800, Wang Jian <lark@linux.net.cn> wrote:

> Hi folks,
> 
> What is the CONNMARK's purpose? I think it is to reduce rule traversal,
> like this:
> 
> # iptables -A PREROUTING -t mangle \
>    -m connmark --mark 0xEF000000/0xFF000000 -j CONNMARK --restore-mark
> 
> # iptables -A PREROUTING -t mangle <matching rule 1-1> -j CONNMARK --set-mark 0xEF000001
> # iptables -A PREROUTING -t mangle <matching rule 1-2> -j CONNMARK --set-mark 0xEF000001
> # iptables -A PREROUTING -t mangle <matching rule 1-3> -j CONNMARK --set-mark 0xEF000001
> # iptables -A PREROUTING -t mangle <matching rule 2-1> -j CONNMARK --set-mark 0xEF000002
> # iptables -A PREROUTING -t mangle <matching rule 3-1> -j CONNMARK --set-mark 0xEF000003
> <snip a lot of rules>
> 
> But an issue occurs when we want to set 2 different marks for a single
> session in two directions.
> 
> When doing QoS control as a router between two or more interfaces,
> bi-directional control is necessary. Since nfmark is the most
> convenient way to classify packets, should we extend CONNMARK to support
> two marks?
> 
> Comments on this issue are welcome.
> 
> If it is a good idea, I will provide a patch for it.
> 
> 
> 
> 
> -- 
>   lark
> 



-- 
  lark
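
The masking approach described in this message, as an added example that is not part of the original post or of the netfilter code: a small Python model of how masked `--set-mark`, `--save-mark` and `--restore-mark` let one 32-bit connmark carry a separate mark per direction. The bit layout, the function names and the update rule `(old & ~mask) | (new & mask)` are assumptions made for illustration.

```python
FULL = 0xFFFFFFFF
# Constructed bit layout (an assumption, not from the original message):
ORIG_MASK = 0x0000FF00   # class for packets in the original direction
REPLY_MASK = 0x000000FF  # class for packets in the reply direction


def merge(old, new, mask):
    """Replace only the bits selected by mask; other bits are untouched."""
    return ((old & ~mask) | (new & mask)) & FULL


def set_mark(ctmark, value, mask=FULL):       # CONNMARK --set-mark value/mask
    return merge(ctmark, value, mask)


def save_mark(ctmark, nfmark, mask=FULL):     # CONNMARK --save-mark --mask mask
    return merge(ctmark, nfmark, mask)


def restore_mark(nfmark, ctmark, mask=FULL):  # CONNMARK --restore-mark --mask mask
    return merge(nfmark, ctmark, mask)


def classify_connection(orig_class, reply_class, use_mask=True):
    """First packet: store one class per direction in a fresh connmark."""
    omask, rmask = (ORIG_MASK, REPLY_MASK) if use_mask else (FULL, FULL)
    ct = set_mark(0, orig_class << 8, omask)
    # With FULL masks this second write covers all 32 bits and clobbers the first.
    return set_mark(ct, reply_class, rmask)


def packet_mark(ctmark, direction, nfmark=0):
    """Later packets: restore only the field for this packet's direction."""
    mask = ORIG_MASK if direction == "original" else REPLY_MASK
    return restore_mark(nfmark, ctmark, mask)


if __name__ == "__main__":
    ct = classify_connection(0x12, 0x34)
    print(f"connmark {ct:#010x}: original {packet_mark(ct, 'original'):#010x}, "
          f"reply {packet_mark(ct, 'reply'):#010x}")
    print(f"unmasked connmark {classify_connection(0x12, 0x34, False):#010x}")
```

The unmasked run shows the problem raised in the quoted message: the second full-width write replaces the first, so only one direction's class survives.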
