From: Wang Jian
Subject: Re: bidirectional CONNMARK?
Date: Wed, 09 Mar 2005 16:30:13 +0800
Message-ID: <20050309161949.A568.LARK@linux.net.cn>
In-Reply-To: <20050309124806.A55C.LARK@linux.net.cn>
To: netfilter-devel@lists.netfilter.org

Hi,

I have figured out how to do it with CONNMARK. Using --mask, I can choose
bits to use.

My iptables 1.2.9 doesn't give a hint on the mask for --set-mark, --save-mark
and --restore-mark. I just read the code from HEAD and realized it.

I am happy. Thanks.

On Wed, 09 Mar 2005 13:26:19 +0800, Wang Jian wrote:

> Hi folks,
>
> What is the CONNMARK's purpose? I think it is to reduce rule traversal,
> like this:
>
> # iptables -A PREROUTING -t mangle \
>       -m connmark --mark 0xEF000000/0xFF000000 -j CONNMARK --restore-mark
>
> # iptables -A PREROUTING -t mangle -j CONNMARK --set-mark 0xEF000001
> # iptables -A PREROUTING -t mangle -j CONNMARK --set-mark 0xEF000001
> # iptables -A PREROUTING -t mangle -j CONNMARK --set-mark 0xEF000001
> # iptables -A PREROUTING -t mangle -j CONNMARK --set-mark 0xEF000002
> # iptables -A PREROUTING -t mangle -j CONNMARK --set-mark 0xEF000003
>
> But an issue occurs when we want to set 2 different marks for a single
> session in two directions.
>
> When doing QoS control as a router between two or more interfaces,
> bi-directional control is necessary. Since nfmark is the most
> convenient way to classify packets, should we extend CONNMARK to support
> two marks?
>
> Comments on this issue are welcome.
>
> If it is a good idea, I will provide a patch for it.
>
> --
> lark

--
lark
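The masked operations mentioned in the reply, modelled as bit arithmetic in an added Python example (not part of the original thread and not netfilter code). The bit layout (low byte for the original direction, next byte for the reply direction) and all function names are assumptions made for illustration.

```python
# Added example: masked CONNMARK operations modelled as plain bit arithmetic.
# Assumed layout: one connection mark holds two independent per-direction classes.
FWD_MASK = 0x000000FF   # class for packets in the original direction
REV_MASK = 0x0000FF00   # class for packets in the reply direction
ALL = 0xFFFFFFFF        # marks are 32-bit; also the "no --mask given" case


def set_mark(ctmark, value, mask):
    """--set-mark value/mask: rewrite only the masked bits of the connection mark.
    The value is assumed to lie inside the mask."""
    return (ctmark & ~mask & ALL) | (value & mask)


def save_mark(ctmark, nfmark, mask):
    """--save-mark --mask mask: copy the masked packet-mark bits into the connection mark."""
    return (ctmark & ~mask & ALL) | (nfmark & mask)


def restore_mark(nfmark, ctmark, mask):
    """--restore-mark --mask mask: copy the masked connection-mark bits into the packet mark."""
    return (nfmark & ~mask & ALL) | (ctmark & mask)


def classify_connection(fwd_class, rev_class):
    """First packet: store one class per direction in separate bit ranges."""
    ctmark = set_mark(0, fwd_class, FWD_MASK)
    return set_mark(ctmark, rev_class << 8, REV_MASK)


def packet_mark(ctmark, is_reply):
    """Later packets: restore only the bits that belong to this packet's direction."""
    mask = REV_MASK if is_reply else FWD_MASK
    return restore_mark(0, ctmark, mask)


def unmasked_clobber(first, second):
    """Without a mask, the second --set-mark replaces the first entirely."""
    return set_mark(set_mark(0, first, ALL), second, ALL)


if __name__ == "__main__":
    ct = classify_connection(0x01, 0x02)          # constructed sample classes
    print(hex(ct), hex(packet_mark(ct, False)), hex(packet_mark(ct, True)))
    print(hex(unmasked_clobber(0x01, 0x0200)))
```

The reply-direction class lands in bits 8-15 of the packet mark, so whatever consumes nfmark has to match the shifted value (0x0200 here), not 0x02.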