* bidirectional CONNMARK?
From: Wang Jian @ 2005-03-09 5:26 UTC
To: netfilter-devel

Hi folks,
What is the CONNMARK's purpose? I think it is to reduce rule traversal,
like this:
# iptables -A PREROUTING -t mangle \
    -m connmark --mark 0xEF000000/0xFF000000 -j CONNMARK --restore-mark

# iptables -A PREROUTING -t mangle <matching rule 1-1> -j CONNMARK --set-mark 0xEF000001
# iptables -A PREROUTING -t mangle <matching rule 1-2> -j CONNMARK --set-mark 0xEF000001
# iptables -A PREROUTING -t mangle <matching rule 1-3> -j CONNMARK --set-mark 0xEF000001
# iptables -A PREROUTING -t mangle <matching rule 2-1> -j CONNMARK --set-mark 0xEF000002
# iptables -A PREROUTING -t mangle <matching rule 3-1> -j CONNMARK --set-mark 0xEF000003
<snip a lot of rules>
But an issue occurs when we want to set 2 different marks for a single
session in two directions.

When doing QoS control as a router between two or more interfaces,
bi-directional control is necessary. Since nfmark is the most
convenient way to classify packets, should we extend CONNMARK to support
two marks?
Comment on this issue is welcome.
If it is a good idea, I will provide a patch for it.
--
lark

* Re: bidirectional CONNMARK?
From: Wang Jian @ 2005-03-09 5:49 UTC
To: netfilter-devel

Hi Wang Jian,

Oops, I forgot to mention that I removed the -j RETURN rules for better
readability.

--
lark

* Re: bidirectional CONNMARK?
From: Wang Jian @ 2005-03-09 8:30 UTC
To: netfilter-devel

Hi,

I have figured out how to do it with CONNMARK. Using --mask, I can choose
the bits to use.

My iptables 1.2.9 doesn't give a hint on the mask for --set-mark,
--save-mark and --restore-mark. I just read the code from HEAD and
realized.

I am happy. Thanks.

--
lark

* Re: bidirectional CONNMARK?
From: Henrik Nordstrom @ 2005-03-09 9:24 UTC
To: Wang Jian; +Cc: netfilter-devel

On Wed, 9 Mar 2005, Wang Jian wrote:

> What is the CONNMARK's purpose?

To act as a decision memory on the connection. What you use this memory
for is up to you.

> I think it is to reduce rule traversal,

This is one of many applications.

The --save-mark/--restore-mark options to CONNMARK should be seen as a
bonus. It is not the main purpose of CONNMARK. The main purpose of
CONNMARK is to act as a connection oriented state memory, allowing you to
remember an earlier decision about something on later packets in the same
session.

> But an issue occurs when we want to set 2 different marks for a single
> session in two directions.

Then you need to structure the use of CONNMARK differently, and depending
on the direction set different marks.

> When doing QoS control as a router between two or more interfaces,
> bi-directional control is necessary. Since nfmark is the most
> convenient way to classify packets, should we extend CONNMARK to support
> two marks?

If it helps you in reducing your ruleset, why not? Adjusting the tools to
your needs is one of the cornerstones of using Open Source software.

But I don't think it is generally suitable for CONNMARK.

Regards
Henrik

* Re[2]: bidirectional CONNMARK?
From: Wang Jian @ 2005-03-09 9:54 UTC
To: Henrik Nordstrom; +Cc: netfilter-devel

Hi Henrik Nordstrom,

Below is a test script, which uses mark/mask to do bi-directional
control. I just crafted it and haven't tested it yet. (Need to compile a
new iptables in the test bed, later)

Jesse <jesse@deansoft.com.tw> tells me off-list that he has a CTDIRMARK
target based on CONNMARK. Looking forward to his code for easier use.

--snip--
#!/bin/sh
# Bit layout: the high word is the eth1 direction, the low word the eth0
# direction. Bit 15 of each word flags "already classified"; the other
# 15 bits hold the class.

CLEAR="iptables -F PREROUTING -t mangle"
IPT="iptables -A PREROUTING -t mangle"
IPTIN="iptables -A INBOUND -t mangle"
IPTOUT="iptables -A OUTBOUND -t mangle"

$CLEAR

iptables -N INBOUND -t mangle
iptables -N OUTBOUND -t mangle

# Start: if this direction is already classified, restore its word into
# the packet's nfmark and stop traversing.
$IPT -i eth1 -m connmark --mark 0x80000000/0x80000000 \
    -j CONNMARK --restore-mark --mask 0x7FFF0000
$IPT -i eth1 -m connmark --mark 0x80000000/0x80000000 -j RETURN

# --restore-mark selects the bits to copy with --mask
$IPT -i eth0 -m connmark --mark 0x00008000/0x00008000 \
    -j CONNMARK --restore-mark --mask 0x00007FFF
$IPT -i eth0 -m connmark --mark 0x00008000/0x00008000 -j RETURN

# End with default to prevent rule traversal: classify once, then set
# the direction's flag bit so later packets take the fast path above.
$IPT -i eth1 -j INBOUND
$IPT -i eth1 -m connmark --mark ! 0x80000000/0x80000000 \
    -j CONNMARK --set-mark 0x80000000/0x8FFF0000
$IPT -i eth1 -j RETURN

$IPT -i eth0 -j OUTBOUND
$IPT -i eth0 -m connmark --mark ! 0x00008000/0x00008000 \
    -j CONNMARK --set-mark 0x00008000/0x00008FFF
$IPT -i eth0 -j RETURN

# Classes
$IPTOUT -p tcp --sport 80 -j CONNMARK --set-mark 0x80030000/0xFFFF0000
$IPTOUT -p tcp --sport 80 -j RETURN

--
lark

* Re[3]: bidirectional CONNMARK?
From: Wang Jian @ 2005-03-09 11:24 UTC
To: Wang Jian; +Cc: netfilter-devel

Hi,

Again. The script works, but another issue arises.

I use CONNMARK's 32 bits to store two 16-bit numbers, the MSB of each is
used as a flag to test if set. The problem here is that TC uses too simple
a hash to process the nfmark:

static __inline__ int fw_hash(u32 handle)
{
        return handle&0xFF;
}

The hash will be futile for the hi-word case.

It seems that I should write an extended CONNMARK-like target.

Jesse: can you post your code here?

--
lark

* Re: Re[2]: bidirectional CONNMARK?
From: Jesse Peng @ 2005-03-10 5:04 UTC
To: Wang Jian, Henrik Nordstrom; +Cc: netfilter-devel

Dear Jian

I need to get my boss's approval, as you know, it's currently in
production use since late 2004.

----- Original Message -----
From: "Wang Jian" <lark@linux.net.cn>
To: "Henrik Nordstrom" <hno@marasystems.com>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Wednesday, March 09, 2005 5:54 PM
Subject: Re[2]: bidirectional CONNMARK?

> On Wed, 9 Mar 2005 10:24:50 +0100 (CET), Henrik Nordstrom <hno@marasystems.com> wrote:
>
> > The --save-mark/--restore-mark options to CONNMARK should be seen as a
> > bonus. It is not the main purpose of CONNMARK. The main purpose of
> > CONNMARK is to act as a connection oriented state memory, allowing you to
> > remember an earlier decision about something on later packets in the same
> > session.

Henrik, you forget to mention the real power is binding the policy for a
control session to its data session (ftp-like protocols, need helper
engineered).

> > > But an issue occurs when we want to set 2 different marks for a single
> > > session in two directions.
> >
> > Then you need to structure the use of CONNMARK differently, and depending
> > on the direction set different marks.

This doesn't work for a single session. Say, if you want packets in the
original dir to be classified as 0x01 mark, but packets in the reply dir to
be classified as 0x02 mark. But with CTDIRMARK applied, things can be
easily done.

* Re[4]: bidirectional CONNMARK?
From: Wang Jian @ 2005-03-10 6:49 UTC
To: Jesse Peng, netfilter-devel

Hi Jesse Peng,

No problem :) I will write a target based on CONNMARK myself.

--
lark

* Re: Re[4]: bidirectional CONNMARK?
From: Jesse Peng @ 2005-03-11 5:03 UTC
To: Wang Jian, netfilter-devel

Dear Jian:

Sorry, as you know, I am at a commercial firm, everything needs approving.
Please notice 2 places:

1. in ip_conntrack.h, you need to add your bidirectional structure for
   containing your 2 marks for 1 session.
2. in ip_conntrack_core.c, just adjacent to Henrik's patch, you need to
   add how you move the expectant's marks to its expected.

* Re: Re[2]: bidirectional CONNMARK?
From: Henrik Nordstrom @ 2005-03-10 9:59 UTC
To: Jesse Peng; +Cc: netfilter-devel

On Thu, 10 Mar 2005, Jesse Peng wrote:

>>> Then you need to structure the use of CONNMARK differently, and
>>> depending on the direction set different marks.
>
> This doesn't work for a single session. Say, if you want packets in the
> original dir to be classified as 0x01 mark, but packets in the reply dir
> to be classified as 0x02 mark. But with CTDIRMARK applied, things can be
> easily done.

What I meant here is to not use CONNMARK to directly specify the nfmark of
the packets, but the class of the session, and from this derive what the
mark should be.

Or another method, as Wang Jian already mentioned, is to mask the CONNMARK
when restoring it into the packet, allowing you to for example specify the
nfmark 0x01 in one direction and 0x0200 in the other. There are 32 bits to
play with.

Regards
Henrik
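The mark/mask arithmetic this thread turns on (Wang Jian's per-direction script, Henrik's "mask the CONNMARK when restoring it" suggestion, and the cls_fw hash Wang Jian quotes) worked through in Python as an added example; this is not code from the thread or from netfilter. It assumes the CONNMARK target semantics of the 2.6-era ipt_CONNMARK (--set-mark v/m: ctmark = (ctmark & ~m) | v; --save-mark and --restore-mark copy only the masked bits) and the connmark match ((ctmark & m) == v), and it reuses the script's bit layout (high word for eth1, low word for eth0, top bit of each word as the "already classified" flag). The interface names, class ids and the classify callback standing in for the INBOUND/OUTBOUND chains are constructed for the example.

```python
"""Simulation of iptables CONNMARK mark/mask arithmetic for per-direction
marks. Added example; not code from the thread or from netfilter."""

M32 = 0xFFFFFFFF


# Target/match semantics assumed from the 2.6-era ipt_CONNMARK.c.
def connmark_set(ctmark, value, mask=M32):
    """-j CONNMARK --set-mark value/mask: replace the masked bits with value."""
    return ((ctmark & ~mask) | value) & M32


def connmark_save(ctmark, nfmark, mask=M32):
    """-j CONNMARK --save-mark --mask m: copy masked packet bits into ctmark."""
    return ((ctmark & ~mask) | (nfmark & mask)) & M32


def connmark_restore(ctmark, nfmark, mask=M32):
    """-j CONNMARK --restore-mark --mask m: copy masked ctmark bits into nfmark."""
    return ((nfmark & ~mask) | (ctmark & mask)) & M32


def connmark_match(ctmark, value, mask=M32):
    """-m connmark --mark value/mask."""
    return (ctmark & mask) == value


# Bit layout taken from the script in the thread (interface names are the
# script's): high word = eth1 direction, low word = eth0 direction. The top
# bit of each word flags "this direction already classified"; the other
# 15 bits carry the class id.  Tuple: (flag bit, class mask, class shift).
DIRS = {
    "eth1": (0x80000000, 0x7FFF0000, 16),
    "eth0": (0x00008000, 0x00007FFF, 0),
}


def mangle_prerouting(ctmark, iif, classify, nfmark=0):
    """One packet through the script's PREROUTING logic for ingress `iif`.

    classify(iif) stands in for the INBOUND/OUTBOUND chains and returns a
    class id (or None).  Returns (new ctmark, nfmark given to the packet).
    Unlike the posted script, the first packet of a direction also gets its
    restored mark instead of leaving PREROUTING unmarked.
    """
    flag, cls_mask, shift = DIRS[iif]
    # Fast path: this direction was decided earlier -> restore and RETURN.
    if connmark_match(ctmark, flag, flag):
        return ctmark, connmark_restore(ctmark, nfmark, cls_mask)
    # Slow path: run the classification chain once, store the class in this
    # direction's word, then set the flag so later packets skip the chain.
    cls = classify(iif)
    if cls is not None:
        ctmark = connmark_set(ctmark, (cls << shift) & cls_mask, cls_mask)
    ctmark = connmark_set(ctmark, flag, flag)
    return ctmark, connmark_restore(ctmark, nfmark, cls_mask)


def walk_session():
    """Three packets of one connection: eth1, the reply on eth0, eth1 again.
    Returns (final ctmark, per-packet nfmarks, number of classifier runs)."""
    runs = []

    def classify(iif):
        runs.append(iif)
        return {"eth1": 1, "eth0": 3}[iif]  # constructed class ids

    ct = 0
    ct, m1 = mangle_prerouting(ct, "eth1", classify)
    ct, m2 = mangle_prerouting(ct, "eth0", classify)
    ct, m3 = mangle_prerouting(ct, "eth1", classify)
    return ct, (m1, m2, m3), len(runs)


def fw_hash(handle):
    """cls_fw bucket function quoted in the thread: handle & 0xFF."""
    return handle & 0xFF


def fw_hash_buckets(marks):
    """How many distinct cls_fw buckets a set of nfmarks spreads over."""
    return len({fw_hash(m) for m in marks})


if __name__ == "__main__":
    ct, marks, runs = walk_session()
    print("ctmark %#010x, per-packet nfmarks %s, classifier ran %d times"
          % (ct, [hex(m) for m in marks], runs))
    # High-word classes all land in bucket 0 of cls_fw; low-word ones spread.
    print("buckets hi-word:", fw_hash_buckets([0x10000, 0x20000, 0x30000]),
          "lo-word:", fw_hash_buckets([1, 2, 3]))
```

Running it shows one ctmark (0x80018003) yielding two different nfmarks, 0x10000 for packets entering on eth1 and 0x3 for packets entering on eth0, with the classifier run only once per direction; Henrik's 0x01 / 0x0200 variant is the same mechanism with masks 0xFF and 0xFF00. The last line reproduces Wang Jian's observation: with `handle & 0xFF`, every high-word class hashes to the same cls_fw bucket, so the filter lookup degenerates to a linear scan unless the restored mark is kept in the low byte (or the mark is shifted before `tc` sees it).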

* Re: Re[2]: bidirectional CONNMARK?
From: Jesse Peng @ 2005-03-11 5:08 UTC
To: Henrik Nordstrom; +Cc: netfilter-devel

----- Original Message -----
From: "Henrik Nordstrom" <hno@marasystems.com>
To: "Jesse Peng" <jesse@deansoft.com.tw>
Cc: "Wang Jian" <lark@linux.net.cn>; <netfilter-devel@lists.netfilter.org>
Sent: Thursday, March 10, 2005 5:59 PM
Subject: Re: Re[2]: bidirectional CONNMARK?

> What I meant here is to not use CONNMARK to directly specify the nfmark of
> the packets, but the class of the session, and from this derive what the
> mark should be.
>
> Or another method, as Wang Jian already mentioned, is to mask the CONNMARK
> when restoring it into the packet, allowing you to for example specify the
> nfmark 0x01 in one direction and 0x0200 in the other. There are 32 bits to
> play with.

As things get complicated, you don't want your whole design plan fooled by
the mask. But I'd admit I never came up with any idea concerning the mask,
you win... hmm..