[PATCH iproute2] man: tc-fw: Document masked handle usage

[PATCH iproute2] man: tc-fw: Document masked handle usage

[Ido Schimmel]

The tc-fw filter can be used to match on the packet's fwmark by adding a
filter with a matching handle. It also supports matching on specific
bits of the fwmark by specifying the handle together with a mask. This
is documented in the usage message below, but not in the man page.

Document it in the man page together with an example.

 $ tc filter add fw help
 Usage: ... fw [ classid CLASSID ] [ indev DEV ] [ action ACTION_SPEC ]
         CLASSID := Push matching packets to the class identified by CLASSID with format X:Y
                 CLASSID is parsed as hexadecimal input.
         DEV := specify device for incoming device classification.
         ACTION_SPEC := Apply an action on matching packets.
         NOTE: handle is represented as HANDLE[/FWMASK].
                 FWMASK is 0xffffffff by default.

Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 man/man8/tc-fw.8 | 44 +++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 41 insertions(+), 3 deletions(-)

diff --git a/man/man8/tc-fw.8 b/man/man8/tc-fw.8
index 711e128f1d0a..589505aefb2e 100644
--- a/man/man8/tc-fw.8
+++ b/man/man8/tc-fw.8
@@ -14,9 +14,15 @@ the
 .B fw
 filter allows one to classify packets based on a previously set
 .BR fwmark " by " iptables .
-If it is identical to the filter's
+If the masked value of the
+.B fwmark
+matches the filter's masked
 .BR handle ,
-the filter matches.
+the filter matches. By default, all 32 bits of the
+.B handle
+and the
+.B fwmark
+are masked.
 .B iptables
 allows one to mark single packets with the
 .B MARK
@@ -60,7 +66,39 @@ statement marking packets coming in on eth0:
 iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 6
 .EE
 .RE
+
+Specific bits of the packet's
+.B fwmark
+can be set using the
+.B skbedit
+action. For example, to only set one bit of the
+.B fwmark
+without changing any other bit:
+
+.RS
+.EX
+tc filter add ... action skbedit mark 0x8/0x8
+.EE
+.RE
+
+The
+.B fw
+filter can then be used to match on this bit by masking the
+.B handle:
+
+.RS
+.EX
+tc filter add ... handle 0x8/0x8 fw action drop
+.EE
+.RE
+
+This is useful when different bits of the
+.B fwmark
+are assigned different meanings.
+.EE
+.RE
 .SH SEE ALSO
 .BR tc (8),
 .BR iptables (8),
-.BR iptables-extensions (8)
+.BR iptables-extensions (8),
+.BR tc-skbedit (8)
-- 
2.36.1

Re: [PATCH iproute2] man: tc-fw: Document masked handle usage

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to iproute2/iproute2-next.git (main)
by David Ahern <dsahern@kernel.org>:

On Tue, 14 Jun 2022 17:26:57 +0300 you wrote:
> The tc-fw filter can be used to match on the packet's fwmark by adding a
> filter with a matching handle. It also supports matching on specific
> bits of the fwmark by specifying the handle together with a mask. This
> is documented in the usage message below, but not in the man page.
> 
> Document it in the man page together with an example.
> 
> [...]

Here is the summary with links:
  - [iproute2] man: tc-fw: Document masked handle usage
    https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git/commit/?id=bfffaf136091

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html