netfilter-devel.vger.kernel.org archive mirror
* TOS target mask - leave alone the ECN bits
@ 2013-11-10 11:53 Patrick Schaaf
From: Patrick Schaaf @ 2013-11-10 11:53 UTC (permalink / raw)
  To: netfilter-devel

Dear netfilter developers,

I'm stumbling over a confusion, maybe just mine, regarding the use of the mask 
value of the TOS target in order to avoid messing with the ECN bits within. 

I thought I understood the issue, starting to use, for example:

	-j TOS --set-tos 0x0c/0xfc

which should result in A) leaving ECN alone and B) set the DSCP bits to 
000011, the first "reserved for local use" value.

The confusion I'd like to clear up with this mail, is that googling around to 
confirm my understanding, I found the following text in my iptables-extensions 
manual page for the tos _match_ --tos option:

	... Note that this implies a mask of 0x3F, i.e. all but the ECN bits.

Is my understanding wrong, should I use --set-tos 0x03/0x3f instead for the 
example above? Or is the manpage wrong?

best regards
  Patrick

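Added example (not from the thread, and not iptables' or the kernel's own code): the TOS target's documented value/mask step, "zero the bits named by mask, then XOR the value in", applied to a constructed TOS octet. It uses the in-header layout in which DSCP occupies the high six bits (0xfc) and ECN the low two (0x03); RFC diagrams number bits from the MSB, so their "bits 6 and 7" are the numerically lowest two. The function names tos_target_apply and tos_rule_preserves_ecn are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* IPv4 TOS octet as stored in the header (RFC 2474 / RFC 3168):
 * high six bits = DSCP, low two bits = ECN codepoint. */
#define TOS_DSCP_MASK 0xfc
#define TOS_ECN_MASK  0x03

/* The TOS target's operation: clear the bits named by mask, XOR value in
 * (same shape as the kernel's (orig & ~mask) ^ value in xt_DSCP.c). */
static uint8_t tos_target_apply(uint8_t orig, uint8_t value, uint8_t mask)
{
    return (uint8_t)((orig & ~mask) ^ value);
}

/* Six-bit DSCP codepoint carried by a TOS octet. */
static uint8_t tos_dscp(uint8_t tos) { return tos >> 2; }

/* Two-bit ECN codepoint carried by a TOS octet. */
static uint8_t tos_ecn(uint8_t tos) { return tos & TOS_ECN_MASK; }

/* 1 if the rule value/mask leaves the ECN codepoint of every possible
 * TOS octet untouched, 0 if some input would have its ECN bits changed. */
static int tos_rule_preserves_ecn(uint8_t value, uint8_t mask)
{
    for (unsigned t = 0; t < 256; t++) {
        uint8_t in = (uint8_t)t;
        if (tos_ecn(tos_target_apply(in, value, mask)) != tos_ecn(in))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample octet: DSCP AF11 (001010) with ECN = ECT(0) (10). */
    uint8_t sample = (uint8_t)((0x0a << 2) | 0x02);            /* 0x2a */
    uint8_t a = tos_target_apply(sample, 0x0c, 0xfc);           /* --set-tos 0x0c/0xfc */
    uint8_t b = tos_target_apply(sample, 0x03, 0x3f);           /* --set-tos 0x03/0x3f */

    printf("orig      0x%02x dscp=%u ecn=%u\n", sample, tos_dscp(sample), tos_ecn(sample));
    printf("0x0c/0xfc 0x%02x dscp=%u ecn=%u ecn-safe=%d\n", a, tos_dscp(a), tos_ecn(a),
           tos_rule_preserves_ecn(0x0c, 0xfc));
    printf("0x03/0x3f 0x%02x dscp=%u ecn=%u ecn-safe=%d\n", b, tos_dscp(b), tos_ecn(b),
           tos_rule_preserves_ecn(0x03, 0x3f));
    return 0;
}
```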

* Re: TOS target mask - leave alone the ECN bits
From: Jan Engelhardt @ 2013-11-11  7:31 UTC (permalink / raw)
  To: Patrick Schaaf; +Cc: netfilter-devel


On Sunday 2013-11-10 12:53, Patrick Schaaf wrote:
>
>I'm stumbling over a confusion, maybe just mine, regarding the use of the mask 
>value of the TOS target in order to avoid messing with the ECN bits within. 
>
>	-j TOS --set-tos 0x0c/0xfc
>
>which should result in A) leaving ECN alone and B) set the DSCP bits to 
>000011, the first "reserved for local use" value.

RFCs have the bit order reversed in their diagrams, which is…
unusual, but at least properly documented. It spells out: "bits 6 and
7 in the IPv4 TOS octet are designed as the ECN field". The keeper
mask is therefore 0xc0, and the equivalent clearing mask is 0x3f
(not 0xfc).


In the user interface, clearing masks are a must-have for bit
manipulation[1] targets, do not fall under "bit manipulation"), and
keeper masks are a must-have for bit tests. This is because they are
easiest to use for each case.
Lemma: Look at some C code. You will find

	void paint(animal *a) {
		if (a->type & HORSE) {
			a->type &= ~HORSE;
			a->type |= ZEBRA;
		}
	}

rather than

	if (foo & ~(DONKEY | HORSE | ZEBRA | MULE | ZULE | ZORSE)) {
		foo &= DONKEY | HORSE | ZEBRA | MULE | ZULE | ZORSE;
		foo |= ZEBRA;
	}

for the same reason.

[1] While many targets do some bit manipulation on the packet,
the UI does not expose it as such. For example, NAT uses IP
addresses rather than raw bits.
