> Condensed version - I need to share the nfmark with another developer on
> the same packet, where I use the high-order 8 bits and she can have the
> low-order 24 bits. Problem is that -j MARK --set-mark writes one unsigned
> integer, so I would wipe out her nfmark and vice versa.
>
> I have successfully used a mask in a mark match:
>
>   iptables -t nat -A mychain -m mark --mark $mymark/0xFF000000
>
> and had the packets flow as desired.
>
> It was not documented that a mask would work with -j MARK --set-mark /,
> but I tried anyway.
> I used = 0xFF000000 (which does work by itself)
> with = 0xFF000000 and = 0xFFFFFFFF
> with = 0xFF000000 and got the error message:
>
>   "Bad MARK value `/'"
>
> I could read the existing nfmark, add the second one, and set the summed
> nfmark, but I do not see any way to read an nfmark in iptables.
>
> I do see a solution using the mark match to identify the current
> nfmark/mask (one rule for each possible nfmark) with the new nfmark equal
> to the sum of the matching nfmark/mask and the nfmark of the second use,
> but that gets clunky very quickly as the number of possible nfmarks
> increases, and it forces each use to know which nfmarks the other is using
> (== reduced modularity).
>
> Any help would be greatly appreciated and attributed in the project.
>
> Thank you.
>
> Bill Chappell
>
> --
> William Chappell, Software Engineer, Critical Technologies, Inc.
> Suite 400 Technology Center, 4th Floor, 1001 Broad Street, Utica, NY 13501
> 315-793-0248 x148 <bill.chappell@critical.com> www.critical.com
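Added example, not part of Bill's message and not iptables code: a POSIX shell model of the masked operations that the iptables MARK target provides in its revision 2 (`--set-mark value/mask`, `--set-xmark value/mask`, `--and-mark`, `--or-mark`, `--xor-mark`) and of the `-m mark --mark value/mask` match, applied to the 8-bit/24-bit split described above. Only the two masks come from the question; the field values 0x2A, 0x7F and 0x012345, the function names, and the use of the mangle table are my own assumptions. The script loads nothing into the kernel; it prints the rules each owner would run and checks the arithmetic offline.

```shell
#!/bin/sh
# Added example (not from the original message): an offline model of the
# masked operations offered by the iptables MARK target (revision 2) and
# by the "-m mark --mark value/mask" match, applied to the 8-bit/24-bit
# split from the question. Nothing is loaded into the kernel; the printed
# iptables lines are the rules each owner would run (mangle table assumed).
# Field values 0x2A, 0x7F and 0x012345 are made-up sample data.

MASK32=0xFFFFFFFF
HIGH_MASK=0xFF000000   # high-order 8 bits: first owner's field
LOW_MASK=0x00FFFFFF    # low-order 24 bits: second owner's field

hex32() { printf '0x%08x\n' "$(( $1 & $MASK32 ))"; }

# -j MARK --set-mark value/mask : zero the mask bits, then OR value in
set_mark()  { hex32 "$(( ($1 & ~$3) | $2 ))"; }
# -j MARK --set-xmark value/mask: zero the mask bits, then XOR value in
set_xmark() { hex32 "$(( ($1 & ~$3) ^ $2 ))"; }
# -j MARK --and-mark / --or-mark / --xor-mark
and_mark()  { hex32 "$(( $1 & $2 ))"; }
or_mark()   { hex32 "$(( $1 | $2 ))"; }
xor_mark()  { hex32 "$(( $1 ^ $2 ))"; }

# -m mark --mark value/mask : matches when (nfmark & mask) == (value & mask)
mark_matches() { [ "$(( $1 & $3 ))" -eq "$(( $2 & $3 ))" ]; }

# Place a field value in its slot; refuse values that would spill into
# the other owner's bits, which is the one way the scheme can still clash.
high_field() {
  [ "$(( $1 & ~0xFF ))" -eq 0 ] || { echo "high field $1 exceeds 8 bits" >&2; return 1; }
  hex32 "$(( $1 << 24 ))"
}
low_field() {
  [ "$(( $1 & ~$LOW_MASK ))" -eq 0 ] || { echo "low field $1 exceeds 24 bits" >&2; return 1; }
  hex32 "$1"
}

# The two rules an owner loads: write its field, later match on its field.
# Neither rule mentions the other owner's bits, so the owners stay independent.
owner_rules() {  # owner_rules <packed value> <mask>
  printf 'iptables -t mangle -A PREROUTING -j MARK --set-mark %s/%s\n' "$1" "$2"
  printf 'iptables -t mangle -A PREROUTING -m mark --mark %s/%s -j ACCEPT\n' "$1" "$2"
}

# Walk one packet's nfmark through both owners' writes.
m=0x00000000
m=$(set_mark "$m" "$(high_field 0x2A)" "$HIGH_MASK")    # first owner writes 0x2A
m=$(set_mark "$m" "$(low_field 0x012345)" "$LOW_MASK")  # second owner writes 0x012345
echo "after both writes:   $m"                           # 0x2a012345
m=$(set_mark "$m" "$(high_field 0x7F)" "$HIGH_MASK")    # first owner overwrites its byte
echo "after high rewrite:  $m"                           # 0x7f012345, low 24 bits intact
if mark_matches "$m" "$(low_field 0x012345)" "$LOW_MASK"; then
  echo "second owner's match still hits"
fi
echo "cleared high byte:   $(and_mark "$m" "$LOW_MASK")" # 0x00012345
owner_rules "$(high_field 0x2A)" "$HIGH_MASK"
owner_rules "$(low_field 0x012345)" "$LOW_MASK"
```

The only contract the two owners need to share is the pair of masks: each `--set-mark value/mask` clears just its own field before ORing the new value in, so no rule ever has to read the mark back or enumerate the other owner's values. "Adding" the two marks, as the message considers, is equivalent to OR only when the fields are disjoint and the target field is zeroed first, which is exactly what the masked write does; `--set-xmark` and `--xor-mark` toggle bits instead of setting them, so use them only when that is intended. The `value/mask` form needs an iptables and kernel with MARK target revision 2; older combinations reject it with the "Bad MARK value" error quoted above, and on those the masked `-m mark` match remains the only masked operation available.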