On 2019-10-24, at 02:12:05 +1100, Duncan Roe wrote:
> Just this morning I was going to get back into libnetfilter_queue
> documentation, starting with the other 2 verdict helpers.
>
> But I ran into a conundrum with nfq_nlmsg_verdict_put_mark (the one I
> didn't use). It's a 1-liner (in src/nlmsg.c):
>
> > 56 mnl_attr_put_u32(nlh, NFQA_MARK, htonl(mark));
>
> But examples/nf-queue.c has an example to set the connmark which
> doesn't use nfq_nlmsg_verdict_put_mark()
>
> Instead it has this line:
>
> > 52 mnl_attr_put_u32(nlh, CTA_MARK, htonl(42));
>
> The trouble is, NFQA_MARK *is different from* CTA_MARK. NFQA_MARK is
> 3, while CTA_MARK is 8.
>
> At this point, I felt I did not understand the software well enough to
> be able to document it further. If you could shed some light on this
> apparent discrepancy, it might restore my self-confidence sufficiently
> that I can continue documenting.

`NFQA_MARK` is used for setting the `nfmark`; `CTA_MARK` is used for setting the `ctmark`. Here are the relevant stanzas from the NF Kconfig:

  config NETFILTER_XT_MARK
          tristate 'nfmark target and match support'
          default m if NETFILTER_ADVANCED=n
          ---help---
          This option adds the "MARK" target and "mark" match.

          Netfilter mark matching allows you to match packets based on the
          "nfmark" value in the packet.
          The target allows you to create rules in the "mangle" table which alter
          the netfilter mark (nfmark) field associated with the packet.

          Prior to routing, the nfmark can influence the routing method and can
          also be used by other subsystems to change their behavior.

  config NETFILTER_XT_CONNMARK
          tristate 'ctmark target and match support'
          depends on NF_CONNTRACK
          depends on NETFILTER_ADVANCED
          select NF_CONNTRACK_MARK
          ---help---
          This option adds the "CONNMARK" target and "connmark" match.

          Netfilter allows you to store a mark value per connection (a.k.a.
          ctmark), similarly to the packet mark (nfmark). Using this
          target and match, you can set and match on this mark.

`nfq_nlmsg_verdict_put_mark` sets an `nfmark` whereas the example is setting a `ctmark`. J.
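The distinction above is about where each attribute id is meaningful, not just about the numbers 3 and 8. The following is an added example written for this page, not code from the thread, from libnetfilter_queue or from the kernel. It serialises the netlink attribute TLVs by hand (so it needs no libmnl) and shows a verdict attribute stream that carries an nfmark as a top-level `NFQA_MARK` and a ctmark as a `CTA_MARK` nested inside an `NFQA_CT` attribute. The values `NFQA_CT = 11` and the `NLA_F_NESTED` flag are taken from the kernel UAPI headers as the author of this example recalls them and are assumptions here; `NFQA_MARK = 3` and `CTA_MARK = 8` are the values quoted in the thread. The parser deliberately ignores a `CTA_MARK` that appears at top level, which is what makes the "which attribute goes where" point concrete.

```c
#include <arpa/inet.h>   /* htonl / ntohl */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute ids. NFQA_MARK and CTA_MARK are the values quoted in the thread;
 * NFQA_CT and NLA_F_NESTED are assumed from the kernel UAPI headers. */
#define NFQA_MARK     3        /* top level of an NFQNL verdict: packet nfmark */
#define CTA_MARK      8        /* only meaningful inside an NFQA_CT nest: ctmark */
#define NFQA_CT       11       /* assumption: nest carrying CTA_* attributes */
#define NLA_F_NESTED  (1u << 15)
#define NLA_TYPE_MASK 0x3fffu  /* strips NLA_F_NESTED / NLA_F_NET_BYTEORDER */
#define NLA_HDRLEN    4
#define NLA_ALIGN(n)  (((n) + 3u) & ~3u)

/* Append one u32 attribute (struct nlattr header + payload), like
 * mnl_attr_put_u32 would. Returns the number of bytes consumed, padded. */
size_t put_u32_attr(uint8_t *p, uint16_t type, uint32_t v_be)
{
    uint16_t len = NLA_HDRLEN + sizeof(uint32_t);
    memcpy(p, &len, 2);
    memcpy(p + 2, &type, 2);
    memcpy(p + NLA_HDRLEN, &v_be, sizeof v_be);
    return NLA_ALIGN(len);
}

/* Build the attribute section of a verdict that sets both marks:
 * NFQA_MARK at top level, CTA_MARK inside a nested NFQA_CT. */
size_t build_mark_attrs(uint8_t *buf, uint32_t nfmark, uint32_t ctmark)
{
    size_t off = 0;
    off += put_u32_attr(buf + off, NFQA_MARK, htonl(nfmark));

    uint8_t *nest = buf + off;                /* reserve the nest header */
    uint16_t nest_type = NFQA_CT | NLA_F_NESTED;
    off += NLA_HDRLEN;
    size_t inner = put_u32_attr(buf + off, CTA_MARK, htonl(ctmark));
    off += inner;
    uint16_t nest_len = (uint16_t)(NLA_HDRLEN + inner);
    memcpy(nest, &nest_len, 2);
    memcpy(nest + 2, &nest_type, 2);
    return off;
}

/* Walk the attribute stream. Returns a bitmask (bit0 = nfmark found,
 * bit1 = ctmark found) or -1 on a malformed attribute. A CTA_MARK seen at
 * top level is NOT treated as a ctmark: id 8 there is a different NFQA_*. */
int parse_mark_attrs(const uint8_t *buf, size_t len,
                     uint32_t *nfmark, uint32_t *ctmark)
{
    int found = 0;
    size_t off = 0;
    while (off + NLA_HDRLEN <= len) {
        uint16_t alen, atype;
        memcpy(&alen, buf + off, 2);
        memcpy(&atype, buf + off + 2, 2);
        if (alen < NLA_HDRLEN || off + alen > len)
            return -1;                            /* length must stay in bounds */
        const uint8_t *payload = buf + off + NLA_HDRLEN;
        size_t plen = alen - NLA_HDRLEN;
        uint16_t id = atype & NLA_TYPE_MASK;

        if (id == NFQA_MARK && plen == sizeof(uint32_t)) {
            uint32_t v; memcpy(&v, payload, 4);
            *nfmark = ntohl(v); found |= 1;
        } else if (id == NFQA_CT && (atype & NLA_F_NESTED)) {
            size_t ioff = 0;                      /* CTA_* live in this scope */
            while (ioff + NLA_HDRLEN <= plen) {
                uint16_t ilen, itype;
                memcpy(&ilen, payload + ioff, 2);
                memcpy(&itype, payload + ioff + 2, 2);
                if (ilen < NLA_HDRLEN || ioff + ilen > plen)
                    return -1;
                if ((itype & NLA_TYPE_MASK) == CTA_MARK &&
                    ilen == NLA_HDRLEN + sizeof(uint32_t)) {
                    uint32_t v; memcpy(&v, payload + ioff + NLA_HDRLEN, 4);
                    *ctmark = ntohl(v); found |= 2;
                }
                ioff += NLA_ALIGN(ilen);
            }
        }
        off += NLA_ALIGN(alen);
    }
    return found;
}

/* Round-trip check: both marks survive when placed correctly, and a
 * CTA_MARK written at top level is not mistaken for a ctmark. */
int selftest_roundtrip(void)
{
    uint8_t buf[64], bad[16];
    uint32_t nf = 0, ct = 0;
    size_t n = build_mark_attrs(buf, 0x11, 42);
    if (n != 20 || parse_mark_attrs(buf, n, &nf, &ct) != 3) return 0;
    if (nf != 0x11 || ct != 42) return 0;
    nf = ct = 0;
    size_t m = put_u32_attr(bad, CTA_MARK, htonl(42));   /* wrong scope */
    if (m != 8 || parse_mark_attrs(bad, m, &nf, &ct) != 0) return 0;
    return 1;
}

int main(void)
{
    printf("mark attribute round-trip: %s\n", selftest_roundtrip() ? "ok" : "FAIL");
    return 0;
}
```

Against a real queue this stream would be appended to an NFQNL verdict message after the verdict header; the point the example isolates is that the same numeric id means different things at different nesting depths, so a helper that writes `NFQA_MARK` at top level and code that writes `CTA_MARK` inside `NFQA_CT` are both correct, and neither can substitute for the other.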