* MARK - set with mask or read, add, set???
@ 2003-07-24 22:48 Bill Chappell
  0 siblings, 0 replies; 2+ messages in thread
From: Bill Chappell @ 2003-07-24 22:48 UTC (permalink / raw)
  To: netfilter


Condensed version - I need to share the nfmark with
another developer on the same packet, where I use the
high-order 8 bits and she can have the low-order 24 bits.
Problem is that -j MARK --set-mark writes one unsigned
integer so I would wipe out her nfmark and vice versa.

I have successfully used a mask in a mark match:
iptables -t nat -A mychain -m mark --mark $mymark/0xFF000000
and had the packets flow as desired.

It was not documented that a mask would work with
-j MARK --set-mark <number>/<mask>, but I tried
anyway.
I used <number> = 0xFF000000 (which does work by itself)
with <mask> = 0xFF000000 and <number> = 0xFFFFFFFF
with <mask> = 0xFF000000 and got the error message:
"Bad MARK value `<number>/<mask>'"

I could read the existing nfmark, add the second one, and set
the summed nfmark, but I do not see any way to read an nfmark
in iptables.

I do see a solution using the mark match to identify the current
nfmark/mask (one rule for each possible nfmark) with the new nfmark
equal to the sum of the matching nfmark/mask and the nfmark
of the second use, but that gets clunky very quickly as the number
of possible nfmarks increases and it forces each use to know
which nfmarks the other is using (== reduced modularity).

Any help would be greatly appreciated and attributed in the project.

Thank you.

Bill Chappell




--
William Chappell,     Software Engineer,     Critical Technologies, Inc.
Suite 400 Technology Center, 4th Floor 1001 Broad Street, Utica, NY 13501
315-793-0248  x148  < bill.chappell@critical.com >  www.critical.com




* MARK - set with mask or read, add, set???
@ 2003-07-24 22:52 Bill Chappell
  0 siblings, 0 replies; 2+ messages in thread
From: Bill Chappell @ 2003-07-24 22:52 UTC (permalink / raw)
  To: netfilter


> Condensed version - I need to share the nfmark with
> another developer on the same packet, where I use the
> high-order 8 bits and she can have the low-order 24 bits.
> Problem is that -j MARK --set-mark writes one unsigned
> integer so I would wipe out her nfmark and vice versa.
>
> I have successfully used a mask in a mark match:
> iptables -t nat -A mychain -m mark --mark $mymark/0xFF000000
> and had the packets flow as desired.
>
> It was not documented that a mask would work with
> -j MARK --set-mark <number>/<mask>, but I tried
> anyway.
> I used <number> = 0xFF000000 (which does work by itself)
> with <mask> = 0xFF000000 and <number> = 0xFFFFFFFF
> with <mask> = 0xFF000000 and got the error message:
> "Bad MARK value `<number>/<mask>'"
>
> I could read the existing nfmark, add the second one, and set
> the summed nfmark, but I do not see any way to read an nfmark
> in iptables.
>
> I do see a solution using the mark match to identify the current
> nfmark/mask (one rule for each possible nfmark) with the new nfmark
> equal to the sum of the matching nfmark/mask and the nfmark
> of the second use, but that gets clunky very quickly as the number
> of possible nfmarks increases and it forces each use to know
> which nfmarks the other is using (== reduced modularity).
>
> Any help would be greatly appreciated and attributed in the project.
>
> Thank you.
>
> Bill Chappell
>
>
>
>
> --
> William Chappell,     Software Engineer,     Critical Technologies, Inc.
> Suite 400 Technology Center, 4th Floor 1001 Broad Street, Utica, NY 13501
> 315-793-0248  x148  < bill.chappell@critical.com >  www.critical.com
>
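Added example, not code from either of Bill Chappell's two posts above (the second re-sends the first): it models the 8/24-bit split of the nfmark the question asks for. It assumes what the 2003 iptables build in the posts lacked, namely the value/mask forms that later versions of the MARK target accept (--set-xmark, --set-mark value/mask, --and-mark, --or-mark, --xor-mark) and that the kernel applies them as mark = (mark & ~mask) ^ value. Nothing here touches a live firewall: the functions compute the resulting mark offline and print candidate rules; the mark values are constructed, and the mangle/PREROUTING table and chain are placeholders for the poster's own chain.

```shell
#!/bin/sh
# Added example (not from the original posts). Models the split of the 32-bit
# nfmark into two fields and shows the rules that write each field on its own.
# ASSUMPTION: the later iptables MARK target accepts value/mask forms
# (--set-xmark, --set-mark value/mask, --and-mark, --or-mark, --xor-mark) and
# applies them as  mark = (mark & ~mask) ^ value . Nothing here touches a live
# firewall; the functions compute the resulting mark and print candidate rules.

HIGH_MASK=0xFF000000   # high 8 bits: the poster's field
LOW_MASK=0x00FFFFFF    # low 24 bits: the other developer's field

# --set-xmark value/mask: clear the bits in mask, then XOR value in.
set_xmark() {   # set_xmark <current mark> <value> <mask>
    printf '%u\n' $(( ( ($1 & ~$3) ^ $2 ) & 0xFFFFFFFF ))
}

# --set-mark value/mask: clear the bits in mask, then OR value in.
# iptables builds this from set-xmark with mask = value | mask, so bits set in
# value but outside mask are written too: keep each field's value inside its mask.
set_mark() {    # set_mark <current mark> <value> <mask>
    set_xmark "$1" "$2" $(( $2 | $3 ))
}

or_mark()  { set_xmark "$1" "$2" "$2"; }                      # --or-mark bits
and_mark() { set_xmark "$1" 0 $(( ~$2 & 0xFFFFFFFF )); }      # --and-mark bits
xor_mark() { set_xmark "$1" "$2" 0; }                         # --xor-mark bits

# Field writers: reject a value that does not fit, so one side can never
# spill into the other's bits.
set_high_field() {   # set_high_field <current mark> <value 0..255>
    v=$(( $2 ))
    if [ "$v" -lt 0 ] || [ "$v" -gt 255 ]; then
        echo "high field value $2 does not fit in 8 bits" >&2
        return 1
    fi
    set_mark "$1" $(( v << 24 )) "$HIGH_MASK"
}

set_low_field() {    # set_low_field <current mark> <value 0..0xFFFFFF>
    v=$(( $2 ))
    if [ "$v" -lt 0 ] || [ "$v" -gt 16777215 ]; then
        echo "low field value $2 does not fit in 24 bits" >&2
        return 1
    fi
    set_mark "$1" "$v" "$LOW_MASK"
}

# The rules each developer would load. Table and chain are placeholders.
print_rules() {      # print_rules <high value 0..255> <low value 0..0xFFFFFF>
    printf 'iptables -t mangle -A PREROUTING -j MARK --set-mark 0x%08x/0x%08x\n' \
        $(( $1 << 24 )) $(( HIGH_MASK ))
    printf 'iptables -t mangle -A PREROUTING -j MARK --set-mark 0x%08x/0x%08x\n' \
        $(( $2 )) $(( LOW_MASK ))
}

# Walk-through with constructed mark values.
m=0
m=$(set_low_field "$m" 0x123456)     # other developer writes her 24 bits
m=$(set_high_field "$m" 0x42)        # poster writes his 8 bits, hers survive
printf 'combined mark:      0x%08x\n' "$m"
m=$(set_high_field "$m" 0x07)        # poster rewrites his field only
printf 'after high rewrite: 0x%08x\n' "$m"
print_rules 0x07 0x123456
```

Each side loads only its own rule and never needs to know the other's current value, which removes the per-mark match-and-rewrite rules the post describes. The one thing to keep in mind with --set-mark value/mask is that iptables folds value into the mask, so a value with bits outside the agreed field would overwrite the neighbour's bits; the range checks in the field writers exist to catch exactly that before a rule is generated.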
