From: Bill Chappell
Subject: MARK - set with mask or read, add, set???
Date: Thu, 24 Jul 2003 18:52:37 -0400
To: netfilter@lists.netfilter.org
Message-ID: <3F206334.1F44B7F1@borg.com>

Condensed version - I need to share the nfmark with
another developer on the same packet, where I use the
high-order 8 bits and she can have the low-order 24 bits.
Problem is that -j MARK --set-mark writes one unsigned
integer so I would wipe out her nfmark and vice versa.

I have successfully used a mask in a mark match:
iptables -t nat -A mychain -m mark --mark $mymark/0xFF000000
and had the packets flow as desired.

It was not documented that a mask would work with
-j MARK --set-mark <number>/<mask>, but I tried
anyway.
I used <number> = 0xFF000000 (which does work by itself)
with <mask> = 0xFF000000 and <number> = 0xFFFFFFFF
with <mask> = 0xFF000000 and got the error message:
"Bad MARK value `<number>/<mask>'"

I could read the existing nfmark, add the second one, and set
the summed nfmark, but I do not see any way to read an nfmark
in iptables.

I do see a solution using the mark match to identify the current
nfmark/mask (one rule for each possible nfmark) with the new nfmark
equal to the sum of the matching nfmark/mask and the nfmark
of the second use, but that gets clunky very quickly as the number
of possible nfmarks increases and it forces each use to know
which nfmarks the other is using (== reduced modularity).

Any help would be greatly appreciated and attributed in the project.

Thank you.

Bill Chappell

-- 
William Chappell,     Software Engineer,     Critical Technologies, Inc.
Suite 400 Technology Center, 4th Floor 1001 Broad Street, Utica, NY 13501
315-793-0248  x148  < bill.chappell@critical.com >  www.critical.com
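The bit arithmetic the question turns on, as an added example that is not part of the original message or of the iptables project's code: a Python model of how the MARK target and the mark match treat the 32-bit nfmark, showing why an unmasked --set-mark wipes out the other party's bits and how a masked write avoids that. The masked --set-mark value/mask, --set-xmark, --or-mark and --and-mark forms modelled here were added to the MARK target in later iptables releases; the 2003 version the post was written against rejects the value/mask syntax, as the quoted error shows. The 8/24-bit tenant split follows the post; the sample mark values, the helper names, the chain name and the use of the mangle table are constructed for the illustration.

```python
# Added example (not from the original post or the iptables project): a model
# of how netfilter's MARK target and mark match treat the 32-bit nfmark.
# Tenant split as in the post; mark values, helper names, chain name and
# table are constructed for this illustration.

NFMARK_BITS = 0xFFFFFFFF

# One party owns the high-order 8 bits, the other the low-order 24 bits.
A_MASK = 0xFF000000
B_MASK = 0x00FFFFFF


def set_mark(nfmark: int, value: int) -> int:
    """-j MARK --set-mark <value> with no mask: the whole nfmark is replaced."""
    return value & NFMARK_BITS


def set_mark_masked(nfmark: int, value: int, mask: int) -> int:
    """-j MARK --set-mark <value>/<mask> (later MARK target revisions):
    zero the bits in mask, then OR value in. Bits outside mask are untouched."""
    return ((nfmark & ~mask) | value) & NFMARK_BITS


def set_xmark(nfmark: int, value: int, mask: int) -> int:
    """-j MARK --set-xmark <value>/<mask>: zero the bits in mask, then XOR value in."""
    return ((nfmark & ~mask) ^ value) & NFMARK_BITS


def or_mark(nfmark: int, bits: int) -> int:
    """-j MARK --or-mark <bits>: nfmark |= bits."""
    return (nfmark | bits) & NFMARK_BITS


def and_mark(nfmark: int, bits: int) -> int:
    """-j MARK --and-mark <bits>: nfmark &= bits."""
    return nfmark & bits & NFMARK_BITS


def mark_matches(nfmark: int, value: int, mask: int) -> bool:
    """-m mark --mark <value>/<mask>: true when (nfmark & mask) == value."""
    return (nfmark & mask) == value


def preserves_other_tenant(op, nfmark: int, own_mask: int) -> bool:
    """True if applying op to nfmark leaves every bit outside own_mask unchanged."""
    other = NFMARK_BITS & ~own_mask
    return (op(nfmark) & other) == (nfmark & other)


def fallback_rule_count(other_mask: int) -> int:
    """Rules needed by the 'one mark match per possible value' workaround the
    post describes: one rule for every value the other tenant's bits can take."""
    return 2 ** bin(other_mask).count("1")


def rule_for(chain: str, value: int, mask: int) -> str:
    """Render the masked MARK rule for one tenant (hypothetical chain name)."""
    return (f"iptables -t mangle -A {chain} -j MARK "
            f"--set-mark {value:#010x}/{mask:#010x}")


def demo():
    """Walk the scenario: B has tagged the packet, then A writes its own bits."""
    nfmark = 0x00ABCDEF          # tenant B's tag already on the packet
    a_value = 0x2A000000         # tenant A wants 0x2A in its 8 bits

    clobbered = set_mark(nfmark, a_value)               # B's tag is wiped out
    kept = set_mark_masked(nfmark, a_value, A_MASK)     # both tags survive
    b_rewrite = set_mark_masked(kept, 0x000001, B_MASK)  # B rewrites, A survives
    return clobbered, kept, b_rewrite


if __name__ == "__main__":
    clobbered, kept, b_rewrite = demo()
    print(f"unmasked --set-mark : {clobbered:#010x}")
    print(f"masked --set-mark   : {kept:#010x}")
    print(f"B rewrites its bits : {b_rewrite:#010x}")
    print(f"fallback workaround needs {fallback_rule_count(B_MASK)} rules for tenant A")
    print(rule_for("mychain", 0x2A000000, A_MASK))
```

The model makes the modularity point concrete: with a masked write each party only needs to know its own mask, whereas the mark-match workaround needs one rule per value the other party's bits can hold, which for a 24-bit field is over sixteen million rules.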