bidirectional CONNMARK?

Wang Jian lark at linux.net.cn
Wed Mar 9 06:26:19 CET 2005


Hi folks,

What is CONNMARK's purpose? I think it is to reduce rule traversal,
like this:

# iptables -A PREROUTING -t mangle \
   -m connmark --mark 0xEF000000/0xFF000000 -j CONNMARK --restore-mark

# iptables -A PREROUTING -t mangle <matching rule 1-1> -j CONNMARK --set-mark 0xEF000001
# iptables -A PREROUTING -t mangle <matching rule 1-2> -j CONNMARK --set-mark 0xEF000001
# iptables -A PREROUTING -t mangle <matching rule 1-3> -j CONNMARK --set-mark 0xEF000001
# iptables -A PREROUTING -t mangle <matching rule 2-1> -j CONNMARK --set-mark 0xEF000002
# iptables -A PREROUTING -t mangle <matching rule 3-1> -j CONNMARK --set-mark 0xEF000003
<snip a lot of rules>

But an issue occurs when we want to set two different marks for a single
session in the two directions.

When doing QoS control as a router between two or more interfaces,
bi-directional control is necessary. Since nfmark is the most
convenient way to classify packets, should we extend CONNMARK to support
two marks?

Comments on this issue are welcome.

If it is a good idea, I will provide a patch for it.




-- 
  lark
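The rule layout described in the post, as an added example that is not part of the original message or of netfilter's own code. It shows two things the post's sketch leaves out: the shortcut that makes the connmark actually save rule traversal (jump into the classifier chain only when the connection has no class yet, and give unmatched connections a default class so they are also classified exactly once), and one way to get a different packet mark per direction out of a single connmark, by OR-ing a direction bit into the restored mark for reply-direction packets. Everything concrete here is assumed: the class marks in 0xEF0000NN, the reply bit 0x00010000, the chain name QOS_CLASS, and the three classifier rules, which are constructed stand-ins for the post's `<matching rule ...>` placeholders. The `-m conntrack --ctdir` match used for the direction test was added to iptables after this 2005 thread.

```shell
#!/bin/sh
# Added example (not from the post): emit an iptables-restore fragment for the
# mangle table that classifies each connection once, caches the class in the
# connmark, and derives a per-direction packet mark from that single connmark.
#
# Assumed layout (not from the post):
#   connmark / packet mark  0xEF0000NN  -> class NN, set once per connection
#   packet mark bit         0x00010000  -> set on reply-direction packets only
#   chain QOS_CLASS                      -> the expensive classifier rules
# The three classifier rules below are constructed placeholders.

gen_mangle_rules() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:QOS_CLASS - [0:0]
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -m mark ! --mark 0xEF000000/0xFF000000 -j QOS_CLASS
-A PREROUTING -m conntrack --ctdir REPLY -j MARK --or-mark 0x00010000
-A QOS_CLASS -p tcp --dport 22 -j MARK --set-mark 0xEF000001
-A QOS_CLASS -p tcp --dport 80 -j MARK --set-mark 0xEF000002
-A QOS_CLASS -p udp --dport 53 -j MARK --set-mark 0xEF000003
-A QOS_CLASS -m mark ! --mark 0xEF000000/0xFF000000 -j MARK --set-mark 0xEF0000FF
-A QOS_CLASS -j CONNMARK --save-mark
COMMIT
EOF
}
```

Rule order is the whole point: the restore comes first, so every packet of an already classified connection gets its class mark copied from the connmark and skips QOS_CLASS because the `! --mark 0xEF000000/0xFF000000` test fails; only the first packet of a connection enters the classifier, and the default rule at the end of QOS_CLASS guarantees that even a connection matching no classifier rule is saved with a class and never traverses the chain again. The reply bit is OR-ed into the packet mark after the restore and is never saved back, so the connmark stays a single 32-bit value while tc sees `0xEF000001` for original-direction packets of class 1 and `0xEF010001` for their replies (a `fw` filter can match either exactly or mask the direction bit off). To load it as root: `gen_mangle_rules | iptables-restore -n`.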




More information about the netfilter-devel mailing list