Some questions about "-set-xmark" in iptables

I have a rule:

-A PREROUTING -d 10.228.20.15/32 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 0x70/0xffffffff

The man page explains --set-xmark as shown below:

Zero out the bits given by mask and XOR value into ctmark.

English is not my native language. Can someone help explain what value will be set in ctmark? What does "zero out" mean here? An example would be appreciated.

+3
1 answer

So the syntax is --set-xmark value/mask. Resulting operation:

ctmark = (ctmark AND NOT mask) XOR value

Zero-out step (ctmark AND NOT mask): if a bit in mask is set, then the corresponding bit in ctmark will be zero (before the XOR).

The man page also states:

--and-mark bits
    Binary AND the  ctmark  with  bits.  (Mnemonic  for  --set-xmark
    0/invbits, where invbits is the binary negation of bits.)

--or-mark bits
    Binary  OR  the  ctmark  with  bits.  (Mnemonic  for --set-xmark
    bits/bits.)

--xor-mark bits
    Binary XOR the  ctmark  with  bits.  (Mnemonic  for  --set-xmark
    bits/0.)

You can check the operation above against these definitions:

--and-mark bits == --set-xmark 0/invbits
     ctmark AND bits = (ctmark AND NOT invbits) XOR 0
     -> bits = NOT invbits
     -> anything XOR 0 = anything
     so: ctmark AND bits = ctmark AND NOT NOT bits = ctmark AND bits

--or-mark bits == --set-xmark bits/bits
     ctmark OR bits = (ctmark AND NOT bits) XOR bits
     -> should be obvious based on boolean logic

--xor-mark bits == --set-xmark bits/0
     ctmark XOR bits = (ctmark AND NOT 0) XOR bits
     -> anything AND NOT 0 = anything
+5
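The arithmetic from the answer, as an added worked example that is not part of the original question or answer. It implements mark = (mark AND NOT mask) XOR value, which is also the expression the kernel's xt_MARK target applies to the packet mark, builds the three mnemonics from it, and runs the rule from the question (0x70/0xffffffff) against several starting marks. One caveat worth noting: the rule in the question uses -j MARK, which changes the packet mark (nfmark), while the quoted text mentioning ctmark is from the CONNMARK target; the value/mask formula is the same for both, and both marks are 32 bits wide. The sample marks are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original post): the --set-xmark operation
 * exactly as the answer states it:
 *     mark = (mark AND NOT mask) XOR value
 * Packet mark (nfmark, -j MARK) and conntrack mark (ctmark, -j CONNMARK)
 * are both 32-bit, hence uint32_t throughout. */
uint32_t set_xmark(uint32_t mark, uint32_t value, uint32_t mask)
{
    return (mark & ~mask) ^ value;
}

/* The three mnemonics, built only from set_xmark with the value/mask
 * pairs the man page gives for them. */
uint32_t and_mark(uint32_t mark, uint32_t bits)
{
    /* --and-mark bits == --set-xmark 0/invbits, invbits = NOT bits */
    return set_xmark(mark, 0, ~bits);
}

uint32_t or_mark(uint32_t mark, uint32_t bits)
{
    /* --or-mark bits == --set-xmark bits/bits */
    return set_xmark(mark, bits, bits);
}

uint32_t xor_mark(uint32_t mark, uint32_t bits)
{
    /* --xor-mark bits == --set-xmark bits/0 */
    return set_xmark(mark, bits, 0);
}

/* Check the mnemonics against plain AND/OR/XOR over every pair drawn
 * from a small set of constructed marks; returns 1 if all agree. */
int mnemonics_agree(void)
{
    const uint32_t samples[] = { 0x00000000, 0x00000070, 0x0000ffff,
                                 0xdeadbeef, 0xffffffff, 0x80000001 };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            uint32_t m = samples[i], b = samples[j];
            if (and_mark(m, b) != (m & b)) return 0;
            if (or_mark(m, b)  != (m | b)) return 0;
            if (xor_mark(m, b) != (m ^ b)) return 0;
        }
    return 1;
}

int main(void)
{
    /* The rule from the question: --set-xmark 0x70/0xffffffff.
     * The mask is all ones, so every existing bit is zeroed before the
     * XOR and the result is 0x70 whatever the mark was before. */
    const uint32_t before[] = { 0x00000000, 0x00000070, 0xdeadbeef, 0xffffffff };
    for (size_t i = 0; i < sizeof before / sizeof before[0]; i++)
        printf("mark 0x%08x -> 0x%08x\n", before[i],
               set_xmark(before[i], 0x70, 0xffffffff));

    /* Contrast: --set-xmark 0x70/0x70 (the --or-mark form) only touches
     * bits 4..6 and leaves the rest of the mark alone. */
    printf("0xdeadbeef with 0x70/0x70 -> 0x%08x\n",
           set_xmark(0xdeadbeef, 0x70, 0x70));
    printf("mnemonics agree: %d\n", mnemonics_agree());
    return 0;
}
```

The practical reading of the question's rule is therefore "set the mark to exactly 0x70, discarding anything previously marked"; a mask narrower than 0xffffffff (for example 0x70/0x70 or 0x70/0xff) is what you want when other rules or daemons store their own bits in the same 32-bit mark and must not be clobbered.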
