Hi,

I have been playing quite a bit with iptables lately. Ever since the ipset was 
updated to support hash:ip,mark sets, there has been the potential to apply 
efficient matching on packet marks.
Does it make any sense to you to develop a new extension that, following U32 and 
MARK syntax, would allow us to read a 32-bit value and load it onto the packet 
mark?
To make it even more versatile we could support masking when dumping the value 
in the packet mark.

The aim is to support very efficient packet matching/classification on any 
32-bit field/region of any potential higher level protocol.

For example, read 4 bytes starting at offset 28 of the IP packet (first 4 bytes 
of the UDP payload), apply a mask of 0xF00F and use that result as the packet 
mark with mask value 0xFFFF:
iptables -A FORWARD -p udp -m udp --dport 12345 -j U32MARK --set-mark "28&0xF00F/0xFFFF"


Best,
Jesus
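
A user-space sketch of the computation the proposed rule would perform, added here as an example and not code from the original message or from netfilter. The name u32mark(), the reading of "28&0xF00F/0xFFFF" as offset&value-mask/mark-mask, the merge rule and the sample packet are assumptions; like the message's offset 28, it assumes an IPv4 header without options.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: IPv4 header (IHL=5, no options), UDP header with
 * dport 12345, then payload DE AD BE EF starting at offset 28. */
static const uint8_t sample_pkt[32] = {
    0x45, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02,
    0x10, 0x00, 0x30, 0x39, 0x00, 0x0c, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef,
};

/* Read a big-endian 32-bit word at `off` (the byte order u32 uses).
 * Returns 0 on success, -1 if the 4 bytes would run past the packet. */
static int read_be32(const uint8_t *pkt, size_t len, size_t off, uint32_t *out)
{
    if (len < 4 || off > len - 4)
        return -1;
    *out = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16) |
           ((uint32_t)pkt[off + 2] << 8) | (uint32_t)pkt[off + 3];
    return 0;
}

/* Hypothetical u32mark(): assumed meaning of "off&valmask/markmask".
 * Mask the word read, then clear the markmask bits of the mark and OR the
 * result in (the documented behaviour of MARK --set-mark value/mask). */
static int u32mark(const uint8_t *pkt, size_t len, size_t off,
                   uint32_t valmask, uint32_t markmask, uint32_t *mark)
{
    uint32_t word;

    if (read_be32(pkt, len, off, &word) < 0)
        return -1; /* truncated packet: leave the mark untouched */
    *mark = (*mark & ~markmask) | (word & valmask);
    return 0;
}

int main(void)
{
    uint32_t mark = 0xABCD1234u; /* constructed pre-existing mark */

    if (u32mark(sample_pkt, sizeof sample_pkt, 28, 0xF00F, 0xFFFF, &mark) == 0)
        printf("mark = 0x%08X\n", (unsigned)mark);
    return 0;
}
```

The bounds check matters because a datagram with fewer than 4 payload bytes would otherwise be read past its end; here such a packet simply keeps its existing mark.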