On 04/17/2016 09:41 AM, Justin Pryzby wrote:
> Hi All
>
> I'm trying to understand the difference between shorewall/iptables MARK and
> CLASSIFY. As I understand, classify used to be done at the TC layer (not
> iptables), but now (can be) done in iptables. Is there some reason to use
> MARK/CLASSIFY over the other?

MARK is Netfilter's 'Swiss Army Knife'. Each packet has a 32-bit integer associated with it and traffic shaping, routing, etc. have the ability to examine a set of bits in that integer and take action accordingly. In the case of Traffic Shaping, a 'classifier' filter is required that examines the mark and if a match is found, then the packet is assigned to the related tc class.

Each tc class is identified internally by a pair of hex numbers called a 'class id' (the usual 0x prefix is not written). The CLASSIFY target allows you to specify the class id directly for the class that is to handle the packet. So it is more efficient than using marks because a separate classification filter is not required.

HTH,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
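
The two approaches described in the reply above, side by side, as an added example that is not part of the original thread. The function names, interface eth0, TCP port 22, mark value 1 and class 1:10 are constructed for illustration, and the tc filter line assumes the qdisc handle shares the class's major number; the script only prints commands and changes nothing on the system.

```shell
#!/bin/sh
# Added example, not from the original thread. All values are constructed.

# Convert a tc class id "major:minor" (both hex, written without 0x) into
# the 32-bit handle: major in the high 16 bits, minor in the low 16 bits.
# Note that 1:10 therefore means minor 0x10 (decimal 16), not decimal 10.
classid_to_handle() {
    major=${1%%:*}
    minor=${1#*:}
    case "$1" in *:*) ;; *) return 1 ;; esac                 # need a colon
    case "$major$minor" in *[!0-9a-fA-F]*) return 1 ;; esac  # hex digits only
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    [ ${#major} -le 4 ] && [ ${#minor} -le 4 ] || return 1   # 16 bits each
    printf '0x%08x\n' $(( (0x$major << 16) | 0x$minor ))
}

# Approach 1: MARK sets the packet mark in the mangle table, and a separate
# tc "fw" classifier filter maps that mark to the class.
# Arguments: device, mark value, class id.
mark_rules() {
    classid_to_handle "$3" >/dev/null || return 1
    echo "iptables -t mangle -A POSTROUTING -o $1 -p tcp --dport 22 -j MARK --set-mark $2"
    echo "tc filter add dev $1 parent ${3%%:*}:0 protocol ip handle $2 fw classid $3"
}

# Approach 2: CLASSIFY names the class id directly, so no tc filter is needed.
# Arguments: device, class id.
classify_rules() {
    classid_to_handle "$2" >/dev/null || return 1
    echo "iptables -t mangle -A POSTROUTING -o $1 -p tcp --dport 22 -j CLASSIFY --set-class $2"
}

# Dry run: print both rule sets for the same traffic and the same class.
echo "# MARK + fw filter:"
mark_rules eth0 1 1:10
echo "# CLASSIFY:"
classify_rules eth0 1:10
echo "# class 1:10 as a 32-bit handle: $(classid_to_handle 1:10)"
```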
