I still think that nexthdr should be fixed, but I'd like to mention that
iptables --protocol tcp can do pretty much the same thing. That is,

    tc filter add dev $1 protocol ip parent 10:0 prio 1 u32 \
        match ip protocol 0x6 0xff match u8 0x02 0x16 at nexthdr+13 flowid 10:3

can be replaced by

    iptables -A PREROUTING -t mangle -p tcp --syn -j MARK --set-mark 2
    tc filter add dev $1 protocol ip parent 10:0 prio 5 handle 2 fw \
        classid 10:3

By the way, as far as I see from the doc there's only one mark. It would be
useful, I think, to allow access to individual bits, e.g.,

    --set-mark 6 mask 7

to set the lowest 3 bits (and similarly in tc to examine only certain bits).
This would allow you to use different bits for different things.

I wonder where I should send this suggestion. Perhaps the right people are
reading this list?
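The following is an added example, not code from the post or from the tc/iptables projects. It works out, on constructed packets, what the two rules above actually test: `match u8 0x02 0x16 at nexthdr+13` reads the TCP flags byte (offset 13 from the start of the transport header, which begins at IHL*4, i.e. after any IP options) and requires SYN set with RST and ACK clear (0x16 = SYN|RST|ACK). Current iptables defines `--syn` as `--tcp-flags SYN,RST,ACK,FIN SYN`, so the two differ only on a packet with both SYN and FIN set; the example shows that edge case. It also models the masked mark write the post asks for, using the semantics that later iptables releases adopted for `--set-mark value/mask` (zero the bits in mask, OR in value), and the matching `(mark & mask) == handle` test on the tc side. All packet contents are constructed test data; the function and constant names are this example's own.

```python
import struct

# TCP flag bits as they appear in the flags byte (offset 13 of the TCP header)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(flags, ip_options=b"", payload=b""):
    """Construct a minimal IPv4+TCP packet (constructed test data, not a capture).
    ip_options is padded to a multiple of 4 bytes so the IHL field stays valid."""
    if len(ip_options) % 4:
        ip_options += b"\x00" * (4 - len(ip_options) % 4)
    ihl = 5 + len(ip_options) // 4
    # src port, dst port, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    total = ihl * 4 + len(tcp) + len(payload)
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return ip + tcp + payload


def ip_protocol(pkt):
    """Byte 9 of the IPv4 header: the protocol field (6 = TCP)."""
    return pkt[9]


def nexthdr_offset(pkt):
    """Where the transport header starts: IHL*4, so IP options shift it."""
    return (pkt[0] & 0x0F) * 4


def u32_match_u8(pkt, value, mask, at):
    """tc u32 `match u8 VALUE MASK at nexthdr+AT`: true if (byte & mask) == value."""
    return (pkt[nexthdr_offset(pkt) + at] & mask) == value


def tc_syn_filter(pkt):
    """The post's u32 rule: IP protocol 6 and flags byte & 0x16 == 0x02,
    i.e. SYN set, RST and ACK clear (FIN is not examined)."""
    return ip_protocol(pkt) == 6 and u32_match_u8(pkt, 0x02, 0x16, 13)


def iptables_syn(pkt):
    """iptables -p tcp --syn as current iptables defines it:
    --tcp-flags SYN,RST,ACK,FIN SYN, so FIN must be clear as well."""
    mask = TCP_SYN | TCP_RST | TCP_ACK | TCP_FIN
    return ip_protocol(pkt) == 6 and u32_match_u8(pkt, TCP_SYN, mask, 13)


def set_mark(old_mark, value, mask=0xFFFFFFFF):
    """Masked mark write (the `--set-mark value/mask` semantics): clear the
    bits selected by mask, then OR in value's bits within that mask."""
    return (old_mark & ~mask & 0xFFFFFFFF) | (value & mask)


def fw_classify(mark, handle, mask=0xFFFFFFFF):
    """Bit-selective fw classification: the packet matches when
    (mark & mask) == handle, so other bits can carry unrelated state."""
    return (mark & mask) == handle


if __name__ == "__main__":
    plain_syn = build_ipv4_tcp(TCP_SYN)
    syn_ack = build_ipv4_tcp(TCP_SYN | TCP_ACK)
    syn_with_options = build_ipv4_tcp(TCP_SYN, ip_options=b"\x01\x01\x01\x01")
    syn_fin = build_ipv4_tcp(TCP_SYN | TCP_FIN)
    for name, pkt in [("SYN", plain_syn), ("SYN+ACK", syn_ack),
                      ("SYN w/ IP options", syn_with_options), ("SYN+FIN", syn_fin)]:
        print(f"{name:18s} nexthdr={nexthdr_offset(pkt):2d} "
              f"u32={tc_syn_filter(pkt)} iptables_syn={iptables_syn(pkt)}")
    mark = set_mark(0xF8, 6, 7)   # lowest 3 bits become 110, upper bits kept
    print(hex(mark), fw_classify(mark, 6, 7))
```

The IP-options case is the one that makes `nexthdr+` matter: with four bytes of options the flags byte sits at offset 24+13, not 20+13, and a filter that assumed a 20-byte header would read the wrong byte. The mark functions show why a mask is worth having: `set_mark(0xF8, 6, 7)` leaves the upper bits intact, and `fw_classify(mark, 6, 7)` still matches, so the low three bits can be owned by one policy while the rest are used elsewhere.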