Re: MARK vs CLASSIFY with tc

Linux Advanced Routing and Traffic Control

Hi Wang Jian,

On Wed 06 Apr 2005 17:18, Wang Jian wrote:
> ...
> It depends. You must consider the ruleset size and ruleset pattern.
>
> For a large ruleset, it is not good to let every packet go through the
> rules and get matched on some class. Think about 200 rules as an example.
>
> It is better to have some kind of memory on a flow. If the first packet of a
> flow is classified as class C1, then it is good to remember it, and every
> following packet of this flow is classified as class C1.
>
> iptables/netfilter has CONNMARK support, which can be used to remember
> an u32 number, and then set packet's mark from this CONNMARK.
>
> You can use such scheme
>
> # if the flag is set, then restore connmark to mark
> iptables -m connmark --mark value/mask -j CONNMARK --restore-mark --mask mask

Do you know if this mask here is able to match more than one mark? Like if, 
say, to match the mark range from 10000 (0x2710) to 20000 (0x4e20), the above 
will be:

iptables ... -m connmark --mark 0x2710/0xb1df -j CONNMARK --restore-mark --mask 0xb1df

where 0xb1df is (65535 XOR 20000). I guess it is just XOR, not XOR then +1 (which 
would give a mask value of 0xb1e0), which I saw in some examples (google) of 
using the masking bits.


> # else, do the various match
> iptables <match rule 1> -j CONNMARK --set-mark value/mask
> iptables <match rule 1> -j RETURN
> iptables <match rule 2> -j CONNMARK --set-mark value/mask
> iptables <match rule 2> -j RETURN
>

It makes a lot of sense (I have to review the netfilter/iptables docs a bit to 
bring myself up to speed).


> Using this method, the first packet is matched in O(N), but following
> packets are matched in O(1).
>
> So it is good to use iptables CONNMARK + MARK and tc fw filter.
>
> But, if the ruleset is small, the difference should be small. You then
> should choose the better one for you:
>
> 1. netfilter is more flexible;
> 2. tc filter is expected to be a little faster (I am not sure);
>

Thanks a lot,
Adrian
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
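Editor's worked example, added to this archived thread and not code posted by either participant: a small Python model of the netfilter `-m connmark --mark value/mask` test (the match succeeds when `(connmark & mask) == (value & mask)`), a helper that works out which value/mask pairs are needed to cover a range of marks such as the 10000..20000 case asked about above, and a toy chain that shows why the restore-first CONNMARK scheme walks the N match rules only for the first packet of a flow. Ports, marks and the 200-rule ruleset are constructed for the illustration; the generated `iptables` lines use the `--restore-mark` spelling from the thread.

```python
"""Model of `-m connmark --mark value/mask`, range-to-mask decomposition, and the
restore-first CONNMARK flow memory discussed in the thread (editor's example)."""
from dataclasses import dataclass, field
from typing import Callable

MARK_BITS = 0xFFFFFFFF  # nfmark and connmark are unsigned 32-bit values


def connmark_matches(connmark: int, value: int, mask: int) -> bool:
    """netfilter semantics of `-m connmark --mark value/mask`:
    the rule matches when (connmark & mask) == (value & mask)."""
    return (connmark & mask) == (value & mask)


def marks_matched(value: int, mask: int) -> int:
    """Number of distinct connmark values one value/mask test accepts:
    one per combination of the bits the mask does not look at."""
    return 1 << (32 - bin(mask & MARK_BITS).count("1"))


def range_to_value_masks(lo: int, hi: int) -> list[tuple[int, int]]:
    """Decompose the inclusive range lo..hi into the fewest value/mask pairs.
    One pair matches exactly one power-of-two block aligned to its size, so a
    single rule covers a range only when the range is such a block (16..31 is,
    10000..20000 is not); otherwise several rules are needed, exactly like
    splitting an IP range into CIDR prefixes."""
    pairs = []
    cur = lo
    while cur <= hi:
        size = 1
        # grow the block while it stays aligned at `cur` and does not overshoot hi
        while (cur & (2 * size - 1)) == 0 and cur + 2 * size - 1 <= hi:
            size *= 2
        pairs.append((cur, MARK_BITS & ~(size - 1)))
        cur += size
    return pairs


def iptables_rules_for_range(lo: int, hi: int) -> list[str]:
    """Rule text for 'if the connmark lies in lo..hi, copy it to the packet mark'."""
    return [
        f"iptables -t mangle -A PREROUTING -m connmark --mark {v:#x}/{m:#x} "
        f"-j CONNMARK --restore-mark"
        for v, m in range_to_value_masks(lo, hi)
    ]


@dataclass(frozen=True)
class Packet:
    flow: tuple[str, str, int]  # (src, dst, dport): the key conntrack tracks the flow by
    dport: int


@dataclass
class MangleChain:
    """Toy model of the chain from the thread: restore a remembered connmark if
    one is set, otherwise walk the N match rules, remember the winning mark on
    the conntrack entry (CONNMARK --set-mark) and RETURN."""
    rules: list[tuple[Callable[[Packet], bool], int]]
    conntrack: dict[tuple, int] = field(default_factory=dict)  # flow -> connmark
    rules_evaluated: int = 0

    def classify(self, pkt: Packet) -> int:
        saved = self.conntrack.get(pkt.flow, 0)
        if not connmark_matches(saved, 0, MARK_BITS):  # connmark already set?
            return saved                                # --restore-mark: O(1), no rule walked
        for pred, mark in self.rules:                   # first packet of the flow: O(N)
            self.rules_evaluated += 1
            if pred(pkt):
                self.conntrack[pkt.flow] = mark         # CONNMARK --set-mark
                return mark                             # -j RETURN
        return 0                                        # nothing matched: default class


def demo_flow_memory(n_rules: int = 200) -> tuple[int, int, int, int]:
    """Constructed ruleset: rule i classifies destination port 1000+i into mark
    0x100+i.  Returns (mark, rules walked) for the first and second packet of a
    flow that only the *last* rule matches, the worst case for the linear walk."""
    rules = [(lambda p, port=1000 + i: p.dport == port, 0x100 + i) for i in range(n_rules)]
    chain = MangleChain(rules)
    port = 1000 + n_rules - 1
    pkt = Packet(("10.0.0.1", "10.0.0.2", port), port)
    mark_first = chain.classify(pkt)
    walked_first = chain.rules_evaluated
    mark_second = chain.classify(pkt)
    walked_second = chain.rules_evaluated - walked_first
    return mark_first, walked_first, mark_second, walked_second


if __name__ == "__main__":
    print("first/second packet (mark, rules walked):", demo_flow_memory())
    print(len(range_to_value_masks(10000, 20000)), "rules needed for marks 10000..20000")
    print(marks_matched(0x2710, 0xB1DF), "marks accepted by 0x2710/0xb1df")
    for line in iptables_rules_for_range(16, 31):
        print(line)
```

The `range_to_value_masks` output is what to reach for when a range of marks has to be recognised by `-m connmark`: a mask only ever selects bit positions, so an unaligned range decomposes into several value/mask rules rather than one, and laying the class marks out on power-of-two boundaries up front keeps that rule count at one.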
