Re: Future of CONNMARK (was Re: MASQUERADE: Route sent us somewhere else (was Re: Fw: Rusty's brain broke!)

On Sat, 17 Jan 2004, Tom Eastep wrote:

> I am very much in favor of the change you propose. The ability to set 
> individual bits would allow Netfilter configuration tools like Shorewall to 
> make internal use of packet marking by reserving part of the mark field for 
> use by the tool and the remainder of the field for use by the user.
> 
> Given that the current MARK target lacks this capability, I am not able to 
> make effective use of that target in Shorewall.

Please note that we are talking about the CONNMARK target which is quite 
different from MARK. The two operate on different values. The discussed 
change will NOT add mask operations to the standard MARK target.

If you need mask operations in the standard MARK target then nothing stops
you from writing an extended MARK target having mask operations. It is
just that it can not be done easily in the standard kernel due to binary
compatibility issues.

Why there is not an extra class p-o-m patch to add mask capability to MARK 
I do not know. I am pretty sure the netfilter team would not mind if such a 
patch is submitted, but as indicated above it can not progress beyond 
"extra" due to the frozen nature of the existing MARK target, at least not 
unless a different target name is used.

It is a pity the iptables match/target interface does not have versioning 
support of the target/match structures. Maybe 2.7 will..

Regards
Henrik
