On Mon, 2011-06-06 at 06:44 -0700, Maciej Żenczykowski wrote:
> > The mask indicates the bits one wants to zero out, so it needs to be
> > inverted before applying to the original TOS field.
>
> Uhm, does it?

Yes.

> (mind you I haven't looked at the documentation of the feature, but
> I'm still pretty sure the right fix here is to change the docs, not
> the functionality)

You should read the documentation. What is more if you check the IPv4
implementation you will see that it is doing the right thing and
inverting the mask before applying the logical and to it.

This bug went unnoticed for so long (in fact it has been broken since
day one) because IPv6 packets being mangled tend to have their DSCP
field zeroed out (it used to be random before
4319cc0cf5bb894b7368008cdf6dd20eb8868018 - netfilter: IPv6: initialize
TOS field in REJECT target module).

- Fernando
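
Added example (not part of the original message and not the kernel's code): a user-space C model of the two mask treatments discussed above, applied to a constructed IPv6 header. Function names are hypothetical, and the XOR of the value after masking is assumed from the documented `--set-tos value/mask` semantics. It shows that both treatments agree when the original field is zero and diverge otherwise.

```c
#include <stdint.h>
#include <stdio.h>

/* Intended: clear the bits selected by mask, then XOR in value (assumed). */
static uint8_t tos_inverted(uint8_t orig, uint8_t value, uint8_t mask)
{
    return (uint8_t)((orig & (uint8_t)~mask) ^ value);
}

/* Mask used without inversion: keeps exactly the bits it should clear. */
static uint8_t tos_uninverted(uint8_t orig, uint8_t value, uint8_t mask)
{
    return (uint8_t)((orig & mask) ^ value);
}

/* IPv6 header start: 4-bit version, 8-bit traffic class, 20-bit flow label. */
static uint8_t ipv6_get_tclass(const uint8_t *hdr)
{
    return (uint8_t)((hdr[0] << 4) | (hdr[1] >> 4));
}

static void ipv6_set_tclass(uint8_t *hdr, uint8_t tc)
{
    hdr[0] = (uint8_t)((hdr[0] & 0xF0) | (tc >> 4));
    hdr[1] = (uint8_t)((hdr[1] & 0x0F) | (uint8_t)(tc << 4));
}

/* Rewrite the traffic class in place and return the new value. */
static uint8_t mangle6(uint8_t *hdr, uint8_t value, uint8_t mask, int inverted)
{
    uint8_t orig = ipv6_get_tclass(hdr);
    uint8_t nv = inverted ? tos_inverted(orig, value, mask)
                          : tos_uninverted(orig, value, mask);
    ipv6_set_tclass(hdr, nv);
    return nv;
}

int main(void)
{
    /* Constructed inputs: a zeroed traffic class, and EF (0xb8) with ECN 01.
       Rule modelled: value 0x28 (AF11), mask 0xfc (DSCP bits, ECN untouched). */
    const uint8_t tclass[] = { 0x00, 0xb9 };
    for (int i = 0; i < 2; i++) {
        uint8_t a[4] = { (uint8_t)(0x60 | (tclass[i] >> 4)),
                         (uint8_t)((tclass[i] << 4) | 0x0a), 0xbc, 0xde };
        uint8_t b[4] = { a[0], a[1], a[2], a[3] };
        printf("orig=0x%02x inverted=0x%02x uninverted=0x%02x\n", tclass[i],
               mangle6(a, 0x28, 0xfc, 1), mangle6(b, 0x28, 0xfc, 0));
    }
    return 0;
}
```

With a zeroed field both variants yield the requested value, so a test that only mangles such packets cannot tell them apart.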