On Sunday 2013-11-10 12:53, Patrick Schaaf wrote:
>
>I'm stumbling over a confusion, maybe just mine, regarding the use of the mask
>value of the TOS target in order to avoid messing with the ECN bits within.
>
> -j TOS --set-tos 0x0c/0xfc
>
>which should result in A) leaving ECN alone and B) set the DSCP bits to
>000011, the first "reserved for local use" value.

RFCs have the bit order reversed in their diagrams, which is… unusual,
but at least properly documented. It spells out: "bits 6 and 7 in the
IPv4 TOS octet are designed as the ECN field".

The keeper mask is therefore 0xc0, and the equivalent clearing mask is
0x3f (not 0xfc).

In the user interface, clearing masks are a must-have for bit
manipulation[1] targets, do not fall under "bit manipulation"), and
keeper masks are a must-have for bit tests. This is because they are
easiest to use for each case.

Lemma: Look at some C code. You will find

    void paint(animal *a)
    {
        if (a->type & HORSE) {
            a->type &= ~HORSE;
            a->type |= ZEBRA;
        }
    }

rather than

    if (foo & ~(DONKEY | HORSE | ZEBRA | MULE | ZULE | ZORSE)) {
        foo &= DONKEY | HORSE | ZEBRA | MULE | ZULE | ZORSE;
        foo |= ZEBRA;
    }

for the same reason.

[1] While many targets do some bit manipulation on the packet, the UI
does not expose it as such. For example, NAT uses IP addresses rather
than raw bits.
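
Added example (not part of the original message and not netfilter's own code): a small C program that applies the --set-tos value/mask operation to every possible TOS octet and reports which bits each of the two clearing masks named in the thread leaves alone. It assumes the zero-the-mask-bits-then-XOR semantics documented in iptables-extensions(8) and takes the ECN field to be the low two bits of the octet (Linux's INET_ECN_MASK); the helper names are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: ECN is the low two bits of the TOS octet, i.e. RFC 3168
 * "bits 6 and 7" counted from the most significant bit (INET_ECN_MASK). */
#define ECN_MASK 0x03u

/* --set-tos value/mask as documented in iptables-extensions(8):
 * zero the bits given by mask, then XOR value into the field. */
static uint8_t tos_set(uint8_t old, uint8_t value, uint8_t clear_mask)
{
    return (uint8_t)((old & (uint8_t)~clear_mask) ^ value);
}

/* A keeper mask is the complement of the clearing mask. */
static uint8_t keeper_of(uint8_t clear_mask)
{
    return (uint8_t)~clear_mask;
}

/* 1 if value/mask leaves the ECN bits of every possible octet unchanged. */
static int preserves_ecn(uint8_t value, uint8_t clear_mask)
{
    for (unsigned old = 0; old < 256; old++)
        if ((tos_set((uint8_t)old, value, clear_mask) & ECN_MASK) != (old & ECN_MASK))
            return 0;
    return 1;
}

/* 1 if every input octet ends up with the given DSCP (upper six bits). */
static int forces_dscp(uint8_t value, uint8_t clear_mask, uint8_t dscp)
{
    for (unsigned old = 0; old < 256; old++)
        if ((tos_set((uint8_t)old, value, clear_mask) >> 2) != dscp)
            return 0;
    return 1;
}

int main(void)
{
    /* The two clearing masks named in the thread, both with value 0x0c. */
    const uint8_t masks[] = { 0xfc, 0x3f };
    for (size_t i = 0; i < sizeof(masks); i++)
        printf("0x0c/0x%02x keeps=0x%02x ecn_preserved=%d dscp_forced_to_3=%d\n",
               masks[i], keeper_of(masks[i]),
               preserves_ecn(0x0c, masks[i]), forces_dscp(0x0c, masks[i], 0x03));
    return 0;
}
```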