Re: [PATCH] add hash:ip,mark data type to ipset

Hi Vytas,

On Wed, 20 Nov 2013, Vytas Dauksa wrote:

> The intended use is similar to the ip:port type, but for protocols which don't use
> a predictable port number. Instead of port number it matches a firewall mark
> determined by a layer 7 filtering program like opendpi, which will be called
> by an earlier iptables rule.

OK, I see.
 
> I wasn't sure if it's best to set mark on individual entry within a set or for
> whole set with or without mask.
> What are your views on it? For now it's set on individual entries without mask.

I think mark value and mask pair per element would be more useful and 
flexible than a mark value alone. The "mark" match uses value[/mask], so 
the same should be used here too.

There's one thing I spotted in your patch, in both *_uadt functions:

+       e.mark = htonl(nla_get_u32(tb[IPSET_ATTR_MARK]));

The value is passed in network order back and forth, so it should be at 
both places:

+       e.mark = ntohl(nla_get_u32(tb[IPSET_ATTR_MARK]));

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
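The two points raised above, the value[/mask] form of a mark element and the byte order of a mark carried in a netlink attribute, as an added C example that is not part of the patch or of the ipset code base. The element struct, `parse_mark`, `ipmark_match`, `put_mark_attr` and `get_mark_attr` are hypothetical stand-ins: the netlink attribute is modelled as four raw bytes and `memcpy` stands in for `nla_get_u32()`. Note that `htonl()` and `ntohl()` compute the same byte swap on every architecture, so the quoted `htonl()` line gives the right value in practice; the fix makes the code say what it does, a network-order value being converted to host order.

```c
/* Added example, not code from the patch or from ipset. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical element of a hash:ip,mark set: an IPv4 address plus a
 * mark value and mask, mirroring the "mark" match's value[/mask]. */
struct ipmark_elem {
    uint32_t ip;    /* host order, for simplicity */
    uint32_t mark;
    uint32_t mask;
};

/* Parse "value[/mask]" in the iptables mark-match style (hex or decimal,
 * strtoul base 0). A missing mask means all bits must match. */
int parse_mark(const char *s, uint32_t *mark, uint32_t *mask)
{
    char buf[64];
    char *slash, *end;
    unsigned long v;

    if (strlen(s) >= sizeof(buf))
        return -1;
    strcpy(buf, s);
    slash = strchr(buf, '/');
    if (slash)
        *slash = '\0';
    v = strtoul(buf, &end, 0);
    if (*end != '\0' || v > 0xffffffffUL)
        return -1;
    *mark = (uint32_t)v;
    if (slash) {
        v = strtoul(slash + 1, &end, 0);
        if (*end != '\0' || v > 0xffffffffUL)
            return -1;
        *mask = (uint32_t)v;
    } else {
        *mask = 0xffffffffU;
    }
    /* Value bits outside the mask could never match: reject them. */
    if (*mark & ~*mask)
        return -1;
    return 0;
}

/* Does a packet with (ip, skb_mark) hit this element? */
int ipmark_match(const struct ipmark_elem *e, uint32_t ip, uint32_t skb_mark)
{
    return e->ip == ip && (skb_mark & e->mask) == e->mark;
}

/* Userspace side: the mark goes into the attribute in network order,
 * which is what htonl() is for. */
void put_mark_attr(uint32_t mark, unsigned char out[4])
{
    uint32_t be = htonl(mark);
    memcpy(out, &be, 4);
}

/* Kernel side: nla_get_u32() hands back the raw 32-bit payload; because
 * it was sent in network order, the receiver converts it with ntohl(). */
uint32_t get_mark_attr(const unsigned char in[4])
{
    uint32_t raw;
    memcpy(&raw, in, 4);          /* stand-in for nla_get_u32() */
    return ntohl(raw);
}

/* Round-trip check: returns 1 when attribute encoding is consistent. */
int roundtrip_ok(uint32_t mark)
{
    unsigned char attr[4];
    put_mark_attr(mark, attr);
    /* First byte on the wire must be the most significant byte. */
    if (attr[0] != (unsigned char)(mark >> 24))
        return 0;
    return get_mark_attr(attr) == mark;
}

int main(void)
{
    struct ipmark_elem e = { .ip = 0x0a000001u };

    if (parse_mark("0x10/0xff0", &e.mark, &e.mask) != 0)
        return 1;
    printf("mark 0x%x/0x%x: 0x1015 -> %d, 0x1105 -> %d\n", e.mark, e.mask,
           ipmark_match(&e, 0x0a000001u, 0x1015u),
           ipmark_match(&e, 0x0a000001u, 0x1105u));
    printf("netlink round trip: %s\n",
           roundtrip_ok(0x12345678u) ? "ok" : "BROKEN");
    return 0;
}
```

The `parse_mark` rejection of value bits outside the mask is the kind of sanity check a `*_uadt` function would want, since such an element would be accepted but never match anything.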