Re: shift by n bits while performing '--restore-mark'

Jack Ma <Jack.Ma@xxxxxxxxxxxxxxxxxxx> wrote:
> Our current condition is:
> 
> 1) only 0xfff00000 (three F available in skb->mark), but 0xfffff000 (five F available in ct->mark)
> 
> We wish to copy either 0xfff00000 or 0x00fff000 from ct->mark into skb->mark,
> 
> 
> What about '-j CONNMARK  --restore-mark --mask 0xfffff000 << 8 ( left shift 2 F)'
> 
> This will result in skb->mark = ct->mark << 8
> 
> if ct->mark = 0xabcde000, now skb->mark is changed to:  skb->mark = 0xcde00000.
> 
> Does this make sense :) ?

Yes it does.

AFAICS with nftables you could already do this but I can understand if
you need to use iptables for this.

So feel free to send a patch from xt_connmark.

Thanks for explaining this.
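
The mask-then-shift restore proposed in the quoted message, as an added example that is not part of the original thread and is not xt_connmark code. The struct, enum and function names are hypothetical, and the rule for merging into skb->mark (keep the bits outside nfmask, XOR in the shifted value) is an assumption about how a restore would combine the two marks.

```c
#include <stdint.h>
#include <stdio.h>

enum shift_dir { SHIFT_LEFT, SHIFT_RIGHT };   /* hypothetical names */

struct restore_opts {
    uint32_t ctmask;      /* bits selected from ct->mark before the shift */
    uint32_t nfmask;      /* bits of skb->mark the restore may overwrite */
    enum shift_dir dir;
    unsigned bits;        /* shift distance; 0 means plain restore */
};

/* Return the new skb->mark for a restore with an optional shift. */
static uint32_t restore_mark(uint32_t skb_mark, uint32_t ct_mark,
                             const struct restore_opts *o)
{
    uint32_t v = ct_mark & o->ctmask;

    if (o->bits >= 32)
        v = 0;            /* shifting a 32-bit value by >= 32 is undefined in C */
    else if (o->dir == SHIFT_LEFT)
        v <<= o->bits;    /* high bits fall off, as in the thread's example */
    else
        v >>= o->bits;

    /* Assumed merge rule: bits outside nfmask survive untouched. */
    return (skb_mark & ~o->nfmask) ^ v;
}

int main(void)
{
    /* Values from the thread: ct->mark = 0xabcde000, mask 0xfffff000, << 8. */
    struct restore_opts thread = { 0xfffff000u, 0xfffff000u, SHIFT_LEFT, 8 };
    /* The two fields the poster wants to choose between (constructed options). */
    struct restore_opts top    = { 0xfff00000u, 0xfff00000u, SHIFT_LEFT, 0 };
    struct restore_opts middle = { 0x00fff000u, 0xfff00000u, SHIFT_LEFT, 8 };
    uint32_t ct = 0xabcde000u;

    printf("thread example: 0x%08x\n", (unsigned)restore_mark(0, ct, &thread));
    printf("top field:      0x%08x\n", (unsigned)restore_mark(0x123, ct, &top));
    printf("middle field:   0x%08x\n", (unsigned)restore_mark(0x123, ct, &middle));
    return 0;
}
```

When the shifted value is kept inside nfmask, as in the `top` and `middle` options, the low bits already set in skb->mark are preserved.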