That did the trick. Both MARK and CONNMARK are working as expected.
--------------------------------------------------
From: "Patrick McHardy" <kaber@xxxxxxxxx>
Sent: Monday, January 12, 2009 9:19 AM
To: "Nikolay S. Rybalov" <nowhere@xxxxxxxxxxxxxxxx>
Cc: <netfilter@xxxxxxxxxxxxxxx>; "Netfilter Development Mailinglist"
<netfilter-devel@xxxxxxxxxxxxxxx>; "Jan Engelhardt" <jengelh@xxxxxxxxxx>
Subject: Re: Troubles with MARK target in 2.6.28
Nikolay S. Rybalov wrote:
Hi all,
I have troubles with the "-j MARK --set-xmark" combination in the mangle table.
Particularly, I want to set one bit in the nf mark by means of, say, --set-xmark
0x10/0x10, and it worked in kernels from at least 2.6.24 up to the last
in 2.6.27.
I use: iptables -t mangle -A POSTROUTING -o eth1 -d 192.168.37.0/24 -j
MARK --set-xmark 0x10/0x10
and get:
iptables v1.4.2: Unknown arg `(null)'
Try `iptables -h' or 'iptables --help' for more information.
When I try --or-mark, iptables says that my "kernel too old
for --or-mark"
Same thing happens with -j CONNMARK.
Can someone advise what to do? I really need to set only one bit without
altering the rest of the mark.
Does this patch fix it?
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 89837a4..36cb63b 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -289,6 +289,10 @@ static int target_revfn(u8 af, const char *name, u8
revision, int *bestp)
have_rev = 1;
}
}
+
+ if (af != NFPROTO_UNSPEC && !have_rev)
+ return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+
return have_rev;
}
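Review bot: the new fallback has no comment explaining why a miss in the per-family table should retry under NFPROTO_UNSPEC; a one-line comment above the `if (af != NFPROTO_UNSPEC && !have_rev)` check (targets such as MARK/CONNMARK being registered family-independent) would save the next reader a trip through the registration code. The logic itself reads correctly: the recursion cannot loop because the guard fails on the second call, an exact revision hit in the family-specific table still wins because the fallback is gated on `!have_rev`, and `*bestp` from the first pass is carried into the second, so the best revision reported back (which is what produces the "kernel too old" diagnosis on the userspace side) becomes the maximum across both tables. Note also that, as pasted in this mail, the `@@` header has wrapped onto two lines and the context lines have lost their indentation, so the patch will not apply verbatim from the message.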
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
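As an added example, not part of the thread or the netfilter code, this POSIX sh snippet works through the arithmetic behind `--set-xmark VALUE/MASK` (new mark = (old & ~MASK) ^ VALUE), shows how the older --set-mark/--and-mark/--or-mark/--xor-mark forms map onto it, and checks the reporter's 0x10/0x10 case against constructed sample marks; no iptables is needed to run it.

```shell
#!/bin/sh
# Added example (not from the thread): the mark arithmetic behind
# "-j MARK --set-xmark VALUE/MASK", i.e.
#     new_mark = (old_mark & ~MASK) ^ VALUE
# Marks are 32-bit, so every result is truncated with & 0xffffffff.

# xmark OLD VALUE MASK -> prints the resulting mark as 0x%08x
xmark() {
    old=$(($1)); value=$(($2)); mask=$(($3))
    printf '0x%08x\n' $(( ((old & ~mask) ^ value) & 0xffffffff ))
}

# The legacy MARK/CONNMARK options expressed as --set-xmark equivalents:
set_mark() { xmark "$1" "$2" 0xffffffff; }             # --set-mark V == V/0xffffffff
or_mark()  { xmark "$1" "$2" "$2"; }                   # --or-mark V  == V/V
and_mark() { xmark "$1" 0 $(( ~$2 & 0xffffffff )); }   # --and-mark V == 0/~V
xor_mark() { xmark "$1" "$2" 0; }                      # --xor-mark V == V/0

# Check the reporter's rule (--set-xmark 0x10/0x10) on constructed marks:
# bit 4 must end up set and every other bit must be left untouched.
check_one_bit() {
    r1=$(xmark 0x00000000 0x10 0x10)   # bit clear, mark empty -> 0x10
    r2=$(xmark 0x000000ef 0x10 0x10)   # bit clear, others set -> 0xff
    r3=$(xmark 0x000000ff 0x10 0x10)   # bit already set       -> unchanged
    [ "$r1" = 0x00000010 ] && [ "$r2" = 0x000000ff ] && [ "$r3" = 0x000000ff ]
}

check_one_bit && echo "0x10/0x10 sets exactly one bit"
```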