author | Ido Schimmel <idosch@nvidia.com> | 2022-06-14 17:26:57 +0300 |
---|---|---|
committer | David Ahern <dsahern@kernel.org> | 2022-06-16 12:57:23 -0600 |
commit | bfffaf1360916a5acc80c96008cb70b038476e00 (patch) | |
tree | 600da9258d203a880317f650c3f6f93744741a96 | |
parent | cebf67a35d8aa8945e5aaa409220e1b3c612969c (diff) | |
man: tc-fw: Document masked handle usage
The tc-fw filter can be used to match on the packet's fwmark by adding a
filter with a matching handle. It also supports matching on specific
bits of the fwmark by specifying the handle together with a mask. This
is documented in the usage message below, but not in the man page.
Document it in the man page together with an example.
$ tc filter add fw help
Usage: ... fw [ classid CLASSID ] [ indev DEV ] [ action ACTION_SPEC ]
CLASSID := Push matching packets to the class identified by CLASSID with format X:Y
CLASSID is parsed as hexadecimal input.
DEV := specify device for incoming device classification.
ACTION_SPEC := Apply an action on matching packets.
NOTE: handle is represented as HANDLE[/FWMASK].
FWMASK is 0xffffffff by default.
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
-rw-r--r-- | man/man8/tc-fw.8 | 44 |
1 files changed, 41 insertions, 3 deletions
diff --git a/man/man8/tc-fw.8 b/man/man8/tc-fw.8 index 711e128f1..589505aef 100644 --- a/man/man8/tc-fw.8 +++ b/man/man8/tc-fw.8 @@ -14,9 +14,15 @@ the .B fw filter allows one to classify packets based on a previously set .BR fwmark " by " iptables . -If it is identical to the filter's +If the masked value of the +.B fwmark +matches the filter's masked .BR handle , -the filter matches. +the filter matches. By default, all 32 bits of the +.B handle +and the +.B fwmark +are masked. .B iptables allows one to mark single packets with the .B MARK @@ -60,7 +66,39 @@ statement marking packets coming in on eth0: iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 6 .EE .RE + +Specific bits of the packet's +.B fwmark +can be set using the +.B skbedit +action. For example, to only set one bit of the +.B fwmark +without changing any other bit: + +.RS +.EX +tc filter add ... action skbedit mark 0x8/0x8 +.EE +.RE + +The +.B fw +filter can then be used to match on this bit by masking the +.B handle: + +.RS +.EX +tc filter add ... handle 0x8/0x8 fw action drop +.EE +.RE + +This is useful when different bits of the +.B fwmark +are assigned different meanings. +.EE +.RE .SH SEE ALSO .BR tc (8), .BR iptables (8), -.BR iptables-extensions (8) +.BR iptables-extensions (8), +.BR tc-skbedit (8) |
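Review bot: In the first hunk (@@ -14,9 +14,15), the sentence "By default, all 32 bits of the handle and the fwmark are masked" is ambiguous, because "masked" can be read as masked out and ignored. The usage message quoted in the commit log says it precisely: "FWMASK is 0xffffffff by default". Suggest stating that the mask defaults to 0xffffffff so that all 32 bits are compared, and naming the HANDLE[/FWMASK] syntax in this paragraph, since the description never spells it out and a reader can only infer it from the later "handle 0x8/0x8" example.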
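Review bot: In the second hunk (@@ -60,7 +66,39), the ".EE" and ".RE" added right after "are assigned different meanings." have no matching ".RS"/".EX". Both new example blocks already close themselves, and the iptables example is closed by the context lines at the top of the hunk, so these two lines end an example and pop an indent that were never opened just before ".SH SEE ALSO". Suggest dropping them. As a style point in the same hunk, ".B handle:" sets the colon in bold; ".BR handle :" would keep the punctuation in roman, as the existing ".BR handle ," does.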