author | Florian Westphal <fw@strlen.de> | 2011-06-15 14:13:39 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2011-06-15 14:46:19 +0200 |
commit | 147ed522f52a62ab0d854ddc443d27d97dbf6cdf (patch) | |
tree | 4510d641535999044d1698b1adee0b61b878b75a /conntrack.8 | |
parent | 590f85ac03c4a2f5e7228e3c757b37fd792eb56a (diff) | |
conntrack: add support for mark mask
Extend --mark option to optionally take a mask, separated
by '/', e.g. --mark 0x80/0xf0.
When used with -L, only test those bits of the mark that
are in the mask range (behaves like iptables -m mark).
When used with -U, zero out those bits indicated by the mask and
XOR the new mark into the result (behaves like iptables -j MARK
--set-xmark).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'conntrack.8')
-rw-r--r-- | conntrack.8 | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/conntrack.8 b/conntrack.8 index 0565907..6525123 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -135,8 +135,12 @@ This option is only required in conjunction with "-L, --dump". If this option is .BI "-t, --timeout " "TIMEOUT" Specify the timeout. .TP -.BI "-m, --mark " "MARK" -Specify the conntrack mark. +.BI "-m, --mark " "MARK[/MASK]" +Specify the conntrack mark. Optionally, a mask value can be specified. +In "--update" mode, this mask specifies the bits that should be zeroed before XORing +the MARK value into the ctmark. +Otherwise, the mask is logically ANDed with the existing mark before the comparision. +In "--create" mode, the mask is ignored. .TP .BI "-c, --secmark " "SECMARK" Specify the conntrack selinux security mark. |
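Review bot: In the added --mark text, "Otherwise, the mask is logically ANDed with the existing mark before the comparision" is immediately followed by "In "--create" mode, the mask is ignored", so "Otherwise" first reads as covering --create and is then contradicted. Suggest naming the modes that actually compare (the commit message only mentions -L) and stating the --create exception before the general rule. "comparision" should be "comparison". The paragraph also does not say what mask applies when /MASK is omitted, and a short example such as the commit message's --mark 0x80/0xf0 would make the MARK[/MASK] syntax and the zero-then-XOR update behaviour easier to read in the man page.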