conntrack: add support for mark mask

Extend --mark option to optionally take a mask, seperated by '/', e.g. --mark 0x80/0xf0. When used with -L, only test those bits of the mark that are in the mask range (behaves like iptables like -m mark). When used with -U, zero out those bits indicated by the mask and XOR the new mark into the result (behaves like iptables -j MARK --set-xmark). Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2011-06-15 14:13:39 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2011-06-15 14:46:19 +0200
commit: 147ed522f52a62ab0d854ddc443d27d97dbf6cdf (patch)
tree: 4510d641535999044d1698b1adee0b61b878b75a /conntrack.8
parent: 590f85ac03c4a2f5e7228e3c757b37fd792eb56a (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/conntrack.8 b/conntrack.8
index 0565907..6525123 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -135,8 +135,12 @@ This option is only required in conjunction with "-L, --dump". If this option is
 .BI "-t, --timeout " "TIMEOUT"
 Specify the timeout.
 .TP
-.BI "-m, --mark " "MARK"
-Specify the conntrack mark.
+.BI "-m, --mark " "MARK[/MASK]"
+Specify the conntrack mark.  Optionally, a mask value can be specified.
+In "--update" mode, this mask specifies the bits that should be zeroed before XORing
+the MARK value into the ctmark.
+Otherwise, the mask is logically ANDed with the existing mark before the comparision.
+In "--create" mode, the mask is ignored.
 .TP
 .BI "-c, --secmark " "SECMARK"
 Specify the conntrack selinux security mark.
author	Florian Westphal <fw@strlen.de>	2011-06-15 14:13:39 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2011-06-15 14:46:19 +0200
commit	147ed522f52a62ab0d854ddc443d27d97dbf6cdf (patch)
tree	4510d641535999044d1698b1adee0b61b878b75a /conntrack.8
parent	590f85ac03c4a2f5e7228e3c757b37fd792eb56a (diff)