From 6d9ae2952a440b4ff28e86df6d18b53caa7ecd94 Mon Sep 17 00:00:00 2001 From: Anton Danilov Date: Tue, 2 Sep 2014 14:15:53 +0400 Subject: xtables: SET target: Add mapping of meta informations (skbinfo ipset extension) This feature add support of mapping metainformation to packets like nftables maps or ipfw tables. Currently we can map firewall mark, tc priority and hardware NIC queue. Usage of this functionality allowed only from mangle table. We can map tc priority only in OUTPUT/FORWARD/POSTROUTING chains because it rewrite by route decision. If entry doesn't exist in the set nothing of fields changed. Example of classify by destination address: iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio Signed-off-by: Anton Danilov Signed-off-by: Jozsef Kadlecsik --- extensions/libxt_SET.man | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'extensions/libxt_SET.man') diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man index c35ba93d..78a9ae0f 100644 --- a/extensions/libxt_SET.man +++ b/extensions/libxt_SET.man @@ -6,6 +6,10 @@ add the address(es)/port(s) of the packet to the set .TP \fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] delete the address(es)/port(s) of the packet from the set +.TP +\fB\-\-map\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] +[\-\-map\-mark] [\-\-map\-prio] [\-\-map\-queue] +map packet properties (firewall mark, tc priority, hardware queue) .IP where \fIflag\fP(s) are .BR "src" @@ -20,6 +24,23 @@ one from the set definition \fB\-\-exist\fP when adding an entry if it already exists, reset the timeout value to the specified one or to the default from the set definition +.TP +\fB\-\-map\-set\fP \fIset\-name\fP +the set-name should be created with --skbinfo option +\fB\-\-map\-mark\fP +map firewall mark to packet by lookup of value in the set +\fB\-\-map\-prio\fP +map traffic control priority to packet by lookup of value in the set +\fB\-\-map\-queue\fP +map hardware NIC queue to packet by lookup of value in the set +.IP +The +\fB\-\-map\-set\fP +option can be used from the mangle table only. The +\fB\-\-map\-prio\fP +and +\fB\-\-map\-queue\fP +flags can be used in the OUTPUT, FORWARD and POSTROUTING chains. .PP Use of -j SET requires that ipset kernel support is provided, which, for standard kernels, is the case since Linux 2.6.39. -- cgit v1.2.3