Some questions about “-set-xmark” in iptables

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP

Some questions about “-set-xmark” in iptables



I have a rule as following:


-A PREROUTING -d 10.228.20.15/32 -p tcp -m tcp --dport 80--tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 0x70/0xffffffff



The man doc explains --set-xmark as below:


--set-xmark



Zero out the bits given by mask and XOR value into the ctmark.



English is not my native language. Could anyone help to explain what value would be set into ctmark?
What zero out means? Take a example would be appreciated.




2 Answers
2



So the syntax is --set-xmark value/mask. The resulting operation is:


--set-xmark value/mask


ctmark = (ctmark AND NOT mask) XOR value



Zero-out corresponds to (ctmark AND NOT mask): if a bit in mask is set, then the corresponding bit in ctmark will be zero (before the XOR).


(ctmark AND NOT mask)


mask


ctmark



The man page also states:


--and-mark bits
Binary AND the ctmark with bits. (Mnemonic for --set-xmark
0/invbits, where invbits is the binary negation of bits.)

--or-mark bits
Binary OR the ctmark with bits. (Mnemonic for --set-xmark
bits/bits.)

--xor-mark bits
Binary XOR the ctmark with bits. (Mnemonic for --set-xmark
bits/0.)



You can validate the operation above against those definitions:


--and-mark bits == --set-xmark 0/invbits
ctmark AND bits = (ctmark AND NOT invbits) XOR 0
-> bits = NOT invbits
-> anything XOR 0 = anything
so: ctmark AND bits = ctmark AND NOT NOT bits = ctmark AND bits

--or-mark bits == --set-mark bits/bits
ctmark OR bits = (ctmark AND NOT bits) XOR bits
-> should be obvious based on boolean logic

--xor-mark bits == -set-mark bits/0
ctmark XOR bits = (ctmark AND NOT 0) XOR bits
-> anything AND NOT 0 = anything





Thanks for your explanation. It's very helpful for me to understand.
– harlan
Feb 25 '14 at 6:20



I have questions.



For example, I wrote --set-xmark 0x1000/0xFF00, it's means 0x1000 AND 0xFF00 => 0x1000 .


--set-xmark 0x1000/0xFF00


0x1000 AND 0xFF00


0x1000



I think the value of ctmark is the current value. what if ctmark value is 0.
therefore 0x1000 XOR 0x0000 => 0x1000


0x1000 XOR 0x0000


0x1000



Summary: --set-xmark 0x1000/0xFF00 is (0x1000 AND 0xFF00) XOR 0x0000) => 0x1000


--set-xmark 0x1000/0xFF00


(0x1000 AND 0xFF00) XOR 0x0000)


0x1000



it's ok?






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

Comments

Post a Comment

Popular posts from this blog

Executable numpy error

Image
Clash Royale CLAN TAG #URR8PPP Executable numpy error I'm trying to create an executable file for my code. I've already tried with cx_Freeze and with pyinstaller. Both gives me the same error, which is: "Missing required dependencies 0.format(missing_dependencies))" PS C:UsersGustavoDesktopbuildexe.win32-3.6> python AgendaOficial.py C:UsersGustavoAppDataLocalProgramsPythonPython36-32python.exe: can't open file 'AgendaOficial.py': [Errno 2] No such file or directory PS C:UsersGustavoDesktopbuildexe.win32-3.6> .AgendaOficial.exe Traceback (most recent call last): File "C:UsersGustavoAppDataLocalProgramsPythonPython36-32libsite-packagescx_Freezeinitscripts__startup__.py", line 14, in run module.run() File "C:UsersGustavoAppDataLocalProgramsPythonPython36-32libsite-packagescx_FreezeinitscriptsConsole.py", line 26, in run exec(code, m. dict ) File "AgendaOficial.py", line 8, in File "C:UsersGustavoAppDataLocal
Read more

PySpark count values by condition

Image
Clash Royale CLAN TAG #URR8PPP PySpark count values by condition I have a DataFrame, a snippet here: [['u1', 1], ['u2', 0]] basically one string ('f') and either a 1 or a 0 for second element ('is_fav'). What I need to do is grouping on the first field and counting the occurrences of 1s and 0s. I was hoping to do something like num_fav = count((col("is_fav") == 1)).alias("num_fav") num_nonfav = count((col("is_fav") == 0)).alias("num_nonfav") df.groupBy("f").agg(num_fav, num_nonfav) It does not work properly, I get in both cases the same result which amounts to the count for the items in the group, so the filter (whether it is a 1 or a 0) seems to be ignored. Does this depend on how count works? count 1 Answer 1 There is no filter here. Both col("is_fav") == 1 and col("is_fav") == 0) are just boolean expressions and count doesn't really care about their value as long a
Read more

Trying to Print Gridster Items to PDF without overlapping contents

Image
Clash Royale CLAN TAG #URR8PPP Trying to Print Gridster Items to PDF without overlapping contents I want to print gridster items to pdf using chome browser. Unfortunately the item overlaps on next page. Is there any way to make gridster item go to next page if it doesnt fit in the current page when printing to pdf? Screenshot By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.
Read more