fwmark如何在ip规则命令中与掩码一起工作
fwmark如何在ip规则命令中与掩码一起工作
提问于 2018-04-10 15:12:34
我试着理解ip rule add fwmark是如何与mask一起工作的,
例如:ip rule命令显示以下规则: 100:从所有fwmark 0xd00/0xffff00查找6017
因此,如果有一个标记为“0xd 70”的数据包到达,它将尝试匹配ip规则中的标记,但是如何用fwmark和掩码“0xd00/0xffff00”计算“0xd 70”?
谢谢!
回答 1
Unix & Linux用户
发布于 2022-06-09 09:00:44
从fwmask或内核的发行说明中没有太多关于iproute的信息。最后,我必须从内核代码中得到fwmask's的真正含义如下,
static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops, struct flowi *fl, int flags, struct fib_lookup_arg *arg)
{
int ret = 0;
if (rule->iifindex && (rule->iifindex != fl->flowi_iif))
goto out;
if (rule->oifindex && (rule->oifindex != fl->flowi_oif))
goto out;
if ((rule->mark ^ fl->flowi_mark) & rule->mark_mask) <<<<<<<<<<<
goto out;
if (rule->tun_id && (rule->tun_id != fl->flowi_tun_key.tun_id))
goto out;
if (rule->l3mdev && !l3mdev_fib_rule_match(rule->fr_net, fl, arg))
goto out;
if (uid_lt(fl->flowi_uid, rule->uid_range.start) || uid_gt(fl->flowi_uid, rule->uid_range.end))
goto out;
ret = ops->match(rule, fl, flags);
out:
return (rule->flags & FIB_RULE_INVERT) ? !ret : ret;
}具体来说,fwmark/fwmask 0xXYZ/0xFFFFFFFF意味着只有标记本身才能匹配规则。
int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack)
{
struct net *net = sock_net(skb->sk);
struct fib_rule_hdr *frh = nlmsg_data(nlh);
...
if (tb[FRA_FWMARK]) {
rule->mark = nla_get_u32(tb[FRA_FWMARK]);
if (rule->mark)
/* compatibility: if the mark value is non-zero all bits
* are compared unless a mask is explicitly specified.
*/
rule->mark_mask = 0xFFFFFFFF; <<<<<<<<<<<
}页面原文内容由Unix & Linux提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://unix.stackexchange.com/questions/436799
复制相关文章
相似问题
腾讯云开发者
