Some questions about "-set-xmark" in iptables


Question

I have a rule as below:

-A PREROUTING -d 10.228.20.15/32 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 0x70/0xffffffff

The man doc explains --set-xmark as below:

Zero out the bits given by mask and XOR value into the ctmark.

English is not my native language. Could anyone help to explain what value would be set into ctmark? What does "zero out" mean? An example would be appreciated.

Recommended answer

So the syntax is --set-xmark value/mask. The resulting operation is:

ctmark = (ctmark AND NOT mask) XOR value

Zero-out corresponds to (ctmark AND NOT mask): if a bit in mask is set, then the corresponding bit in ctmark will be zero (before the XOR).

The man page also states:

--and-mark bits
    Binary AND the  ctmark  with  bits.  (Mnemonic  for  --set-xmark
    0/invbits, where invbits is the binary negation of bits.)

--or-mark bits
    Binary  OR  the  ctmark  with  bits.  (Mnemonic  for --set-xmark
    bits/bits.)

--xor-mark bits
    Binary XOR the  ctmark  with  bits.  (Mnemonic  for  --set-xmark
    bits/0.)

You can validate the operation above against those definitions:

--and-mark bits == --set-xmark 0/invbits
     ctmark AND bits = (ctmark AND NOT invbits) XOR 0
     -> bits = NOT invbits
     -> anything XOR 0 = anything
     so: ctmark AND bits = ctmark AND NOT NOT bits = ctmark AND bits

--or-mark bits == --set-xmark bits/bits
     ctmark OR bits = (ctmark AND NOT bits) XOR bits
     -> should be obvious based on boolean logic

--xor-mark bits == --set-xmark bits/0
     ctmark XOR bits = (ctmark AND NOT 0) XOR bits
     -> anything AND NOT 0 = anything
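
The rule from the question and the three mnemonics, worked through in shell arithmetic as an added example (not part of the original question or answer, and not iptables code). The function names and sample marks are constructed for illustration, and marks are assumed to be 32-bit values.

```shell
#!/bin/sh
# Added example: the mark arithmetic from the answer, on 32-bit marks.
# All function names and sample values here are constructed for illustration.

hex32() { printf '0x%08x\n' $(( $1 & 0xffffffff )); }

# apply_xmark CURRENT VALUE/MASK -> new mark = (CURRENT AND NOT MASK) XOR VALUE
apply_xmark() {
    case $2 in
        */*) ;;
        *) echo "expected value/mask, got '$2'" >&2; return 2 ;;
    esac
    hex32 $(( ($1 & ~${2#*/}) ^ ${2%%/*} ))
}

# The three mnemonics, expressed through --set-xmark as the man page defines them.
and_mark() { apply_xmark "$1" "0/$(hex32 $(( ~$2 )))"; }   # 0/invbits
or_mark()  { apply_xmark "$1" "$2/$2"; }                   # bits/bits
xor_mark() { apply_xmark "$1" "$2/0"; }                    # bits/0

# Compare each mnemonic with the plain operator over constructed samples.
check_mnemonics() {
    for m in 0x0 0x70 0x12345 0xdeadbeef 0xffffffff; do
        for b in 0x0 0x1 0xf0 0xff00 0xffffffff; do
            [ "$(and_mark $m $b)" = "$(hex32 $(( $m & $b )))" ] || return 1
            [ "$(or_mark  $m $b)" = "$(hex32 $(( $m | $b )))" ] || return 1
            [ "$(xor_mark $m $b)" = "$(hex32 $(( $m ^ $b )))" ] || return 1
        done
    done
}

# The rule in the question: a full mask clears every bit, so the old mark
# never matters and the result is exactly 0x70.
apply_xmark 0xdeadbeef 0x70/0xffffffff    # 0x00000070
# A partial mask only replaces bits 4-7 and leaves the rest of the mark alone.
apply_xmark 0x00012345 0x70/0xf0          # 0x00012375
check_mnemonics && echo "mnemonics match"
```

A mask narrower than 0xffffffff is what lets several rules share one mark without overwriting each other's bits.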
