Commit 9bb268ed authored Jan 14, 2008 by Jan Engelhardt Committed by David S. Miller Jan 28, 2008

[NETFILTER]: xt_TOS: Change semantic of mask value



This patch changes the behavior of xt_TOS v1 so that the mask value
the user supplies means "zero out these bits" rather than "keep these
bits". This is more easy on the user, as (I would assume) people keep
more bits than zeroing, so, an example:

	Action:     Set bit 0x01.
    	before (&): iptables -j TOS --set-tos 0x01/0xFE
    	after (&~): iptables -j TOS --set-tos 0x01/0x01

This is not too "tragic" with xt_TOS, but where larger fields are used
(e.g. proposed xt_MARK v2), `--set-xmar 0x01/0x01` vs. `--set-xmark
0x01/0xFFFFFFFE` really makes a difference. Other target(!) modules,
such as xt_TPROXY also use &~ rather than &, so let's get to a common
ground.

(Since xt_TOS has not yet left the development tree en direction to
mainline, the semantic can be changed as proposed without breaking
iptables.)

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 11fa2aa3

net/netfilter/xt_DSCP.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -128,7 +128,7 @@ tos_tg(struct sk_buff skb, const struct net_device in,
		u_int8_t orig, nv;

		orig = ipv4_get_dsfield(iph);
		nv = (orig & info->tos_mask) ^ info->tos_value;
		nv = (orig & ~info->tos_mask) ^ info->tos_value;

		if (orig != nv) {
		if (!skb_make_writable(skb, sizeof(struct iphdr)))

Admin message