I have been looking over my mangle rules and saw something that I
thought was strange:
Chain PREROUTING (policy ACCEPT 8408K packets, 4376M bytes)
 pkts bytes target     prot opt in     out     source               destination
6442K 4136M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0    CONNMARK match !0x0/0xff CONNMARK restore mask 0xff
 417K   60M routemark  all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0    MARK match 0x0/0xff
 105K   17M routemark  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0    MARK match 0x0/0xff
96522   15M man1918    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0    state NEW
 254K   27M man1918    all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0    state NEW
3753K 3098M tcpre      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
 182K   33M tcpre      all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
8408K 4376M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0    MARK match 0x0/0xff00
I have not really used packet marking outside of shorewall so this might
just be a dumb question, but with "HIGH_ROUTE_MARKS=No" why the 0xff00
mask in that last rule:
8408K 4376M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0    MARK match 0x0/0xff00
ignoring the 0xff from the high order byte, does a match of 0x0/0x00
make any sense?  Should that match really be 0x0/0xff?
The origin of that 0xFF00 seems to be in compiler at:
    if [ -n "$ROUTEMARK_INTERFACES" -a -z "$TC_EXPERT" ]; then
        mark_part="-m mark --mark 0/0xFF00"
at line 958 in 3.4.2.
b.
-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Brian J. Murrell wrote:
> I have not really used packet marking outside of shorewall so this might
> just be a dumb question, but with "HIGH_ROUTE_MARKS=No" why the 0xff00
> mask in that last rule:
>
> 8408K 4376M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0    MARK match 0x0/0xff00
>
> ignoring the 0xff from the high order byte, does a match of 0x0/0x00
> make any sense?  Should that match really be 0x0/0xff?

The mask determines the bits tested, not the bits ignored.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
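The value/mask semantics Tom describes can be checked offline with a small model. This is an added example, not code from the thread, from Shorewall or from iptables; it assumes a 32-bit fwmark, that with HIGH_ROUTE_MARKS=No route marks occupy the low byte (0x01..0xFF) and with HIGH_ROUTE_MARKS=Yes the second byte (0x100..0xFF00), and all mark values in it are constructed sample inputs.

```python
# Added example: a Python model of netfilter's "value/mask" mark matching and of
# CONNMARK --restore-mark, used to reason about the PREROUTING rules quoted above.
# Not Shorewall's or iptables' own code. Assumptions: fwmark is 32 bits wide;
# HIGH_ROUTE_MARKS=No keeps route marks in the low byte, =Yes in the second byte.

FWMARK_WIDTH = 0xFFFFFFFF


def mark_matches(fwmark: int, value: int, mask: int, invert: bool = False) -> bool:
    """Model of `-m mark [!] --mark value/mask`.

    The mask selects the bits that are compared; every bit outside the mask is
    ignored. So "0x0/0xFF00" only asks whether the second byte is zero and says
    nothing at all about the low byte.
    """
    hit = (fwmark & mask) == (value & mask)
    return not hit if invert else hit


def connmark_restore(fwmark: int, ctmark: int, mask: int) -> int:
    """Model of `-j CONNMARK --restore-mark --mask mask`.

    Only the masked bits of the connection mark are copied into the packet mark;
    the packet's other mark bits are left untouched.
    """
    return ((fwmark & ~mask) | (ctmark & mask)) & FWMARK_WIDTH


def route_marks(high_route_marks: bool) -> list:
    """Constructed sample route marks for the two layouts (assumption, see above)."""
    if high_route_marks:
        return [0x100, 0x200, 0x300]  # second byte
    return [0x1, 0x2, 0x3]            # low byte


def mask_is_effective(mask: int, high_route_marks: bool) -> bool:
    """True if `--mark 0/mask` can tell a route-marked packet from an unmarked one.

    If the test passes for mark 0 *and* for every route mark, the rule fires for
    every packet and the match clause is dead weight.
    """
    unmarked_hits = mark_matches(0, 0, mask)
    marked_hits = [mark_matches(m, 0, mask) for m in route_marks(high_route_marks)]
    return unmarked_hits and not any(marked_hits)


def prerouting_restore(fwmark: int, ctmark: int) -> int:
    """First rule of the listed chain: CONNMARK match !0x0/0xff -> restore mask 0xff."""
    if mark_matches(ctmark, 0, 0xFF, invert=True):
        fwmark = connmark_restore(fwmark, ctmark, 0xFF)
    return fwmark


if __name__ == "__main__":
    for high in (False, True):
        for mask in (0xFF, 0xFF00):
            verdict = "effective" if mask_is_effective(mask, high) else "matches everything"
            print(f"HIGH_ROUTE_MARKS={'Yes' if high else 'No'}  --mark 0/{mask:#06x}: {verdict}")
```

Run as written, the model shows why the low-byte configuration makes the 0/0xFF00 test a no-op: a packet carrying route mark 0x2 still has a zero second byte, so it passes, exactly like an unmarked packet. Swapping the mask for 0xFF separates the two cases again.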
On Fri, 2007-05-18 at 10:29 -0700, Tom Eastep wrote:
> The mask determines the bits tested, not the bits ignored.

Right.  It's a bitwise AND right?  So 0x0/0xFF00 tests the left-most 8
bits of a 16 bit number for being 0 yes?  But if I don't have high-marks
enabled (HIGH_ROUTE_MARKS=No) what is the point of this rule?

b.
Brian J. Murrell wrote:
> On Fri, 2007-05-18 at 10:29 -0700, Tom Eastep wrote:
>> The mask determines the bits tested, not the bits ignored.
>
> Right.  It's a bitwise AND right?  So 0x0/0xFF00 tests the left-most 8
> bits of a 16 bit number for being 0 yes?  But if I don't have high-marks
> enabled (HIGH_ROUTE_MARKS=No) what is the point of this rule?

It's a bug.

-Tom
Tom Eastep wrote:
> Brian J. Murrell wrote:
>> On Fri, 2007-05-18 at 10:29 -0700, Tom Eastep wrote:
>>> The mask determines the bits tested, not the bits ignored.
>> Right.  It's a bitwise AND right?  So 0x0/0xFF00 tests the left-most 8
>> bits of a 16 bit number for being 0 yes?  But if I don't have high-marks
>> enabled (HIGH_ROUTE_MARKS=No) what is the point of this rule?
>
> It's a bug.

This should fix it.

-Tom
On Fri, 2007-05-18 at 10:59 -0700, Tom Eastep wrote:
> Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>> On Fri, 2007-05-18 at 10:29 -0700, Tom Eastep wrote:
>>>> The mask determines the bits tested, not the bits ignored.
>>> Right.  It's a bitwise AND right?  So 0x0/0xFF00 tests the left-most 8
>>> bits of a 16 bit number for being 0 yes?  But if I don't have high-marks
>>> enabled (HIGH_ROUTE_MARKS=No) what is the point of this rule?
>>
>> It's a bug.
>
> This should fix it.

Ahhh.  Sweet.  Now that makes me not need to scratch my head wondering
what I'm not understanding.

Thanx Tom!

b.