我的规则如下:
-A PREROUTING -d 10.228.20.15/32 -p tcp -m tcp --dport 80--tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 0x70/0xffffffff
该man doc解释--set-xmark如下:
将掩码和XOR值给出的位清零到ctmark。
英语不是我的母语。任何人都可以帮助解释将什么值设置为ctmark? 零出是什么意思?举一个例子将不胜感激。
答案 0 :(得分:8)
所以语法是--set-xmark value/mask。结果操作是:
ctmark = (ctmark AND NOT mask) XOR value
归零对应于(ctmark AND NOT mask):如果mask中的某个位置位,则ctmark中的相应位将为零(在异或之前)。
该手册页还指出:
--and-mark bits
Binary AND the ctmark with bits. (Mnemonic for --set-xmark
0/invbits, where invbits is the binary negation of bits.)
--or-mark bits
Binary OR the ctmark with bits. (Mnemonic for --set-xmark
bits/bits.)
--xor-mark bits
Binary XOR the ctmark with bits. (Mnemonic for --set-xmark
bits/0.)
您可以根据这些定义验证上述操作:
--and-mark bits == --set-xmark 0/invbits
ctmark AND bits = (ctmark AND NOT invbits) XOR 0
-> bits = NOT invbits
-> anything XOR 0 = anything
so: ctmark AND bits = ctmark AND NOT NOT bits = ctmark AND bits
--or-mark bits == --set-mark bits/bits
ctmark OR bits = (ctmark AND NOT bits) XOR bits
-> should be obvious based on boolean logic
--xor-mark bits == -set-mark bits/0
ctmark XOR bits = (ctmark AND NOT 0) XOR bits
-> anything AND NOT 0 = anything