[LARTC] U32 dport filter problem

Linux Advanced Routing and Traffic Control


Hi,

while testing HTB, I've found a problem with the U32 dport flag.
I'm not able to send traffic via the U32 dport filter with the rules
from the HTB manual, while the same rules generated by the htb.init
script work fine.
The only difference I can see is that with the rules from the HTB manual
the show filter output reports
match 00000050/0000ffff at nexthdr+0
                                ^^^^
while with the htb.init rules the show filter output reports
match 00000050/0000ffff at 20
                        ^^^^^
Is this the problem?
How should I write the filter to be able to work with the dport flag?

Thanks

Some more info:

This is my HTB script (from the HTB manual)

tc qdisc del dev ipsec0 root
tc qdisc add dev ipsec0 root handle 1: htb default 12
tc class add dev ipsec0 parent 1: classid 1:1 htb rate 100kbps ceil \
100kbps burst 2k
tc class add dev ipsec0 parent 1:1 classid 1:10 htb rate 30kbps ceil \
100kbps burst 2k
tc class add dev ipsec0 parent 1:1 classid 1:11 htb rate 10kbps ceil \
100kbps burst 2k
tc class add dev ipsec0 parent 1:1 classid 1:12 htb rate 60kbps ceil \
100kbps burst 2k

tc filter add dev ipsec0 protocol ip parent 1:0 prio 100 u32 match ip \
src 192.168.111.2 match tcp dst 80 0xffff flowid 1:10
tc filter add dev ipsec0 protocol ip parent 1:0 prio 100 u32 match ip \
src 192.168.111.2 flowid 1:11

I'm not able to send traffic via the http filter 1:10; all the traffic
from 192.168.111.2 to http goes to the generic filter 1:11.

I did some tests with the htb.init script. This is the script compiled by
htb.init (different speeds ..)
With this script the U32 dport filter works fine.

tc qdisc del dev ipsec0 root
tc qdisc add dev ipsec0 root handle 1 htb default 30
tc class add dev ipsec0 parent 1: classid 1:2 htb rate 100kb
tc class add dev ipsec0 parent 1:2 classid 1:10 htb rate 40kbit \
ceil 100kbit burst 15k
tc qdisc add dev ipsec0 parent 1:10 handle 10 sfq perturb 10 
tc filter add dev ipsec0 parent 1:0 protocol ip prio 100 u32 match ip \
src 192.168.111.2 match ip dport 80 0xffff classid 1:10
tc class add dev ipsec0 parent 1:2 classid 1:20 htb rate 10kbit \
ceil 100kbit burst 15k
tc qdisc add dev ipsec0 parent 1:20 handle 20 sfq perturb 10 
tc filter add dev ipsec0 parent 1:0 protocol ip prio 100 u32 match ip \
src 192.168.111.2 classid 1:20
tc class add dev ipsec0 parent 1:2 classid 1:30 htb rate 60Kbit \
ceil 100Kbit burst 15k
tc qdisc add dev ipsec0 parent 1:30 handle 30 sfq perturb 10


These are the listings with the first set of rules in place:

### ipsec0: queueing disciplines

qdisc htb 1: r2q 10 default 12 dcache 0
 deq_util 1/1000000 deq_rate 0 trials_per_deq 0
 dcache_hits 0 direct_packets 0

### ipsec0: traffic classes

class htb 1:11 parent 1:1 prio 0 rate 80Kbit ceil 800Kbit burst 2Kb cburst 2623b
class htb 1:1 root prio 0 rate 800Kbit ceil 800Kbit burst 2Kb cburst 2623b
class htb 1:10 parent 1:1 prio 0 rate 240Kbit ceil 800Kbit burst 2Kb cburst 2623b
class htb 1:12 parent 1:1 prio 0 rate 480Kbit ceil 800Kbit burst 2Kb cburst 2623b

### ipsec0: filtering rules

filter parent 1: protocol ip pref 100 u32 
filter parent 1: protocol ip pref 100 u32 fh 800: ht divisor 1 
filter parent 1: protocol ip pref 100 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10
  match c0a86f02/ffffffff at 12
  match 00000050/0000ffff at nexthdr+0
filter parent 1: protocol ip pref 100 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:11
  match c0a86f02/ffffffff at 12


And these are the listings with the htb.init generated rules:

### ipsec0: queueing disciplines

qdisc sfq 30: quantum 16274b perturb 10sec 
qdisc sfq 20: quantum 16274b perturb 10sec 
qdisc sfq 10: quantum 16274b perturb 10sec 
qdisc htb 1: r2q 10 default 30 dcache 0
 deq_util 1/1000000 deq_rate 0 trials_per_deq 0
 dcache_hits 0 direct_packets 0

### ipsec0: traffic classes

class htb 1:10 root leaf 10: prio 0 rate 40Kbit ceil 100Kbit burst 15Kb cburst 1727b
class htb 1:20 root leaf 20: prio 0 rate 10Kbit ceil 100Kbit burst 15Kb cburst 1727b
class htb 1:30 root leaf 30: prio 0 rate 60Kbit ceil 100Kbit burst 15Kb cburst 1727b

### ipsec0: filtering rules

filter parent 1: protocol ip pref 100 u32 
filter parent 1: protocol ip pref 100 u32 fh 800: ht divisor 1 
filter parent 1: protocol ip pref 100 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10
  match c0a86f02/ffffffff at 12
  match 00000050/0000ffff at 20
filter parent 1: protocol ip pref 100 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:10
  match c0a86f02/ffffffff at 12
  match 00000050/0000ffff at 20
filter parent 1: protocol ip pref 100 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:20
  match c0a86f02/ffffffff at 12


Many thanks in advance for any help!
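
Added example, not part of the original post: a Python model of how a u32 key is evaluated ((32-bit word at offset) & mask == value), run against the two key sets shown in the filter listings above. It assumes the next-header offset used by "nexthdr+" is 0 for filters in the root table and only becomes the IP header length when a hash-table link computes it; the packet builder, the destination address 10.0.0.1 and all function names are constructed for illustration.

```python
import struct

def ipv4_tcp(src, dport, ihl=5, payload_len=0):
    """Constructed IPv4+TCP packet (checksums left at zero)."""
    total = ihl * 4 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))
    options = b"\x01" * ((ihl - 5) * 4)   # NOP-filled IP options when ihl > 5
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    return ip + options + tcp + b"\x00" * payload_len

# Keys as printed by "tc filter show": (value, mask, offset, relative_to_nexthdr)
MANUAL_KEYS = [(0xC0A86F02, 0xFFFFFFFF, 12, False),
               (0x00000050, 0x0000FFFF, 0, True)]    # "at nexthdr+0"
INIT_KEYS = [(0xC0A86F02, 0xFFFFFFFF, 12, False),
             (0x00000050, 0x0000FFFF, 20, False)]    # "at 20"

def classify(pkt, keys, nexthdr_off=0):
    """True when every key satisfies (32-bit word at offset) & mask == value.

    nexthdr_off models the offset a hash-table link would compute from the
    IP header length; it is assumed to be 0 for filters at the root table.
    """
    for value, mask, off, relative in keys:
        pos = off + (nexthdr_off if relative else 0)
        if pos + 4 > len(pkt):
            return False
        (word,) = struct.unpack_from("!I", pkt, pos)
        if (word & mask) != value:
            return False
    return True

def report():
    http = ipv4_tcp("192.168.111.2", 80)                   # 40-byte packet
    ssh80 = ipv4_tcp("192.168.111.2", 22, payload_len=40)  # total length 80
    http_opts = ipv4_tcp("192.168.111.2", 80, ihl=6)       # 4 bytes of options
    return {
        "manual, root table, port 80": classify(http, MANUAL_KEYS),
        "manual, root table, len 80": classify(ssh80, MANUAL_KEYS),
        "manual, nexthdr offset 20": classify(http, MANUAL_KEYS, 20),
        "init, port 80": classify(http, INIT_KEYS),
        "init, port 80 with IP options": classify(http_opts, INIT_KEYS),
        "manual, nexthdr 24, IP options": classify(http_opts, MANUAL_KEYS, 24),
    }

if __name__ == "__main__":
    for case, matched in report().items():
        print(f"{case:32} -> {matched}")
```

With a zero next-header offset the "nexthdr+0" key compares the low 16 bits of the first IP header word (the total length) with 80, while the fixed "at 20" key reads the TCP destination port only when the IP header carries no options.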





