[LARTC] Is It Possible To Explicitly Drop A Non-IP Packet?

Linux Advanced Routing and Traffic Control

Some of you may remember that back in January I enquired about the possibility of matching non-IP packets in general and IPX packets in particular.

Due to a shortage of resources I've only recently been able to my goal of a combined bridge/IPX traffic shaper, the results of which I hope to be able to share in the next few weeks or so.

In the meantime, I've a problem trying to explicitly drop unwanted IPX packets.

Background

What I'm trying to achieve is a filter broadly similar to the following iptables example, in which unmatched packets are discarded.

iptables -t mangle -A somechain  -s some-addr -j ACCEPT
...
iptables -t mangle -A somechain  -s some-other-addr -j ACCEPT
iptables -t mangle -A somechain -j DROP

Thanks mostly to Martin Brown's response to my previous question, I have written the u32 filters to do the equivalent of "-s some-addr -j ACCEPT" for the IPX packets but I'm stuck on the equivalent for "-j DROP".

I'm using prio as the root qdisc, with a pfifo attached to the first class, 1:1, htb attached to the second class, 1:2, and the third class, 1:3, is the one I've been using to experiment with.

The filter attached to the root, prio, qdisc directs all non-IPX traffic to the pfifo attached to 1:1 and all matching IPX traffic to 1:2.

Problem

My first attempt to drop the remaining packets was to make the last entry in the filter

tc filter ... u32 match u16 0x8137 0xffff at -2 police drop flowid 1:3

which tc -s filter ls dev eth0 shows as

...
filter parent 1: protocol ip ...
police 3 action drop rate 0bps burst 0b mtu 4096Mb
 match 00008137/0000ffff at -4

This had no effect, with the unwanted IPX traffic still being passed.

My second attempt was to remove the "police drop" from the above filter spec and add a zero-length pfifo to the third class, 1:3, as follows

tc qdisc add dev eth0 parent 1:3 handle 30: pfifo limit 0

which tc -s qdisc ls dev eth0 shows as

...
qdisc pfifo 30: limit 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

Again this has no effect, all the unwanted IPX traffic passes via pfifo 30:.

Any ideas?

Griff.
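
Added example, not part of the original post: a small Python model of how the selector "match u16 0x8137 0xffff at -2" becomes the "match 00008137/0000ffff at -4" line in the tc output above, and of which frames that key selects. It assumes Ethernet II framing with a 14-byte link header; the function names and the sample frames are constructed for illustration and this is not the kernel's or tc's own code.

```python
import struct

IPX_ETHERTYPE = 0x8137  # value matched by the u32 filter in the post

def pack_key16(value, mask, off):
    """Normalise 'match u16 VALUE MASK at OFF' into one 32-bit key at a
    4-byte-aligned offset, which is the form tc displays."""
    if off & 3 == 0:           # u16 occupies the upper half of the aligned word
        value <<= 16
        mask <<= 16
    return value & mask, mask, off & ~3

def u32_match(frame, key, l2_len=14):
    """Apply one normalised key to a raw frame. Offsets are relative to the
    start of the network header, so negative ones reach into the link header."""
    value, mask, off = key
    start = l2_len + off
    if start < 0 or start + 4 > len(frame):
        return False           # word not fully inside the frame: no match
    (word,) = struct.unpack_from("!I", frame, start)  # network byte order
    return (word ^ value) & mask == 0

def ether_frame(ethertype, payload=b"\x00" * 46):
    """Constructed Ethernet II frame: broadcast dst, locally administered src."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", ethertype) + payload

IPX_KEY = pack_key16(IPX_ETHERTYPE, 0xFFFF, -2)

def classify(frame):
    """Return 'ipx' when the frame's EtherType field matches the key."""
    return "ipx" if u32_match(frame, IPX_KEY) else "other"

if __name__ == "__main__":
    value, mask, off = IPX_KEY
    print(f"match {value:08x}/{mask:08x} at {off}")
    for name, etype in (("IPX", 0x8137), ("IPv4", 0x0800), ("ARP", 0x0806)):
        print(name, "->", classify(ether_frame(etype)))
```

The aligned word at -4 covers the last two bytes of the source MAC address plus the EtherType, and the mask 0000ffff discards the MAC bytes so only the EtherType is compared.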


