Re: Some advanced filtering questions

Linux Advanced Routing and Traffic Control

Hi Leigh,

>Hi All, 
>I need to do some tricky filtering stuff. Can anyone tell me if any of
>the following are possible?
> 
>* match on a combination of firewall mark AND u32 criteria. ie.  handle
>6 fw AND u32 match ip src 1.2.3.4/32 - to match packets from 1.2.3.4
>which have been marked elsewhere

you can do that in a couple (at least) of different ways.

1) Using netfilter custom chains.

All the conditions you can express with the U32 classifier can
be expressed with iptables too.
U32 allows you to use hash tables and speed up the classification
in certain contexts, but if you are not using U32 hash tables you
can replace any U32 match with an iptables mark/command.
To some extent, you can define a combination of conditions using
iptables custom chains:
  you create a chain and insert into the latter the iptables
  commands that test your conditions.

iptables allows you to use the ! (i.e. NOT) operator.

This solution, however, does not scale, and, depending on what
configuration you need to enforce, it may not always work.
This is not the solution I would suggest using, especially if
you need to define many filters.

2) Using the (relatively) new Basic classifier.

More details below.

>OR
>
>* to OR the values of u32 matches. Something like u32 match  ip src
>1.2.3.4/32 OR match ip dst 1.2.3.4/32 - to match packets going to or
>from 1.2.3.4

U32 does not allow you to explicitly OR different matches.
However, you can organize your filters using U32 hash tables
in a way such that on a given bucket you insert only those
match conditions that must be ORed:
After all, a list of matches is nothing but a list of ORed
conditions: the first one that matches is used.
This solution may not scale and may not be usable in all
scenarios (it depends a lot on the config you need to enforce).

>
>OR
>
>* to use a mask on firewall marks as per iptables/ebtables MARK
>matches.

You can do that with the Basic classifier.
(I believe there is also a patch around that adds this
functionality to the fw classifier).

The Basic classifier allows you to define conditions such as

    match <condition1> AND (NOT (<condition2> OR <condition3>))

Here are a couple of examples for the conditions above
(see my note at the end of the email):

# match ip src 1.2.3.4/32 OR match ip dst 1.2.3.4/32
# (offsets 12 and 16 are the source and destination address
# fields of the IPv4 header; the parentheses are escaped for the shell)
tc filter add dev eth2 parent 1:0 prio 5 protocol ip \
  basic match \
  u32\(u32 0x01020304 0xFFFFFFFF at 12\) OR \
  u32\(u32 0x01020304 0xFFFFFFFF at 16\) \
  flowid 1:11

# match anything NOT from 1.2.3.0/24
tc filter add dev eth2 parent 1:0 prio 5 protocol ip \
  basic match \
  NOT u32\(u32 0x01020300 0xFFFFFF00 at 12\) \
  flowid 1:13

# Example of mask on firewall marks
# This filter matches those packets whose firewall
# mark has the value 1 in the least significant 4 bits
# (you can use 0xF instead of 0x0000000F if you prefer)
tc filter add dev eth2 parent 1:0 prio 5 protocol ip \
  basic match \
  meta\(nf_mark mask 0x0000000F eq 1\) \
  flowid 1:12

For more detail on the Basic classifier, see these kernel
configuration options:

Networking
+->Networking options
   +->QoS and/or fair queueing
      +->Elementary classification (BASIC)
      +->Extended Matches

Note that the Basic classifier and the extended matches are not as
mature and stable as the rest of the Traffic Control code yet.
(I have fixed a few bugs both in IPROUTE2 and in the kernel; next
week I am going to send the patches to the current maintainer.
I can post the patches here too if there is anyone interested)

Regards.
/Christian
[http://benve.info]
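An added example, not part of Christian's mail or of iproute2 itself: unlike the u32 classifier's "match ip src", the u32 ematch used by the Basic classifier wants a raw value, mask and header offset, so the helper below derives those from a CIDR and then composes the "fw mark AND source address" condition from the original question (and the src-OR-dst case) into a quoted ematch expression. The helper names are hypothetical; it assumes a POSIX sh with 64-bit arithmetic, lowercase and/or keywords as in the tc-ematch man page, and the mail's device, handles and addresses.

```shell
#!/bin/sh
# Added helper, not from the original mail: turn "ip src/dst CIDR" conditions
# into the raw value/mask/offset form the u32 ematch expects, then compose them
# with a meta(nf_mark ...) test. Device, handles and addresses are the mail's.

# cidr_to_u32 A.B.C.D[/LEN]  ->  "0xVALUE 0xMASK" (value already masked)
cidr_to_u32() {
  ip=${1%/*}; plen=${1#*/}
  [ "$plen" = "$1" ] && plen=32        # no prefix length given: single host
  oifs=$IFS; IFS=.; set -- $ip; IFS=$oifs
  val=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  if [ "$plen" -eq 0 ]; then
    mask=0                             # /0: avoid a shift by 32
  else
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  fi
  printf '0x%08X 0x%08X\n' $(( val & mask )) "$mask"
}

# ip_ematch src|dst CIDR -> u32(...) ematch. Offsets count from the start of
# the IPv4 header, as in the mail: source address at 12, destination at 16.
ip_ematch() {
  case $1 in
    src) off=12 ;;
    dst) off=16 ;;
    *) echo "ip_ematch: expected src or dst" >&2; return 1 ;;
  esac
  set -- $(cidr_to_u32 "$2")
  printf 'u32(u32 %s %s at %s)' "$1" "$2" "$off"
}

# The combination from the original question: fw mark N AND source address.
mark_and_src_expr() {   # $1 = mark, $2 = CIDR
  printf 'meta(nf_mark eq %s) and %s' "$1" "$(ip_ematch src "$2")"
}

# Traffic to OR from an address, as in the mail's first example.
src_or_dst_expr() {     # $1 = CIDR
  printf '%s or %s' "$(ip_ematch src "$1")" "$(ip_ematch dst "$1")"
}

# Emit the tc command line rather than running it (needs root and the 1:0 qdisc).
# Quoting the whole expression as one argument avoids escaping the parentheses.
tc_basic_cmd() {        # $1 = dev, $2 = flowid, $3 = ematch expression
  printf "tc filter add dev %s parent 1:0 prio 5 protocol ip basic match '%s' flowid %s\n" "$1" "$3" "$2"
}

tc_basic_cmd eth2 1:11 "$(mark_and_src_expr 6 1.2.3.4/32)"
tc_basic_cmd eth2 1:11 "$(src_or_dst_expr 1.2.3.4)"
```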


_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
