Re: Some more test on ingress, ifb, fwmark

Linux Advanced Routing and Traffic Control

Marco Gaiarin wrote:
Hello! John A. Sullivan III
   On that day it was said...

tc filters can be quite daunting but a quick search on "tc u32 filter"
showed:
http://b42.cz/notes/u32_classifier/

Bingo! a good starting point/reference.
I'm really astonished that there's no real documentation for u32...

There's always www.lartc.org for normal usage.

FWIW the above link seems to have errors in the hashing section -

The mask is inverted and ht, handle, flowid are actually hex which doesn't usually matter for flowid, but when hashing for ht and flowid/classid you have to convert to hex.



I hope that's enough to get you going.  Good luck - John

I've tried:

  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport 22001 0xffff flowid 1:10
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport 22027 0xffff flowid 1:10
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 2 u32 match ip protocol 17 0xff match ip sport 22005 0xffff flowid 1:10
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 2 u32 match ip protocol 6 0xff match ip sport 22 0xffff flowid 1:20
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 2 u32 match ip protocol 6 0xff match ip dport 22 0xffff flowid 1:20
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 3 u32 match ip protocol 17 0xff match ip sport 80 0xffff flowid 1:30
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 3 u32 match ip protocol 17 0xff match ip dport 80 0xffff flowid 1:30
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 3 u32 match ip protocol 17 0xff match ip sport 443 0xffff flowid 1:30
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 3 u32 match ip protocol 17 0xff match ip dport 443 0xffff flowid 1:30
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 3 u32 match ip sport 53 0xffff flowid 1:30
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 3 u32 match ip dport 53 0xffff flowid 1:30
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 4 u32 match ip protocol 6 0xff match ip sport 25 0xffff flowid 1:40
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 4 u32 match ip protocol 6 0xff match ip dport 25 0xffff flowid 1:40
  /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 5 u32 match ip dst 0.0.0.0/0 flowid 1:50

but the matches are rather less than optimal; it seems to me that matches
on UDP protocols work, on TCP not.

Anyway, most of the traffic goes to the last, catch-all class.

You are matching udp for web, match tcp and I guess less will end up in catch all.



I have to read our link carefully, but for now I really don't understand
this ''warning'':

  ip sport <VALUE> <MASK>
   Matches the 16 bit source port in a TCP or UDP IPv4 packet.
   This only works if the ip header contains no options.  Use the
   "link" and "match tcp src" or "match udp src" options if you
   can not be sure of that.

Can someone explain it to me?

It's possible, but AFAIK rare, that the ip header length may be greater than 20, which will mess up normal matching - but I think most people just use normal and don't bother doing it this way.


To test the filters, it seems to me that the only way is
  redirecting traffic on an ifb interface, and looking with tcpdump at what
  flows. Are there better strategies?


tc -s filter ls dev ifb0

will show counters.
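
An added illustration of the ''warning'' discussed above (not code from anyone in this thread): a small Python emulation of u32 key matching over constructed packets, showing that the fixed offset used by "match ip dport" misses the port once the IP header carries options, while an offset derived from the IHL field (what "offset at 0 mask 0x0f00 shift 6" computes) still finds it. Function names and sample addresses are assumptions made for the example.

```python
import struct

def ipv4_packet(proto, sport, dport, options=b""):
    """Constructed IPv4 header (+ options) followed by the L4 port pair.
    Checksum is left at 0; it plays no part in u32 matching."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4                      # header length in 32-bit words
    l4 = struct.pack("!HH", sport, dport)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(l4),
                      0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + options + l4

def u32_key(pkt, value, mask, off):
    """One u32 key: compare the masked big-endian 32-bit word at byte offset off."""
    if off + 4 > len(pkt):
        return False
    (word,) = struct.unpack_from("!I", pkt, off)
    return (word & mask) == (value & mask)

def match_fixed(pkt, proto, dport):
    """'match ip protocol P 0xff match ip dport D 0xffff':
    protocol in the word at offset 8, ports in the word at fixed offset 20."""
    return (u32_key(pkt, proto << 16, 0x00ff0000, 8)
            and u32_key(pkt, dport, 0x0000ffff, 20))

def l4_offset(pkt):
    """'offset at 0 mask 0x0f00 shift 6': 16-bit word at 0, masked and
    shifted right by 6, which yields IHL * 4 (header length in bytes)."""
    (half,) = struct.unpack_from("!H", pkt, 0)
    return (half & 0x0f00) >> 6

def match_linked(pkt, proto, dport):
    """Same test, but the port word is read relative to the real header end,
    as 'match tcp dst' / 'match udp dst' do behind a link with that offset."""
    return (u32_key(pkt, proto << 16, 0x00ff0000, 8)
            and u32_key(pkt, dport, 0x0000ffff, l4_offset(pkt)))

# Constructed samples: TCP to port 22, without and with 4 bytes of IP options
# (three NOPs and an End-of-Options-List byte).
PLAIN = ipv4_packet(6, 40000, 22)
WITH_OPTS = ipv4_packet(6, 40000, 22, options=b"\x01\x01\x01\x00")

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("with options", WITH_OPTS)):
        print(name, "L4 offset", l4_offset(pkt),
              "fixed:", match_fixed(pkt, 6, 22),
              "linked:", match_linked(pkt, 6, 22))
```
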