Hello! Andy Furniss
  On that day it was said...

> >>http://b42.cz/notes/u32_classifier/
> >Bingo! a good starting point/reference.
> There's always www.lartc.org for normal usage.
> FWIW the above link seems to have errors in the hashing section -

Sorry, but I've found the u32 examples on lartc totally confusing; this
document seems to me more ''clear''...

Better that all this thread, after some cleanup, goes to the wiki...

> > /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 3 u32 match ip protocol 17 0xff match ip sport 80 0xffff flowid 1:30
> > /sbin/tc filter add dev ifb1 parent 1:0 protocol ip prio 3 u32 match ip protocol 17 0xff match ip dport 80 0xffff flowid 1:30
> You are matching udp for web, match tcp and I guess less will end up
> in catch all.

AARRGGHH!!! All but not a stupid copy/paste error... sorry to all... ;(((

> > ip sport <VALUE> <MASK>
> > Matches the 16 bit source port in a TCP or UDP IPv4 packet.
> > This only works if the ip header contains no options. Use the
> > "link" and "match tcp src" or "match udp src" options if you
> > can not be sure of that.
> >Someone can explain me?
> It's possible, but AFAIK rare, that the ip header length may be
> greater than 20, which will mess up normal matching - but I think
> most people just use normal and don't bother doing it this way.

Ok, good to know; googling around led me to the commands:

	tcpdump -i eth1 'ip[0] > 69'
or
	tcpdump -i eth1 'ip[0] & 0x0f > 5'

to show if there are any packets with ip options set. Seems to me no, and my
new correct match seems to work very well: 166462 total hits, in catchall
class 5 are 1553, roughly less than 1%, good.

My new setup has been in test for some hours; really I've not tested at all,
but users do not complain. ;)

Another question. My previous setup was roughly copied from:

	http://lartc.org/howto/lartc.cookbook.ultimate-tc.html#AEN2241

and so for ingress I used to do:

	$TC filter add dev $IFACE parent ffff: protocol ip prio 50 \
		u32 match ip src 0.0.0.0/0 \
		police rate ${BI}kbit burst ${BURST}k drop flowid :1

now I do:

	tc filter add dev eth1 parent ffff: protocol ip prio 50 \
		u32 match ip src 0.0.0.0/0 \
		flowid :1 action mirred egress redirect dev ifb1

Is there some way to ''combine'' these statements, e.g. have a ''police rate''
and after it a redirect? Looking at the docs, it seems to me yes, but I've not
found the correct syntax.

Thanks.

-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it	  tel +39-0434-842711  fax +39-0434-842797
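
The IP-options caveat discussed in this message, as an added example that is not part of the original mail: `match ip sport` compares the 16 bits at byte 20 of the packet, so a header with options (IHL > 5) puts option bytes where the port is expected and the packet falls through to the catch-all. The packet bytes are constructed, the function names are hypothetical, and the filter modelled is the corrected TCP (protocol 6) version with flowid 1:30 from the thread.

```python
import struct

TCP = 6

def build_packet(sport, dport, options=b""):
    """Constructed IPv4 header (checksum left 0) plus the TCP port fields."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4            # header length in 32-bit words
    total_len = ihl * 4 + 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, TCP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + options + struct.pack("!HH", sport, dport)

def has_ip_options(pkt):
    """Same test as the tcpdump filter 'ip[0] & 0x0f > 5'."""
    return (pkt[0] & 0x0F) > 5

def sport_fixed_offset(pkt):
    """What 'match ip sport' compares: the 16 bits at byte 20, whatever the IHL."""
    return struct.unpack_from("!H", pkt, 20)[0]

def sport_after_header(pkt):
    """Source port read at the real transport offset, IHL * 4."""
    return struct.unpack_from("!H", pkt, (pkt[0] & 0x0F) * 4)[0]

def classify(pkt, follow_ihl=False):
    """Return the flowid for 'protocol 6 + sport 80', else the catch-all."""
    if pkt[9] != TCP:
        return "catchall"
    sport = sport_after_header(pkt) if follow_ihl else sport_fixed_offset(pkt)
    return "1:30" if sport == 80 else "catchall"

# Constructed samples: one plain header, one with 4 bytes of options (NOP NOP NOP EOL).
PLAIN = build_packet(80, 40000)
WITH_OPTIONS = build_packet(80, 40000, options=b"\x01\x01\x01\x00")

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("with options", WITH_OPTIONS)):
        print(name, "ip[0]=%d" % pkt[0], "options:", has_ip_options(pkt),
              "fixed:", classify(pkt), "ihl-aware:", classify(pkt, follow_ihl=True))
```
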