Hi! On that day John A. Sullivan III wrote...

OK, I'm ready; some comments on the u32 script for ingress.

First, a reference to the author:

> # tcfilters
> # Version 0: February 22, 2012; John A. Sullivan III

I've read your script and also http://b42.cz/notes/u32_classifier/, which still seems the only decent reference to u32.

I've assumed that you use the same ifb interface for many real interfaces, so I think ${IH} is only an integer to keep things more readable. It seems a max 2-digit integer is needed.

Go forward.

1) Create three filter lists, with handles (''number'') ${IH}6:, ${IH}7:, ${IH}8:; because we don't need heavy matching on src or dst addresses, we create lists with a (minimal) 1 bucket per list, so we will not use hashing (handles a:b:c will have b=0).

> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 2 handle ${IH}6: u32 divisor 1
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 2 handle ${IH}7: u32 divisor 1
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 3 handle ${IH}8: u32 divisor 1

2) Add filters on the ''main'' list. Directly match the 'netkey' protocol and classify on ${IH}:50:

> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 1 u32 match ip protocol 50 0xff flowid ${IH}:50

Match TCP first, then UDP; you say: ''We must sort TCP from UDP first because tcp and udp u32 matches are identical unless the protocol is specified; sorting first allows for simpler rules later''. If they match, go respectively to filter lists ${IH}6: and ${IH}7:. I think that 'offset at 0 mask 0x0f00 shift 6 plus 0' computes the header length, and so permits the subsequent matches also if the 'options' field is set.

> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 2 u32 match ip protocol 6 0xff link ${IH}6: offset at 0 mask 0x0f00 shift 6 plus 0
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 2 u32 match ip protocol 17 0xff link ${IH}7: offset at 0 mask 0x0f00 shift 6 plus 0

3) On filter list ${IH}6: (TCP):

> # DR backup - tos 0 0x10 means the minimize latency bit is not set; DR01 backup traffic would match interactive filters if we did not process this first
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 3 u32 ht ${IH}6:0 match ip src 192.168.124.120 match ip tos 0 0x10 match tcp dst 922 0xffff at nexthdr+2 flowid ${IH}:10
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 3 u32 ht ${IH}6:0 match ip src 192.168.124.120 match ip tos 0 0x10 match tcp src 922 0xffff at nexthdr+0 flowid ${IH}:10
> # Interactive
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match ip dst 208.46.93.8 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match tcp dst 922 0xffff at nexthdr+2 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match tcp src 922 0xffff at nexthdr+0 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match tcp dst 1022 0xffff at nexthdr+2 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match tcp src 1022 0xffff at nexthdr+0 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match tcp dst 22 0xffff at nexthdr+2 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match tcp src 22 0xffff at nexthdr+0 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match tcp dst 3389 0xffff at nexthdr+2 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match tcp src 3389 0xffff at nexthdr+0 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match tcp dst 4443 0xffff at nexthdr+2 flowid ${IH}:40
> # Send packets <64 bytes (u16 0 0xffc0 at 2) with only the ACK flag set (match u8 16 0xff at nexthdr+13) to the low latency queue
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 6 u32 ht ${IH}6:0 match u16 0 0xffc0 at 2 match u8 16 0xff at nexthdr+13 flowid ${IH}:40
> # Web
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 8 u32 ht ${IH}6:0 match tcp dst 80 0xffff at nexthdr+2 flowid ${IH}:30
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 8 u32 ht ${IH}6:0 match tcp dst 443 0xffff at nexthdr+2 flowid ${IH}:30
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 8 u32 ht ${IH}6:0 match tcp dst 8080 0xffff at nexthdr+2 flowid ${IH}:30
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 8 u32 ht ${IH}6:0 match tcp dst 8443 0xffff at nexthdr+2 flowid ${IH}:30

Mmmh... it's not clear to me why you use 'nexthdr+0'/src or 'nexthdr+2'/dst... isn't using 'src' the same as using 'nexthdr+0', and conversely 'dst' the same as 'nexthdr+2'?!

4) On filter list ${IH}7:0 (UDP): link filter list ${IH}8: for these matches. Does 'u16 0 0xff00 at 2' mean 'non-fragmented packets'? Or does it mean 'less than 256 bytes'?!

> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 4 u32 ht ${IH}7:0 match ip dst 172.30.14.0/24 match u16 0 0xff00 at 2 link ${IH}8:
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 4 u32 ht ${IH}7:0 match ip dst 208.46.93.14 match u16 0 0xff00 at 2 link ${IH}8:
> # Prioritized UDP traffic
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 7 u32 ht ${IH}7:0 match udp dst 53 0xffff at nexthdr+2 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 7 u32 ht ${IH}7:0 match udp src 53 0xffff at nexthdr+0 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 7 u32 ht ${IH}7:0 match udp dst 500 0xffff at nexthdr+2 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 7 u32 ht ${IH}7:0 match udp src 500 0xffff at nexthdr+0 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 7 u32 ht ${IH}7:0 match udp dst 4500 0xffff at nexthdr+2 flowid ${IH}:40
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 7 u32 ht ${IH}7:0 match udp src 4500 0xffff at nexthdr+0 flowid ${IH}:40

5) On filter list ${IH}8:0 (UDP, more specific): OK, match ports with the higher bits set.

> # VoIP - UDP packets to the VoIP network under 256 Bytes over port 1024
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 5 u32 ht ${IH}8:0 match udp dst 32768 0x8000 at nexthdr+2 flowid ${IH}:20
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 5 u32 ht ${IH}8:0 match udp dst 16384 0x4000 at nexthdr+2 flowid ${IH}:20
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 5 u32 ht ${IH}8:0 match udp dst 8192 0x2000 at nexthdr+2 flowid ${IH}:20
> ${TC} filter ${ACTION} dev ${IIFB} parent ${IH}:0 protocol ip prio 5 u32 ht ${IH}8:0 match udp dst 4096 0x1000 at nexthdr+2 flowid ${IH}:20

OK, after that work, I start to understand something, I think. Still many questions.

1) Probably I need a good IP header poster on my office wall. ;)

2) I've lost the clue on the relation between the filter priority (prio X) and the handle filter item number (A:B:C, so C). E.g., if I specify 'prio 1' and handle 'a:b:100', and next 'prio 100' and handle 'a:b:1', which executes first?

3) The whole 'hashing' topic is still a mystery; but for now I don't need it... ;-)

Thanks to all, of course particularly to John.

--
Dr. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
--
To unsubscribe from this list: send the line "unsubscribe lartc" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
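Added example, not part of Marco's mail or of John's tcfilters script: a small Python model of the u32 primitives the quoted rules rely on, so the field fetches can be checked on real bytes. `match()` is 'match uN VALUE MASK at OFF', `nexthdr()` is the 'offset at 0 mask 0x0f00 shift 6 plus 0' rule, and `classify()` is a reduced walk of the quoted ingress rules (ESP, the TCP list, the UDP list and the VoIP link) that returns the minor class id. The packets are constructed with IP options so the header-length rule has something to do; every helper name and sample address is an assumption of this example, the 172.30.14.0/24 network and the ports come from the script.

```python
import socket
import struct

# Constructed sample packets (not captured traffic): just enough IPv4/TCP/UDP
# framing for the u32 field fetches; checksums stay zero since u32 never reads them.

def ipv4(proto, src, dst, payload, tos=0, options=b""):
    """Build an IPv4 packet; IHL grows with the (word-padded) options."""
    assert len(options) % 4 == 0, "IP options must be padded to 32-bit words"
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, total_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload

def tcp(sport, dport, flags, data=b""):
    """20-byte TCP header (data offset 5) plus data; the flags byte sits at TCP offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + data

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# u32 primitives ------------------------------------------------------------

_FETCH = {8: "!B", 16: "!H", 32: "!I"}

def match(pkt, width, value, mask, off):
    """'match uN VALUE MASK at OFF': the masked uN field at byte OFF equals VALUE."""
    field = struct.unpack_from(_FETCH[width], pkt, off)[0]
    return (field & mask) == (value & mask)

def u16_at(pkt, off):
    return struct.unpack_from("!H", pkt, off)[0]

def nexthdr(pkt):
    """'offset at 0 mask 0x0f00 shift 6 plus 0': the u16 at offset 0 is version|IHL|TOS;
    masking with 0x0f00 keeps IHL<<8 and shifting right by 6 leaves IHL*4, i.e. the
    IPv4 header length in bytes, options included."""
    return (u16_at(pkt, 0) & 0x0f00) >> 6

def ip_u32(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

VOIP_NET = ip_u32("172.30.14.0")   # the 'match ip dst 172.30.14.0/24' from the script

def classify(pkt):
    """Reduced walk of the quoted ingress rules; returns the minor class id or None."""
    nh = nexthdr(pkt)
    if match(pkt, 8, 50, 0xff, 9):                        # match ip protocol 50 0xff
        return 50
    if match(pkt, 8, 6, 0xff, 9):                         # TCP -> list 6:
        # total length < 64 (u16 0 0xffc0 at 2) and only ACK set (u8 16 0xff at nexthdr+13)
        if match(pkt, 16, 0, 0xffc0, 2) and match(pkt, 8, 0x10, 0xff, nh + 13):
            return 40
        for port in (22, 922, 1022, 3389):                # interactive, either direction
            if match(pkt, 16, port, 0xffff, nh + 2) or match(pkt, 16, port, 0xffff, nh + 0):
                return 40
        for port in (80, 443, 8080, 8443):                # web, dst port only
            if match(pkt, 16, port, 0xffff, nh + 2):
                return 30
    elif match(pkt, 8, 17, 0xff, 9):                      # UDP -> list 7:
        # 'match ip dst 172.30.14.0/24 match u16 0 0xff00 at 2 link 8:' -- the length
        # test is simply total length < 256; it says nothing about fragmentation
        if match(pkt, 32, VOIP_NET, 0xffffff00, 16) and match(pkt, 16, 0, 0xff00, 2):
            # list 8: dst port with any of bits 15..12 set, i.e. port >= 4096
            for value, mask in ((32768, 0x8000), (16384, 0x4000), (8192, 0x2000), (4096, 0x1000)):
                if match(pkt, 16, value, mask, nh + 2):
                    return 20
        for port in (53, 500, 4500):                      # prioritized UDP, either direction
            if match(pkt, 16, port, 0xffff, nh + 2) or match(pkt, 16, port, 0xffff, nh + 0):
                return 40
    return None

# Sample packets (constructed)
PURE_ACK  = ipv4(6, "10.0.0.1", "10.0.0.2", tcp(40000, 443, 0x10))              # 40 bytes, ACK only
HTTPS     = ipv4(6, "10.0.0.1", "10.0.0.2", tcp(40000, 443, 0x18, b"x" * 200))
HTTPS_OPT = ipv4(6, "10.0.0.1", "10.0.0.2", tcp(40000, 443, 0x18, b"x" * 200),
                 options=b"\x01" * 8)                                            # 8 bytes of NOP options
VOIP      = ipv4(17, "10.0.0.1", "172.30.14.5", udp(10000, 10000, b"x" * 100))
VOIP_BIG  = ipv4(17, "10.0.0.1", "172.30.14.5", udp(10000, 10000, b"x" * 300))
DNS       = ipv4(17, "10.0.0.1", "10.0.0.2", udp(5555, 53, b"q" * 30))
ESP       = ipv4(50, "10.0.0.1", "10.0.0.2", b"\x00" * 40)

if __name__ == "__main__":
    for name, pkt in [("PURE_ACK", PURE_ACK), ("HTTPS", HTTPS), ("HTTPS_OPT", HTTPS_OPT),
                      ("VOIP", VOIP), ("VOIP_BIG", VOIP_BIG), ("DNS", DNS), ("ESP", ESP)]:
        print(f"{name:10s} hdrlen={nexthdr(pkt):2d} len={len(pkt):4d} -> class {classify(pkt)}")
    # why the IHL-aware offset matters: a fixed 'at 22' on the options packet reads option bytes
    print("fixed offset 22 on HTTPS_OPT:", hex(u16_at(HTTPS_OPT, 22)))
```

The HTTPS_OPT case is the point of the 'offset ... shift 6' rule: with 8 bytes of options the TCP destination port lives at byte 30, not 22, and a rule using a fixed offset would be comparing NOP bytes (0x0101) against 443. The VOIP_BIG case shows that 'u16 0 0xff00 at 2' is a size test on the IP total length, so a 328-byte datagram to the VoIP network falls through to the ordinary UDP rules.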