Re: tc nexthdr

Linux Advanced Routing and Traffic Control


Hi Christian,

Although the u32 filter is quite powerful, it has a few limitations. I would not recommend matching VOIP which can use RTP, SIP, H323 etc.
The issue you might be facing, in attempting to identify RTP, might be due to the first 2 payload bytes of an RTP packet typically beginning with 0x8$$$ or 0x9$$$ (where $ can be any hex value). This can erroneously also match DNS or other UDP traffic. It can be done if you also specify the packet length in order to exclude DNS, but I would recommend going with a packet inspection library like nDPI (kernel module + iptables + tc filter fw).

Cheers,

Remy

Sent from my Phone

> On 10 Apr 2014, at 10:57, Christian Rößner <cr@xxxxxxx> wrote:
> 
> Hi,
> 
> this is my first post to this list.
> 
> I try to match several RTPv2 codecs with tc u32 and I ended up with the following:
> 
> tc filter add dev mydevice protocol ip parent 1:0 pref 3 u32 \
>    match ip protocol 0x11 0xFF \
>    match u16 0x8008 0xC07F at 28 \
>    flowid 1:110
> 
> So far this works. It means (at least I hope so):
> 
> - match UDP,
> - match the first two bytes in the UDP payload, which are part of the RTP header
>  - first two bits say „version 2“ RTP
>  - last 7 bits encode the codec. In this example G.711 PCMA
> 
> So now this code is just working for IPv4. And I would like to have a more generic one using nexthdr. So I tried:
> 
> tc filter add dev mydevice protocol ip parent 1:0 pref 3 u32 \
>    match ip protocol 0x11 0xFF \
>    match u16 0x8008 0xC07F at nexthdr+4 \
>    flowid 1:110
> 
> Problem with this is that it matches packets, but when doing a test call with VoIP I can see that it does not match RTP traffic but some wrong traffic. So I guess my „nexthdr+4“ is wrong. I thought that the nexthdr depends on the selector u16 and therefore needs to be 4. 4*16=64, which should be 8 bytes offset to UDP, which is the beginning of the payload, isn’t it?
> 
> Can someone help me fix this rule? Thanks in advance
> 
> Kind regards
> 
> -Christian Rößner
> 
> --
> [*] sys4 AG
> 
> http://sys4.de, +49 (89) 30 90 46 64
> Franziskanerstraße 15, 81669 München
> 
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer
> Aufsichtsratsvorsitzender: Florian Kirstein
> 
> --
> To unsubscribe from this list: send the line "unsubscribe lartc" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
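
Added example, not part of the thread: a Python simulation of the u32 key/mask test from the quoted filter, showing the DNS false positive described in the reply and how an extra key on the UDP length field removes it. It assumes a 20-byte IPv4 header (as `at 28` does) and G.711 at 20 ms packetization (160 payload bytes); both packets are constructed samples.

```python
import struct

def u32_match(pkt, offset, value, mask, width=2):
    """u32 key test: big-endian field at `offset` from the IP header, compared under `mask`."""
    if offset + width > len(pkt):
        return False
    field = int.from_bytes(pkt[offset:offset + width], "big")
    return (field & mask) == (value & mask)

def ipv4_udp(payload, sport, dport):
    """Constructed IPv4 (IHL=5, no options) + UDP packet; checksums left at 0."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp

def is_udp(pkt):
    return u32_match(pkt, 9, 0x11, 0xFF, width=1)   # match ip protocol 0x11 0xFF

def rtp_key_only(pkt):
    # The filter from the thread: match u16 0x8008 0xC07F at 28
    return is_udp(pkt) and u32_match(pkt, 28, 0x8008, 0xC07F)

def rtp_key_and_length(pkt, udp_len=180):
    # Extra key on the UDP length field (IP offset 24). 180 = 8 UDP + 12 RTP + 160
    # bytes of G.711 at an assumed 20 ms packetization.
    return rtp_key_only(pkt) and u32_match(pkt, 24, udp_len, 0xFFFF)

# Constructed samples.
RTP_PCMA = ipv4_udp(struct.pack("!BBHII", 0x80, 8, 1, 160, 0x12345678) + bytes(160),
                    16384, 16386)
# DNS query whose transaction ID 0xBF88 satisfies (id & 0xC07F) == 0x8008.
DNS_QUERY = ipv4_udp(struct.pack("!HHHHHH", 0xBF88, 0x0100, 1, 0, 0, 0)
                     + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1),
                     40000, 53)

if __name__ == "__main__":
    for name, pkt in (("RTP PCMA", RTP_PCMA), ("DNS query", DNS_QUERY)):
        print(f"{name:10} key-only={rtp_key_only(pkt)} "
              f"key+length={rtp_key_and_length(pkt)}")
```

The length key only helps for codecs and packetization times with a fixed packet size; other UDP traffic of the same length with a matching first two bytes would still be classified as RTP.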