tc filter with IPv6 and firewall marks

Linux Advanced Routing and Traffic Control


Hi,

I've been trying to write a tc filter to classify IPv6 traffic based on firewall marks. However, I've discovered that what works well for IPv4 does not work at all for IPv6. Has anyone else been able to get tc filter working for IPv6 firewall marks? Below is a script that illustrates what I'm trying to do, and how I'm testing it. Ideas and your experiences are greatly appreciated.

Thanks,
Russell

#!/bin/bash

dev=enp0s25

# clean start
iptables -t mangle -F
ip6tables -t mangle -F
tc qdisc del dev ${dev} root

# packet marking
iptables  -t mangle -I POSTROUTING -d 255.255.255.255 -j MARK --set-mark 1
ip6tables -t mangle -I POSTROUTING -d fe80::1/64 -j MARK --set-mark 1

# qdisc setup and filtering
tc qdisc add dev ${dev} root handle 9: htb default 2
tc class add dev ${dev} parent 9: classid 9:1 htb rate 10Mbit
tc class add dev ${dev} parent 9: classid 9:2 htb rate 10Mbit

tc filter add dev ${dev} protocol all pref 1 handle 1 fw flowid 9:1

# watch results with:
#     watch tc -s class show dev ${dev}
#     watch iptables -L -v -n -t mangle
#     watch ip6tables -L -v -n -t mangle

# stimulate with:
#     ping -b 255.255.255.255 -I ${dev}
#     ping6 fe80::1%${dev}

# Observations:
# IPv4 is correctly placed in classid 9:1
# IPv6 is incorrectly placed in 9:2 !!! It should have been placed in 9:1
# The following command shows the IPv6 packets are correctly marked:
#     ip6tables -L -v -n -t mangle
