Re: tc filter (flower and u32) on physical interface for both tagged and untagged traffic does not work

Linux Advanced Routing and Traffic Control


 



Hi Adam,

sure. With this filter I match UDP traffic from fd00:0:0:41::11.50000 to fd00:0:0:41::10.60000. tc-u32 offers a nicer way to specify this but for some reason the u32 "udp src" and "udp dst" matches do not work in my setup.

My initial goal was to use this filter

tc filter add dev $IF protocol all parent 1:0 prio 1 u32 match ip6 src ${IP_SRC}/128 match ip6 dst ${IP_DST}/128 match ip6 protocol 17 0xff match udp src 50000 0xffff match udp dst 60000 0xffff classid 1:4 action pass

but, as mentioned, the udp src/dst matches at nexthdr+0 are never hit (success 0 ):

tc -s filter ls dev enp0s31f6
~~~~
filter parent 1: protocol all pref 1 u32 chain 0
filter parent 1: protocol all pref 1 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol all pref 1 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:4 not_in_hw (rule hit 1 success 0)
  match fd000000/ffffffff at 8 (success 1 )
  match 00000041/ffffffff at 12 (success 1 )
  match 00000000/ffffffff at 16 (success 1 )
  match 00000011/ffffffff at 20 (success 1 )
  match fd000000/ffffffff at 24 (success 1 )
  match 00000041/ffffffff at 28 (success 1 )
  match 00000000/ffffffff at 32 (success 1 )
  match 00000010/ffffffff at 36 (success 1 )
  match 00001100/0000ff00 at 4 (success 1 )
  match c350ea60/ffffffff at nexthdr+0 (success 0 )
        action order 1: gact action pass
         random type none pass val 0
         index 1 ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
~~~~


The u32 filter you asked about is basically just the plain u32 version of what the filter above (in my opinion) should have done. And it works, i.e. it matches c350ea60/ffffffff at 40.

tc -s filter ls dev enp0s31f6
~~~~
filter parent 1: protocol all pref 1 u32 chain 0
filter parent 1: protocol all pref 1 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol all pref 1 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:4 not_in_hw (rule hit 2 success 1)
  match 00001100/0000ff00 at 4 (success 1 )
  match fd000000/ffffffff at 8 (success 1 )
  match 00000041/ffffffff at 12 (success 1 )
  match 00000000/ffffffff at 16 (success 1 )
  match 00000011/ffffffff at 20 (success 1 )
  match fd000000/ffffffff at 24 (success 1 )
  match 00000041/ffffffff at 28 (success 1 )
  match 00000000/ffffffff at 32 (success 1 )
  match 00000010/ffffffff at 36 (success 1 )
  match c350ea60/ffffffff at 40 (success 1 )
        action order 1: gact action pass
         random type none pass val 0
         index 1 ref 1 bind 1 installed 0 sec
        Action statistics:
        Sent 162 bytes 1 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
~~~~

You could also use

tc filter add dev $IF protocol all parent 1:0 prio 1 u32 match ip6 src ${IP_SRC}/128 match ip6 dst ${IP_DST}/128 match ip6 protocol 17 0xff match u32 0xc350ea60 0xffffffff at 40 classid 1:4 action pass

to achieve the same result, i.e. convert udp src/dst to their plain u32 notation and match at 40 instead of at nexthdr+40.


Best regards,
Daniel




On 08/05/18 11:10, Adam Nieścierowicz wrote:
I ask out of curiosity: can you explain what you intend to achieve with the following rules?


On 04.08.2018 at 16:39, Daniel Thiele wrote:
~~~~
tc filter add dev $IF protocol all parent 1:0 prio 1 \
        u32 \
        match u32 0x00001100 0x0000ff00 at 4 \
        match u32 0xfd000000 0xffffffff at 8 \
        match u32 0x00000041 0xffffffff at 12 \
        match u32 0x00000000 0xffffffff at 16 \
        match u32 0x00000011 0xffffffff at 20 \
        match u32 0xfd000000 0xffffffff at 24 \
        match u32 0x00000041 0xffffffff at 28 \
        match u32 0x00000000 0xffffffff at 32 \
        match u32 0x00000010 0xffffffff at 36 \
        match u32 0xc350ea60 0xffffffff at 40 \
        classid 1:4 action pass
~~~~

--
---
Regards
Adam Nieścierowicz
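
The hand-written offsets in the thread can be derived mechanically. The sketch below is an added example, not code from either poster: it computes the same ten u32 keys from the addresses and ports and checks them against a constructed packet. The function names are hypothetical, and it assumes a fixed 40-byte IPv6 header with no extension headers and offsets counted from the start of the IPv6 header.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40  # assumption: fixed IPv6 header, no extension headers
PROTO_UDP = 17

def u32_keys(src, dst, sport, dport):
    """Return (value, mask, offset) triples for IPv6 src/dst plus UDP ports."""
    # Word at offset 4 is payload length (2 bytes), next header, hop limit.
    keys = [(PROTO_UDP << 8, 0x0000FF00, 4)]
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    for i, word in enumerate(struct.unpack("!8I", addrs)):
        keys.append((word, 0xFFFFFFFF, 8 + 4 * i))  # src at 8..20, dst at 24..36
    # UDP source and destination port share the first word after the header.
    keys.append(((sport << 16) | dport, 0xFFFFFFFF, IPV6_HDR_LEN))
    return keys

def tc_command(dev, keys, parent="1:0", classid="1:4"):
    """Render the keys as a tc u32 filter in the form used in the thread."""
    matches = " ".join(f"match u32 0x{v:08x} 0x{m:08x} at {o}" for v, m, o in keys)
    return (f"tc filter add dev {dev} protocol all parent {parent} prio 1 "
            f"u32 {matches} classid {classid} action pass")

def build_packet(src, dst, sport, dport, payload=b"test"):
    """Constructed IPv6+UDP packet; checksum left at 0, used only for offsets."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip6 = struct.pack("!IHBB", 6 << 28, len(udp), PROTO_UDP, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + udp

def packet_matches(packet, keys):
    """Evaluate fixed-offset keys: every (word & mask) must equal its value."""
    for value, mask, off in keys:
        if off + 4 > len(packet):
            return False  # key points past the end of the packet
        (word,) = struct.unpack_from("!I", packet, off)
        if (word & mask) != value:
            return False
    return True

if __name__ == "__main__":
    keys = u32_keys("fd00:0:0:41::11", "fd00:0:0:41::10", 50000, 60000)
    print(tc_command("enp0s31f6", keys))
    pkt = build_packet("fd00:0:0:41::11", "fd00:0:0:41::10", 50000, 60000)
    print(packet_matches(pkt, keys))
```
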
