Hi Adam,
sure. With this filter I match UDP traffic from fd00:0:0:41::11.50000 to
fd00:0:0:41::10.60000. tc-u32 offers a nicer way to specify this but for
some reason the u32 "udp src" and "udp dst" matches do not work in my setup.
My initial goal was to use this filter
tc filter add dev $IF protocol all parent 1:0 prio 1 u32 match ip6 src
${IP_SRC}/128 match ip6 dst ${IP_DST}/128 match ip6 protocol 17 0xff
match udp src 50000 0xffff match udp dst 60000 0xffff classid 1:4 action
pass
but, as mentioned, the udp src/dst matches at nexthdr+0 are never hit
(success 0 ):
tc -s filter ls dev enp0s31f6
~~~~
filter parent 1: protocol all pref 1 u32 chain 0
filter parent 1: protocol all pref 1 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol all pref 1 u32 chain 0 fh 800::800 order 2048
key ht 800 bkt 0 flowid 1:4 not_in_hw (rule hit 1 success 0)
match fd000000/ffffffff at 8 (success 1 )
match 00000041/ffffffff at 12 (success 1 )
match 00000000/ffffffff at 16 (success 1 )
match 00000011/ffffffff at 20 (success 1 )
match fd000000/ffffffff at 24 (success 1 )
match 00000041/ffffffff at 28 (success 1 )
match 00000000/ffffffff at 32 (success 1 )
match 00000010/ffffffff at 36 (success 1 )
match 00001100/0000ff00 at 4 (success 1 )
match c350ea60/ffffffff at nexthdr+0 (success 0 )
action order 1: gact action pass
random type none pass val 0
index 1 ref 1 bind 1 installed 0 sec used 0 sec
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
~~~~
The u32 filter you asked about is basically just the plain u32 version
of what the filter above (in my opinion) should have done. And it works,
i.e. it matches 350ea60/ffffffff at 40.
tc -s filter ls dev enp0s31f6
~~~~
filter parent 1: protocol all pref 1 u32 chain 0
filter parent 1: protocol all pref 1 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol all pref 1 u32 chain 0 fh 800::800 order 2048
key ht 800 bkt 0 flowid 1:4 not_in_hw (rule hit 2 success 1)
match 00001100/0000ff00 at 4 (success 1 )
match fd000000/ffffffff at 8 (success 1 )
match 00000041/ffffffff at 12 (success 1 )
match 00000000/ffffffff at 16 (success 1 )
match 00000011/ffffffff at 20 (success 1 )
match fd000000/ffffffff at 24 (success 1 )
match 00000041/ffffffff at 28 (success 1 )
match 00000000/ffffffff at 32 (success 1 )
match 00000010/ffffffff at 36 (success 1 )
match c350ea60/ffffffff at 40 (success 1 )
action order 1: gact action pass
random type none pass val 0
index 1 ref 1 bind 1 installed 0 sec
Action statistics:
Sent 162 bytes 1 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
~~~~
You could also use
tc filter add dev $IF protocol all parent 1:0 prio 1 u32 match ip6 src
${IP_SRC}/128 match ip6 dst ${IP_DST}/128 match ip6 protocol 17 0xff
match u32 0xc350ea60 0xffffffff at 40 classid 1:4 action pass
to achieve the same result, i.e. convert udp src/dst to their plain u32
notation and match at 40 instead of at nexthdr+40.
Best regards,
Daniel
On 08/05/18 11:10, Adam Nieścierowicz wrote:
I ask out of curiosity, Can you explain what you intend to achieve with
the following rules?
W dniu 04.08.2018 o 16:39, Daniel Thiele pisze:
c filter add dev $IF protocol all parent 1:0 prio 1 \
u32 \
match u32 0x00001100 0x0000ff00 at 4 \
match u32 0xfd000000 0xffffffff at 8 \
match u32 0x00000041 0xffffffff at 12 \
match u32 0x00000000 0xffffffff at 16 \
match u32 0x00000011 0xffffffff at 20 \
match u32 0xfd000000 0xffffffff at 24 \
match u32 0x00000041 0xffffffff at 28 \
match u32 0x00000000 0xffffffff at 32 \
match u32 0x00000010 0xffffffff at 36 \
match u32 0xc350ea60 0xffffffff at 40 \
classid 1:4 action pass
~~~~
--
---
Pozdrawiam
Adam Nieścierowicz
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
