> I've some problems using the u32 classifier in a CBQ tree, i.e I'm able
> to filter with some rules like 'match ip dst ', 'match ip dport' but I
> can't filter with rules like 'match tcp dst', or 'match u8 0x10 0xff at
> nexthdr+2' in order to point directly to the tcp destination port in
> the TCP fragment . It can be a problem I think in case of IP packets
> with options.
As far as I can see the nexthdr+N option simply does not work.
You can simulate it to a certain extent by testing the ip header length
for the default, and then just using the standard offset.
Here is an example of finding TCP ACK's:
# match acks the hard way,
# IP protocol 6,
# IP header length 0x5(32 bit words),
# IP Total length 0x34
# TCP ack set (bit 5, offset 33)
tc filter add dev $IF parent 20:0 protocol ip prio 10 u32 \
match ip protocol 6 0xff \
match u8 0x05 0x0f at 0 \
match u8 0x34 0xff at 3 \
match u8 0x10 0xff at 33 \
flowid 20:23
Maybe someday nexthdr will get fixed....
--
sdjl@fireplug.net
-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
