On Fri, 2 Aug 2019 13:00:23 +0200, Pablo Neira Ayuso wrote:
> Hi Jakub,
>
> If the user specifies 'pref' in the new rule, then tc checks if there
> is a tcf_proto object that matches this priority. If the tcf_proto
> object does not exist, tc creates a tcf_proto object and it adds the
> new rule to this tcf_proto.
>
> In cls_flower, each tcf_proto only stores one single rule, so if the
> user tries to add another rule with the same 'pref', cls_flower
> returns EEXIST.

😳 So you're saying this doesn't work?

ip link add type dummy
tc qdisc add dev dummy0 clsact
tc filter add dev dummy0 ingress protocol ipv6 prio 123 flower src_ip 1111::1 action drop
tc filter add dev dummy0 ingress protocol ipv6 prio 123 flower src_ip 1111::2 action drop
tc filter add dev dummy0 ingress protocol ipv6 prio 123 flower src_ip 1111::3 action drop
tc filter add dev dummy0 ingress protocol ipv6 prio 123 flower src_ip 1111::4 action drop
tc filter add dev dummy0 ingress protocol ipv6 prio 123 flower src_ip 1111::5 action drop
tc filter show dev dummy0 ingress

filter protocol ipv6 pref 123 flower chain 0
filter protocol ipv6 pref 123 flower chain 0 handle 0x1
  eth_type ipv6
  src_ip 1111::1
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 1 ref 1 bind 1

filter protocol ipv6 pref 123 flower chain 0 handle 0x2
  eth_type ipv6
  src_ip 1111::2
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 2 ref 1 bind 1

filter protocol ipv6 pref 123 flower chain 0 handle 0x3
  eth_type ipv6
  src_ip 1111::3
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 3 ref 1 bind 1

filter protocol ipv6 pref 123 flower chain 0 handle 0x4
  eth_type ipv6
  src_ip 1111::4
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 4 ref 1 bind 1

filter protocol ipv6 pref 123 flower chain 0 handle 0x5
  eth_type ipv6
  src_ip 1111::5
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 5 ref 1 bind 1

> I'll prepare a new patchset not to map the priority to the netfilter
> basechain priority, instead the rule priority will be internally
> allocated for each new rule.

In which you're adding fake priorities to rules, AFAICT, and continue to baffle me.