On Wed, 2012-05-09 at 18:22 +0200, Marco Gaiarin wrote:
> > Kernel, iproute and iptables are steadily *in sync* with debian
> > packages and are patched with:
>
> I've rethought my setup a bit, and at least I can give ifb a try.
>
> Simply because ''complex'' traffic goes into some OpenVPN tunnels,
> where I can precisely control the flow, using the opposite end.
>
> So it suffices for me to filter based on TCP port and protocol, and so
> it also seems that u32 suffices.
>
>
> I've set up a test script, but:
>
> /sbin/tc filter add dev ifb2 parent 1:0 protocol ip prio 1 u32 match ip protocol 17 0xff match udp dport 22001 0xfff flowid 1:10
> Illegal "match"
> /sbin/tc filter add dev ifb2 parent 1:0 protocol ip prio 1 u32 match ip protocol 17 0xff match udp dport 22027 0xfff flowid 1:10
> Illegal "match"
> /sbin/tc filter add dev ifb2 parent 1:0 protocol ip prio 2 u32 match ip protocol 17 0xff match udp sport 22005 0xfff flowid 1:10
> Illegal "match"
> /sbin/tc filter add dev ifb2 parent 1:0 protocol ip prio 2 u32 match ip protocol 6 0xff match tcp port 22 0xfff flowid 1:20
> Illegal "match"
> /sbin/tc filter add dev ifb2 parent 1:0 protocol ip prio 3 u32 match ip protocol 17 0xff match tcp port 80 0xfff flowid 1:30
> Illegal "match"
> /sbin/tc filter add dev ifb2 parent 1:0 protocol ip prio 3 u32 match ip protocol 17 0xff match tcp port 443 0xfff flowid 1:30
> Illegal "match"
> /sbin/tc filter add dev ifb2 parent 1:0 protocol ip prio 3 u32 match tcp port 53 0xfff flowid 1:30
> Illegal "match"
> /sbin/tc filter add dev ifb2 parent 1:0 protocol ip prio 4 u32 match ip protocol 6 0xff match tcp port 25 0xfff flowid 1:40
> Illegal "match"
> /sbin/tc filter add dev ifb2 parent 1:0 protocol ip prio 5 flowid 1:50
> Unknown filter "flowid", hence option "1:50" is unparsable
>
> I've googled around a bit, but I'm a bit confused about the tc
> command-line syntax.
>
> Can someone point me to a tc/u32 reference, or at least to my mistakes?
>
>
> Thanks.
>
tc filters can be quite daunting but a quick search on "tc u32 filter"
showed:
http://b42.cz/notes/u32_classifier/
http://lartc.org/howto/lartc.qdisc.filters.html
http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.adv-filter.u32.html
I believe "dport 22001 0xfff" and "tcp port 80 0xfff" are characteristic
of the problems. First, the mask is 0xffff - note the missing f.
I'm not 100% sure on the syntax because we use hash tables for matching
specific protocols/ports, but I think you want something like:
"match ip sport 80 0xffff"
In a hash table, it would be something like:
"match tcp dst 80 0xffff"
I hope that's enough to get you going. Good luck - John
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
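Added here as a worked example; it is not code from either message in the thread nor from iproute2 itself. The script prints the quoted rule set in the selector form iproute2's u32 parser actually accepts: the port selectors are spelled "match ip sport"/"match ip dport" (or "match tcp src"/"match tcp dst", "match udp src"/"match udp dst"); "udp dport", "tcp port" and the like are not selector keywords, which is what "Illegal match" reports, and the mask for a 16-bit port is 0xffff. "match ip sport/dport" read the two bytes at offsets 20 and 22 from the start of the IP header, so they assume an IP header without options; the "tcp"/"udp" forms are relative to the next header and belong in the hash-table/offset setup John mentions. The last quoted error is a different mistake: no classifier was named, so tc took "flowid" as the filter type; a catch-all still needs "u32 match u32 0 0". Assumptions of this example: device ifb2, a root qdisc with handle 1:, the class ids 1:10 to 1:50 from the quoted script, the "protocol 17 ... tcp port" lines and the port-53 line taken as TCP, and "tcp port N" expanded to one filter per direction. The commands are only printed, so it runs without root; the second half shows, with the kernel's own (field & mask) == (value & mask) test, which other ports a key for 22001 with mask 0xfff selects.

```shell
#!/bin/sh
# Added example, not code from the thread or from iproute2. Builds u32 port
# filters for an ifb device in the keyword/mask form iproute2 accepts and
# shows at the bit level what a short mask such as 0xfff does. Assumed:
# device ifb2, root qdisc handle 1:, class ids 1:10..1:50 from the quoted
# script. Nothing needs root: the tc commands are printed, not executed.

: "${TC:=/sbin/tc}"
: "${DEV:=ifb2}"

# Print one "match ip sport|dport" filter. iproute2 spells the port
# selectors "ip sport"/"ip dport" (and "tcp src"/"tcp dst"), never
# "udp dport" or "tcp port"; the mask for a 16-bit port is 0xffff.
# "ip sport/dport" read bytes 20/22 from the start of the IP header, so
# they assume an IP header without options.
u32_port_filter() {
    upf_proto=$1 upf_dir=$2 upf_port=$3 upf_prio=$4 upf_flowid=$5
    case $upf_proto in
        tcp) upf_pnum=6 ;;
        udp) upf_pnum=17 ;;
        *) echo "u32_port_filter: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case $upf_dir in
        sport|dport) ;;
        *) echo "u32_port_filter: direction must be sport or dport" >&2; return 1 ;;
    esac
    printf '%s filter add dev %s parent 1:0 protocol ip prio %s u32 match ip protocol %s 0xff match ip %s %s 0xffff flowid %s\n' \
        "$TC" "$DEV" "$upf_prio" "$upf_pnum" "$upf_dir" "$upf_port" "$upf_flowid"
}

# "tcp port 22" (either direction) needs two u32 filters, one per direction.
u32_port_filter_both() {
    u32_port_filter "$1" sport "$2" "$3" "$4" && u32_port_filter "$1" dport "$2" "$3" "$4"
}

# Catch-all: a filter line must name a classifier, so "prio 5 flowid 1:50"
# alone is rejected ("Unknown filter flowid"); "u32 match u32 0 0" matches
# every packet.
u32_catchall() {
    printf '%s filter add dev %s parent 1:0 protocol ip prio %s u32 match u32 0 0 flowid %s\n' \
        "$TC" "$DEV" "$1" "$2"
}

# The kernel test behind every u32 key: (field & mask) == (value & mask).
# Usage: u32_port_matches PORT VALUE MASK
u32_port_matches() {
    [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]
}

# List the other ports a (VALUE, MASK) key selects besides VALUE itself.
u32_port_collisions() {
    upc_p=0
    while [ "$upc_p" -le 65535 ]; do
        if [ "$upc_p" -ne "$1" ] && u32_port_matches "$upc_p" "$1" "$2"; then
            printf '%s ' "$upc_p"
        fi
        upc_p=$(( upc_p + 1 ))
    done
    echo
}

# Corrected versions of the quoted rules. Assumption: the "protocol 17 ...
# tcp port" lines and the port-53 line are treated as TCP.
u32_port_filter udp dport 22001 1 1:10
u32_port_filter udp dport 22027 1 1:10
u32_port_filter udp sport 22005 2 1:10
u32_port_filter_both tcp 22  2 1:20
u32_port_filter_both tcp 80  3 1:30
u32_port_filter_both tcp 443 3 1:30
u32_port_filter_both tcp 53  3 1:30
u32_port_filter_both tcp 25  4 1:40
u32_catchall 5 1:50

# Why the extra f matters: with mask 0xfff a key for port 22001 (0x55f1)
# also selects 1521, 5617, ... every port whose low 12 bits are 0x5f1.
printf 'ports also matched by 22001 with mask 0xfff: '
u32_port_collisions 22001 0xfff
```

Run it as-is to see the corrected command lines, or pipe its output to `sh` on a host where the ifb device and root qdisc exist. Once a rule is in place, `tc -s filter show dev ifb2` lists the installed u32 keys with their offsets and masks, which is the quickest way to confirm that a selector compiled to the field you meant.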
References: Some more test on ingress, ifb, fwmark