Re: ipset support in tc
|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
Damn! Never thought of that. You are right - it might be my bash shell as everything was executed from the command line.2. tc ematch bug tc filter add dev ifb0 protocol ip parent f:0 prio 10\ basic match (ipset'(set1 src,src,dst)' or ipset'(set2 dst,src,src)' or ipset'(set3 src,dst)') and ipset'(set4 src,src)'\ flowid f:38 produces the following error: syntax error near unexpected token `('Probably from your shell? Escaping the outer ( ) via \ works for me: .. match \(ipset'(set1 src,src,dst)' or ipset'(set2 dst,src,src)' or ipset'(set3 \ src,dst)'\) and ipset'(set4 src,src)' flowid ...
3. Numerous tc ematch ipset bugs:Well, i did warn you :-)
No problem, I was expecting it.
3.1. bitmap:port can't produce any matches ipset n b_test-port bitmap:port range 22-22 timeout 0 ipset a b_test-port 22 tc filter add dev ifb0 protocol ip parent f:0 prio 14\ basic match ipset'(b_test-port src)'\ flowid f:26 produces no matches. This is also true when port match is present in an "and" | "or" logical expression, like ipset'(b_ssh-host src)' and ipset'(b_ssh-port src)'True. The bug is that classifiers run with skb->data pointing to the L2 header, but netfilter starts with skb->data pointing to L3 header. Please, consider re-testing with this patchlet:
Will do that straight away and recompile tc.
Should I assume that by applying your patchlet I could test the above bugs again or should I wait? Please let me know.3.2. hash:ip,port produces no matches: ipset n h_test-hosts hash:ip,port family inet timeout 0 hashsize 64 ipset a h_test-hosts 10.1.1.7,tcp:22 tc filter add dev ifb0 protocol ip parent f:0 prio 21\ basic match ipset'(h_test-hosts src,src)'\ flowid f:33Haven't tried this, but anything trying to access transport headers won't work due to bug above.
Thanks for testing!
Pleasure, any time! -- To unsubscribe from this list: send the line "unsubscribe lartc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html