Hi all,
So, I've gotten the gist of a script going for my layer7 filters, but for some
reason it's not rejecting the packets. Can someone give me a hand with this?
(I know, the script is probably ugly as sin, but I've hacked it together from
some misc stuff).
source:
-----------------------------------
#!/bin/sh
# $1 = interface to shape (e.g. eth1)
tc qdisc add dev $1 root handle 1: htb default 30
tc class add dev $1 parent 1: classid 1:1 htb rate 9mbit burst 15k
#set up three classes attached to the root
tc class add dev $1 parent 1:1 classid 1:10 htb rate 20kbit burst 15k
tc class add dev $1 parent 1:1 classid 1:20 htb rate 2mbit burst 15k
tc class add dev $1 parent 1:1 classid 1:30 htb rate 5mbit burst 15k
#make each of them use stochastic fairness queueing
tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $1 parent 1:30 handle 30: sfq perturb 10
#layer7 filters: steer each identified protocol into its class
tc filter add dev $1 protocol ip parent 1:0 prio 1 handle 1 layer7 protocol msnmessenger classid 1:10
tc filter add dev $1 protocol ip parent 1:0 prio 1 layer7 protocol smtp classid 1:20
tc filter add dev $1 protocol ip parent 1:0 prio 1 layer7 protocol ssh classid 1:30
iptables -A FORWARD -s 10.0.0.0/24 --match mark --mark 1 -j REJECT
Would the iptables rule have any effect whatsoever? I don't think so, but it
would be nice.
Output of tc -s class show dev eth1
-----------------------------------------------------------------
class htb 1:1 root rate 9Mbit ceil 9Mbit burst 15334b cburst 12974b
Sent 25012 bytes 287 pkts (dropped 0, overlimits 0)
rate 2bps
lended: 0 borrowed: 0 giants: 0
tokens: 13 ctokens: 11
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 20Kbit ceil 20Kbit burst 15Kb cburst 1623b
Sent 8625 bytes 116 pkts (dropped 0, overlimits 0)
rate 1bps
lended: 116 borrowed: 0 giants: 0
tokens: 5975 ctokens: 609
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 2Mbit ceil 2Mbit burst 15204b cburst 4194b
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 58 ctokens: 16
class htb 1:30 parent 1:1 leaf 30: prio 0 rate 5Mbit ceil 5Mbit burst 15072b cburst 7863b
Sent 16387 bytes 171 pkts (dropped 0, overlimits 0)
rate 1bps
lended: 171 borrowed: 0 giants: 0
tokens: 23 ctokens: 12
----
So, 1:10 is getting data passed through it, but I can't figure out a way to
attach a policing filter that just drops them all into oblivion.
Any help is muy appreciated.
Derek
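Added example, not part of Derek's post and not code from the l7-filter project. The stats above show why nothing is discarded: class 1:10 is a 20kbit HTB leaf, so matched packets are throttled and queued ("dropped 0"), not rejected, and the tc layer7 classifier never sets an nfmark, so an iptables "-m mark --mark 1" rule on its own matches nothing. The script below shows two ways to actually discard identified traffic on top of the HTB tree already built. It assumes the l7-filter patches are present (the "layer7" tc classifier and the "-m layer7" iptables match); interface, protocol name, class id and mark value are parameters, and DRYRUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not Derek's script). Assumes iproute2 with the l7-filter
# tc classifier patch and the l7-filter iptables match (-m layer7).
# DRYRUN=1 prints each command instead of running it.

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Variant A: stay inside tc. Attach a policer to the layer7 filter with a
# negligible rate (8bit = 1 byte/s) and the "drop" exceed action, so matched
# packets are discarded at the filter instead of being queued into the class.
l7_police_drop() {
    dev=$1; proto=$2; cls=$3
    run tc filter add dev "$dev" parent 1:0 protocol ip prio 1 \
        layer7 protocol "$proto" \
        police rate 8bit burst 1k drop flowid "$cls"
}

# Variant B: classify in netfilter instead. Set the mark where the layer7
# match actually runs (mangle table), then drop on that mark in the filter
# table. Without the MARK rule, a "-m mark" rule never sees a marked packet.
l7_mark_and_drop() {
    proto=$1; mark=$2
    run iptables -t mangle -A FORWARD -m layer7 --l7proto "$proto" \
        -j MARK --set-mark "$mark"
    run iptables -A FORWARD -m mark --mark "$mark" -j DROP
}

# Usage: sh drop_l7.sh eth1 msnmessenger      (prefix DRYRUN=1 to print only)
# Only variant A is applied here; call l7_mark_and_drop instead if you
# prefer to keep the decision in netfilter.
if [ "$#" -ge 2 ]; then
    l7_police_drop "$1" "$2" 1:10
fi
```

One caveat with either variant: l7-filter identifies a connection only after inspecting its first few packets, so the opening packets of every flow still get through before the match fires; check `tc -s filter show dev eth1` (variant A) or the mangle-table counters (variant B) to confirm the drop is happening once identification succeeds.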