On Tuesday 27 May 2003 11:49, Jurijs Dorofejevs wrote:
> Hi!
>
> Can anybody explain me how does the mask work in filters?
>
> This example set filter for exactly port #2000 :
> tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip sport
> 2000 0xffff classid 1:256
>
> But if I need to set filter for the range of ports, for example, ports
> from 2000 till 3000, what mask do I need?
>
> Trying google, I've read that Mask = 0xffff - (high_port - low_port),
> that in my case will be: Mask = 0xffff - (3000 - 2000) = 0xfc17
>
> tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip sport
> 2000 0xfc17 classid 1:256
>
> But this example doesn't work correctly and I suppose that I'm wrong
> with mask defying algorithm.
>
> Any ideas?

I don't use the u32 mask myself, but I think you have to write it down in
binary to understand.

Easy example :
match ip sport 2000 0xffff
2000   = 0000 0111 1101 0000
0xfff0 = 1111 1111 1111 0000
So all packets going from 0000 0111 1101 0000 (2000) to
0000 0111 1101 0000 (2031) are matched.

Other example :
match ip sport 2000 0xfc17
2000   = 0000 0111 1101 0000
0xfc17 = 1111 1100 0001 0111
This is more complicated. This matches all packets with
0000 01xx xxx1 x000 (x = 0 or 1) as source port.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

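Added example (not part of the original messages): a Python sketch of the u32 comparison discussed in the reply above, `(port & mask) == (value & mask)`, used to list what `2000 0xfc17` selects and to split the 2000-3000 range into aligned power-of-two blocks, since one value/mask pair can only describe such a block. The function names are illustrative assumptions; the dev, parent, prio and classid values are the ones from the question.

```python
PORT_BITS = 16
FULL = (1 << PORT_BITS) - 1  # 0xffff, every bit of the port is compared


def u32_match(port, value, mask):
    """u32 semantics: only the bits set in the mask are compared."""
    return (port & mask) == (value & mask)


def matched_ports(value, mask):
    """Every 16-bit port that a single 'match ip sport VALUE MASK' selects."""
    return [p for p in range(FULL + 1) if u32_match(p, value, mask)]


def range_to_masks(lo, hi):
    """Split [lo, hi] into aligned power-of-two blocks, one (value, mask) each."""
    if not (0 <= lo <= hi <= FULL):
        raise ValueError("need 0 <= lo <= hi <= 65535")
    out = []
    while lo <= hi:
        # Largest block that starts at lo: limited by lo's lowest set bit...
        size = (lo & -lo) if lo else (1 << PORT_BITS)
        # ...and by not running past hi.
        while lo + size - 1 > hi:
            size >>= 1
        out.append((lo, FULL & ~(size - 1)))
        lo += size
    return out


def tc_commands(lo, hi, dev="eth1", parent="1:0", classid="1:256"):
    """One filter line per block, in the command form used in the question."""
    return [
        f"tc filter add dev {dev} parent {parent} protocol ip prio 100 "
        f"u32 match ip sport {value} {mask:#06x} classid {classid}"
        for value, mask in range_to_masks(lo, hi)
    ]


if __name__ == "__main__":
    hit = matched_ports(2000, 0xfc17)
    print(f"2000 0xfc17 selects {len(hit)} ports between {min(hit)} and {max(hit)}")
    for line in tc_commands(2000, 3000):
        print(line)
```

Running it prints the set selected by the subtracted mask and then the filter lines that together cover source ports 2000 through 3000 and nothing else.
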
Hi Guys,

A couple of days ago I sent a mail here regarding routing browsing
packets to a different gateway. Well here's an update which I believe
will shed more light on the problem.

I am now marking all TCP and udp packets on a test box with a one.

I then route these packets via a routing table through an ISDN device.

If I delete this route I instantly get destination net unreachable from
the client side (my linux box)

When I add it back in, it just sits and eventually times out.

If I do a tcpdump on the server that I am trying to telnet I can see
that it's getting the packets that I send to establish the connection
and is sending the SYN packets back, but yet my side still just sits. It
almost appears that it doesn't work with MASQ.

Now before everyone starts nailing me about MASQ as per
"IMPORTANT: We received a report that MASQ and SNAT at least collide
with marking packets." and "Turn off the reverse path filter to make it
work properly." - I have done that and I get the same results.

It appears that the packets are being dropped somewhere.

It feels like I am missing something really small and arb.

Any help would be appreciated

--
Riaan Annandale
Client Services: Corporate Support Engineer
TISCALI (PTY) LTD
THE COMMUNICATION COMPANY
42 Wierda Road West, Wierda Valley, Sandton
Mobile :
Office : +27 11 286 5014
Fax :
E-Mail : Riaan.Annandale@za.tiscali.com
http://www.tiscali.co.za

Disclaimer: This email is considered a business record and is
therefore property of Tiscali. This email, and any files transmitted
with it are confidential and are intended solely for the use of the
individual or entity to whom they are addressed. This communication
represents the originator's personal views and opinions, which do not
necessarily reflect those of Tiscali. If you are not the original
recipient or the person responsible for delivering the email to the
intended recipient, be advised that you have this email in error, and
that any use, dissemination, forwarding, printing, or copying of this
email is strictly prohibited. If you received this email in error,
please immediately notify disclaimer@za.tiscali.com.

Sorry I made a typo :(

"and is sending the SYN packets back" - SYN should be ACK

On Tue, May 27, 2003 at 10:36:31AM +0200, Riaan Annandale wrote:
> Hi Guys,
>
> A couple of days ago I sent a mail here regarding routing browsing
> packets to a different gateway. Well here's an update which I believe
> will shed more light on the problem.
>
> I am now marking all TCP and udp packets on a test box with a one.
>
> I then route these packets via a routing table through an ISDN device.
>
> If I delete this route I instantly get destination net unreachable from
> the client side (my linux box)
>
> When I add it back in, it just sits and eventually times out.
>
> If I do a tcpdump on the server that I am trying to telnet I can see
> that it's getting the packets that I send to establish the connection
> and is sending the SYN packets back, but yet my side still just sits. It
> almost appears that it doesn't work with MASQ.
>
> Now before everyone starts nailing me about MASQ as per
> "IMPORTANT: We received a report that MASQ and SNAT at least collide
> with marking packets." and "Turn off the reverse path filter to make it
> work properly." - I have done that and I get the same results.
>
> It appears that the packets are being dropped somewhere.
>
> It feels like I am missing something really small and arb.
>
> Any help would be appreciated
---end quoted text---

--
Riaan Annandale
Client Services: Corporate Support Engineer
TISCALI (PTY) LTD
THE COMMUNICATION COMPANY
42 Wierda Road West, Wierda Valley, Sandton
Mobile :
Office : +27 11 286 5014
Fax :
E-Mail : Riaan.Annandale@za.tiscali.com
http://www.tiscali.co.za

On May 27, 2003 01:36 am, Riaan Annandale wrote:
> Disclaimer: This email is considered a business record and is
> therefore property of Tiscali. This email, and any files transmitted
> with it are confidential and are intended solely for the use of the
> individual or entity to whom they are addressed. This communication
> represents the originator's personal views and opinions, which do not
> necessarily reflect those of Tiscali. If you are not the original
> recipient or the person responsible for delivering the email to the
> intended recipient, be advised that you have this email in error, and
> that any use, dissemination, forwarding, printing, or copying of this
> email is strictly prohibited. If you received this email in error,
> please immediately notify disclaimer@za.tiscali.com.

I love receiving this stuff :-)

I think I must have received this email in error, since I'm on a public
network and am *convinced* that your views represent those of Tiscali.

Reporting as ordered. :-)

--
Regards, Paul Evans

On Tue, May 27, 2003 at 02:04:21AM -0700, Paul Evans wrote:
>
> I love receiving this stuff :-)
>
> I think I must have received this email in error, since I'm on a public
> network and am *convinced* that your views represent those of Tiscali.
>
> Reporting as ordered. :-)
>
> --
> Regards, Paul Evans

LOL

--
BSD ownz me
--

Daniel Ortiz
d.ortiz@in.ilimit.es

ILIMIT Comunicacions
Departament Sistemes
http://www.ilimit.es
Tel: (+34) 93 733 33 75
Fax: (+34) 93 733 32 43

Yes yes, let's all have a good laugh. Even perfect people do stoopid
things some times ;)

Sorry guys, you'll see that I have now sorted the problem with a
send-hook.

But seriously now, I still need a solution to my problem

On Tue, May 27, 2003 at 11:12:55AM +0200, Daniel Ortiz wrote:
> LOL
>
> --
> BSD ownz me
> --
>
> Daniel Ortiz
> d.ortiz@in.ilimit.es
>
> ILIMIT Comunicacions
> Departament Sistemes
> http://www.ilimit.es
> Tel: (+34) 93 733 33 75
> Fax: (+34) 93 733 32 43
---end quoted text---

--
Regards,
Riaan Annandale
Linux Systems Engineer (LPIC-1, CCNA)
0861 22 55 86
riaana at mundane dot co dot za
---------------------
Corrupt, adj.:
In politics, holding an office of trust or profit.

Hi!

Can anybody explain me how does the mask work in filters?

This example set filter for exactly port #2000 :
tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip sport 2000 0xffff classid 1:256

But if I need to set filter for the range of ports, for example, ports
from 2000 till 3000, what mask do I need?

Trying google, I've read that Mask = 0xffff - (high_port - low_port),
that in my case will be: Mask = 0xffff - (3000 - 2000) = 0xfc17

tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 match ip sport 2000 0xfc17 classid 1:256

But this example doesn't work correctly and I suppose that I'm wrong
with mask defying algorithm.

Any ideas?

Hope for your help!

Howzit Guys,

I got the problem sorted, I used the examples under "Routing for
multiple uplinks/providers" to route stuff out the same interface that
it comes in, and voila!, bob's yer uncle!

I wonder if that might not be why the stuff mentioned below didn't work
in the first place.

Well anyway, cheers!

On Tue, May 27, 2003 at 10:36:31AM +0200, Riaan Annandale wrote:
> Hi Guys,
>
> A couple of days ago I sent a mail here regarding routing browsing
> packets to a different gateway. Well here's an update which I believe
> will shed more light on the problem.
>
> I am now marking all TCP and udp packets on a test box with a one.
>
> I then route these packets via a routing table through an ISDN device.
>
> If I delete this route I instantly get destination net unreachable from
> the client side (my linux box)
>
> When I add it back in, it just sits and eventually times out.
>
> If I do a tcpdump on the server that I am trying to telnet I can see
> that it's getting the packets that I send to establish the connection
> and is sending the SYN packets back, but yet my side still just sits. It
> almost appears that it doesn't work with MASQ.
>
> Now before everyone starts nailing me about MASQ as per
> "IMPORTANT: We received a report that MASQ and SNAT at least collide
> with marking packets." and "Turn off the reverse path filter to make it
> work properly." - I have done that and I get the same results.
>
> It appears that the packets are being dropped somewhere.
>
> It feels like I am missing something really small and arb.
>
> Any help would be appreciated
---end quoted text---

--
Regards,
Riaan Annandale
Linux Systems Engineer (LPIC-1, CCNA)
0861 22 55 86
riaana at mundane dot co dot za
---------------------
Angels we have heard on High
Tell us to go out and Buy.
-- Tom Lehrer