Hi,

I want to use inverted matches with tc-filter. I tried to invert the matches with a "!", but this doesn't seem to be the correct syntax.

The following rules don't work:

---------------------------snip-----------------------------------------

$TC filter $ACTION dev $DEV protocol ip parent 1:0 u32 match ip src ${NETWORK[$i]} !match ip dst 192.168.0.0/24 flowid 1:$(($(($i+1))*10));

------------------------------------------------------------------------

$TC filter $ACTION dev $DEV protocol ip parent 1:0 u32 match ip src ${NETWORK[$i]} match ip dst !192.168.0.0/24 flowid 1:$(($(($i+1))*10));

---------------------------snap-----------------------------------------

The rules should match all IP packets coming from networks in 192.168.0.XXX (the NETWORK[] array) but not match if the packets are destined for 192.168.0.0/24, as this is my internal network ;-)

Thanx for any hint

Rene Bartsch

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Rene Bartsch wrote:
> Hi,
>
> I want to use inverted matches with tc-filter. I tried to invert the
> matches with a "!", but this doesn't seem to be the correct syntax.
>
> The following rules don't work:
>
> ---------------------------snip-----------------------------------------
>
> $TC filter $ACTION dev $DEV protocol ip parent 1:0 u32 match ip src
> ${NETWORK[$i]} !match ip dst 192.168.0.0/24 flowid 1:$(($(($i+1))*10));

Use fw filter and iptables marking, or just iptables and the classify target.
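The approach the reply sketches, worked out as an added example (this is not Rene's script and not commands from the reply). The negation that u32 cannot express is done by iptables ("! -d"), and tc gets either a mark for an fw filter (variant A) or the class id directly via the CLASSIFY target (variant B). DEV, INTERNAL and the NETWORKS list are placeholders standing in for the poster's $DEV, 192.168.0.0/24 and NETWORK[] array; the script prints the commands unless DRY_RUN=0 is set, so it can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example, not Rene's script or the reply's own commands: move the
# negation into iptables, which supports "! -d", and hand tc either a mark
# (variant A, fw filter) or the class id itself (variant B, CLASSIFY target).
# DEV, INTERNAL and NETWORKS are placeholders standing in for the poster's
# $DEV, 192.168.0.0/24 and NETWORK[] array.
DEV=${DEV:-eth0}
INTERNAL=${INTERNAL:-192.168.0.0/24}
NETWORKS=${NETWORKS:-"192.168.0.0/28 192.168.0.16/28"}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands; DRY_RUN=0 executes them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Variant A: MARK in mangle/POSTROUTING, then a tc "fw" filter at the root
# maps mark i to class 1:(i*10). Network i (1-based) gets mark i.
mark_rules() {
    i=1
    for net in $NETWORKS; do
        run iptables -t mangle -A POSTROUTING -o "$DEV" -s "$net" ! -d "$INTERNAL" \
            -j MARK --set-mark "$i"
        run tc filter add dev "$DEV" parent 1:0 protocol ip prio 1 \
            handle "$i" fw flowid "1:$((i * 10))"
        i=$((i + 1))
    done
}

# Variant B: no tc filter at all; CLASSIFY stores the class id on the packet
# and HTB picks it up on enqueue.
classify_rules() {
    i=1
    for net in $NETWORKS; do
        run iptables -t mangle -A POSTROUTING -o "$DEV" -s "$net" ! -d "$INTERNAL" \
            -j CLASSIFY --set-class "1:$((i * 10))"
        i=$((i + 1))
    done
}

# Verification after applying: the packet counters show whether the negated
# rule really matches (traffic bound for INTERNAL must not be counted).
show_counters() {
    run iptables -t mangle -L POSTROUTING -v -n
    run tc -s filter show dev "$DEV" parent 1:0
}

case "${1:-mark}" in
    mark)     mark_rules ;;
    classify) classify_rules ;;
    show)     show_counters ;;
esac
```

Run as `sh script.sh mark` or `sh script.sh classify` to see the generated rules, and with `DRY_RUN=0` to apply them. The class numbering (1:10, 1:20, ...) follows the flowid formula in Rene's rules; whichever variant is used, the iptables counter on the negated rule is the quickest check that internal-bound packets are being left alone.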
Hi everyone, and thanks for your help so far.

I have been playing around with tc and htb for a couple of weeks now, and while I am nowhere near understanding everything here, I am beginning to know more about packets than I ever wanted to know.

I have two university buildings with a 1mb connection to the Internet. The two buildings (on either side of town) are connected through a tunnel using their internet connection, so that the administration can use the database across town. They have to share the connection with all the students on both sides, and the traffic the teachers create. So the people in admin have a hard time connecting to their database.

What I have done so far is to create two leaves 1:10 and 1:20 and filtered the traffic going to the database on the far end. What the admin there would like is that the connection is fully available for everyone, until the secretary wants to look something up on the database. Then it should have top priority and all the other traffic should virtually stop.

I managed to apply the filters and have the packets ending up in the right leaf. But the results are far from satisfactory.

#!/bin/bash
tc qdisc add dev eth1 root handle 1: htb default 30
tc class add dev eth1 parent 1: classid 1:1 htb rate 96mbit burst 15k
tc class add dev eth1 parent 1: classid 1:7 htb rate 128kbps burst 15k
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 96mbit burst 15k
tc class add dev eth1 parent 1:7 classid 1:20 htb rate 127kbps ceil 128kbps burst 15k prio 0
tc class add dev eth1 parent 1:7 classid 1:30 htb rate 1kbps ceil 128kbps burst 1k prio 2
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
U32="tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32"
$U32 match ip src xx.xx.xx.xx/26 flowid 1:10
$U32 match ip dst 10.190.19.0/28 match ip sport 19813 0xffff flowid 1:20

Only if I lower the ceiling on leaf 1:30 does it show any results. If I have the ceiling the same on both, there is no measurable result in speed. They both seem to share the connection equally.

Am I missing the point, is it possible at all, or am I just too dumb to get it right?

Thanks a lot,

.peter
On Wed, 2004-10-13 at 21:33, Peter Huetmannsberger wrote:
> I have two university buildings with a 1mb connection to the Internet. The
> two buildings (on either side of town) are connected through a tunnel

A tunnel eh.. so.. tun0?? (not reflected in below script?)

> the connection is fully available for everyone, until
> the secretary wants to look something up on the database. Then it should
> have top priority and all the other traffic should virtually stop.

Virtually stop? Wow. That's harsh.

> #!/bin/bash
> tc qdisc add dev eth1 root handle 1: htb default 30
> tc class add dev eth1 parent 1: classid 1:1 htb rate 96mbit burst 15k

Why is it 96mbit here?? I thought you had a 1mbit conn only? But anyway.

> tc qdisc add dev eth1 root handle 1: htb default 30
> tc class add dev eth1 parent 1: classid 1:7 htb rate 128kbps burst 15k
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 96mbit burst 15k
> tc class add dev eth1 parent 1:7 classid 1:20 htb rate 127kbps ceil 128kbps
> burst 15k prio 0

Wouldn't it be better to use ...rate 128kbps burst 15k prio 0 (?) The ceiling here serves no purpose.

> tc class add dev eth1 parent 1:7 classid 1:30 htb rate 1kbps ceil 128kbps
> burst 1k prio 2
> U32="tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32"
> $U32 match ip src xx.xx.xx.xx/26 flowid 1:10
> $U32 match ip dst 10.190.19.0/28 match ip sport 19813 0xffff flowid 1:20

I'm not too familiar with usage of U32, I prefer the iptables MARK scheme. Eg: Since you know which is the dest IP, I would prefer to put in an iptables rule to mark the dest IP.

iptables -t mangle -A POSTROUTING -d 10.190.19.0/28 -p tcp -j MARK --set-mark 1

(but you have defined a source port(?))

tc filter add dev eth1 parent 1:7 protocol ip prio 0 handle 1 fw classid 1:20

> Only if I lower the ceiling on leaf 1:30 does it show any results. If I
> have the ceiling the same on both, there is no measurable result in
> speed. They both seem to share the connection equally.

I think this is because your U32 is not matching the traffic. Remember, your default rule is to put _all_ traffic in classid 1:30. Only when there are matches will they go to classid 1:20.

> Am I missing the point, is it possible at all, or am I just too dumb to get
> it right?

Don't worry, the community are here to help.

--
Ow Mun Heng
Fedora GNU/Linux Core 2 on D600 1.4Ghz CPU kernel 2.6.7-2.jul1-interactive
Neuromancer 10:55:05 up 1:27, 7 users, load average: 0.67, 0.28, 0.28
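The MARK-plus-fw setup Ow Mun Heng describes, together with a way to test his diagnosis that the filter is simply not matching, as an added example (not Peter's script and not Ow Mun Heng's exact commands). The HTB tree is sized for the 1 mbit uplink, the database class 1:20 gets prio 0 and a large guaranteed rate, everything else falls into the default 1:30, and the fw filter is attached at the root (parent 1:0, as Peter's own U32 lines are) so HTB consults it for every packet before the default class applies. The class_pkts helper reads the packet counter of a class out of "tc -s class show", which is the direct check for "nothing is landing in 1:20". LINK, the rates, and matching 19813 as the destination port are assumptions; the DB_NET value is the one from the thread; the sample statistics are constructed, not captured from Peter's box. The script prints the commands unless DRY_RUN=0 is set, and it models only the uplink: if eth1 also carries LAN traffic, that needs its own unshaped class like Peter's 1:10.

```shell
#!/bin/sh
# Added example, not Peter's script or Ow Mun Heng's exact commands: HTB for a
# 1 mbit uplink where the database class 1:20 (prio 0, 90% guaranteed) wins the
# link whenever it has packets and all other traffic defaults to 1:30.
# Classification: iptables MARK in mangle/POSTROUTING plus a tc "fw" filter at
# the root (parent 1:0). LINK, DB_PORT as destination port and the rates are
# assumptions; DB_NET is the subnet from the thread.
DEV=${DEV:-eth1}
LINK=${LINK:-1mbit}
DB_NET=${DB_NET:-10.190.19.0/28}
DB_PORT=${DB_PORT:-19813}            # assumed to be the server's listening port
DRY_RUN=${DRY_RUN:-1}                # 1 = print commands; DRY_RUN=0 executes (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_htb() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 30
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK"
    # 1:20 is guaranteed 900kbit and served first; 1:30 keeps a 100kbit floor
    # so bulk traffic slows to a crawl rather than stalling while 1:20 is busy.
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate 900kbit ceil "$LINK" prio 0
    run tc class add dev "$DEV" parent 1:1 classid 1:30 htb rate 100kbit ceil "$LINK" prio 2
    run tc qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10
    run tc qdisc add dev "$DEV" parent 1:30 handle 30: sfq perturb 10
}

setup_filters() {
    # Mark database traffic in mangle/POSTROUTING, then map mark 1 to 1:20.
    run iptables -t mangle -A POSTROUTING -o "$DEV" -p tcp -d "$DB_NET" \
        --dport "$DB_PORT" -j MARK --set-mark 1
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio 1 handle 1 fw flowid 1:20
}

# "Your U32 is not matching" is testable: read the packet counter of one class
# out of "tc -s class show dev $DEV" (the "Sent N bytes M pkt" line).
# usage: tc -s class show dev eth1 | class_pkts 1:20
class_pkts() {
    awk -v cls="$1" '
        $1 == "class" && $3 == cls { want = 1; next }
        $1 == "class"              { want = 0 }
        want && $1 == "Sent"       { print $4; exit }
    '
}

# Succeeds only if the class has seen at least one packet.
check_classification() {
    n=$(class_pkts "$1")
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Constructed sample of "tc -s class show" output (not from the poster's box):
# the filter is not matching, so every packet went to 1:30 and 1:20 sent nothing.
SAMPLE_STATS='class htb 1:1 root rate 1Mbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 504000 bytes 412 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 900Kbit ceil 1Mbit burst 1599b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:30 parent 1:1 leaf 30: prio 2 rate 100Kbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 504000 bytes 412 pkt (dropped 0, overlimits 12 requeues 0)'

setup_htb
setup_filters
if printf '%s\n' "$SAMPLE_STATS" | check_classification 1:20; then
    echo "class 1:20 is receiving packets"
else
    echo "class 1:20 has seen no packets: the filter is not matching"
fi
```

After applying with `DRY_RUN=0`, generate some database traffic and run `tc -s class show dev eth1 | class_pkts 1:20` a couple of times: a counter that stays at 0 while 1:30 climbs means the mark is not being set (check `iptables -t mangle -L POSTROUTING -v -n` for the rule's own counter and whether the port really is the destination port), not that HTB is ignoring the priorities.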