Dear All
I am trying a very simple set up: (a bit long message follows)
#Flush previous definitions
$TC qdisc del dev $VVNET root >&/dev/null
$TC qdisc del dev $INTERNET root >&/dev/null
$IPT -t mangle -D PREROUTING -i $INTERNET -d 200.231.56.0/24 -j IMQ --todev 0
# Mothers of all disciplines
$TC qdisc add dev $VVNET root handle 1: htb default FFFF r2q 1
$TC qdisc add dev $INTERNET root handle 1: htb default FFFF r2q 1
#Master Class - outputs to local radio network and internet
$TC class add dev $VVNET parent 1: classid 1:1 htb rate 256Kbit ceil 256Kbit
$TC class add dev $INTERNET parent 1: classid 1:1 htb rate 256Kbit ceil 256Kbit
#Everything coming from internet to the clients goes thru IMQ
$IPT -t mangle -A PREROUTING -i $INTERNET -d 1.2.3.0/24 -j IMQ --todev 0
$IP link set imq0 up
#Ping classes
$TC class add dev $INTERNET parent 1:1 classid 1:22 htb \
rate 100Kbit ceil 100Kbit
$TC class add dev $VVNET parent 1:1 classid 1:22 htb \
rate 100Kbit ceil 100Kbit
So far no news! Let's try some filtering:
$TC filter add dev $VVNET protocol ip \
parent 1:0 prio 2 u32 \
match ip icmp_type 0 0xff flowid 1:22
$TC filter add dev $VVNET protocol ip \
parent 1:0 prio 2 u32 \
match ip icmp_type 8 0xff flowid 1:22
$TC filter add dev $INTERNET protocol ip \
parent 1:0 prio 2 u32 \
match ip icmp_type 0 0xff flowid 1:22
$TC filter add dev $INTERNET protocol ip \
parent 1:0 prio 2 u32 \
match ip icmp_type 8 0xff flowid 1:22
What do I mean!? Every single icmp (request or reply) goes thru
its own class.
But if I ping interface $INTERNET address (from outside)
'tc -s class show dev $INTERNET' counter for class 1:22
doesn't increment!
(pings do get replied). There is sometimes something passing thru 1:22 but it
is certainly not icmp packets I am filtering.
For the record: default class 1:ffff counter is NOT incrementing as well.
What is wrong with my setup??
# tc filter ls dev eth3 ($INTERNET is eth3)
filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 \
bkt 0 flowid 1:22 match 00000000/ff000000 at 20
filter parent 1: protocol ip pref 2 u32 fh 800::801 order 2049 key ht 800 \
bkt 0 flowid 1:22 match 08000000/ff000000 at 20
(BTW this offset 'at 20' is it decimal or hex???
'tc add filter' put it there, not me.)
# tc -s class show dev eth3 |head -5 ; echo sleeping 5 seconds; \
sleep 5 ;tc -s class show dev eth3 |head -5
class htb 1:22 parent 1:1 prio 0 rate 100Kbit ceil 100Kbit\
burst 1727b cburst 1727b
Sent 44408169 bytes 58800 pkts (dropped 0, overlimits 0)
lended: 58800 borrowed: 0 giants: 0
tokens: 105984 ctokens: 105984
sleeping 5 seconds
class htb 1:22 parent 1:1 prio 0 rate 100Kbit ceil 100Kbit\
burst 1727b cburst 1727b
Sent 44408169 bytes 58800 pkts (dropped 0, overlimits 0)
lended: 58800 borrowed: 0 giants: 0
tokens: 105984 ctokens: 105984
#
Thanx for your time
Regards
--
Ethy H. Brito         /"\
InterNexo Ltda.       \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860     X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil   / \
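
Added example, not part of the original message: a small evaluator for the u32 keys shown in the 'tc filter ls' listing above, run over constructed packets. It treats 'at 20' as a decimal byte offset from the start of the IP header, so the icmp_type key alone also selects a TCP packet whose source port is 2048 and misses an echo request that carries IP options. The protocol key '00010000/00ff0000 at 8' (the form of 'match ip protocol 1 0xff') is an assumption and does not appear in the post.

```python
import re
import struct

def parse_key(text):
    """Parse one u32 key as printed by 'tc filter ls': VALUE/MASK at OFFSET."""
    m = re.search(r"match ([0-9a-f]{8})/([0-9a-f]{8}) at (\d+)", text)
    return int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))

def key_matches(key, packet):
    """Compare the big-endian 32-bit word at OFFSET bytes from the IP header start."""
    value, mask, offset = key
    if len(packet) < offset + 4:
        return False
    (word,) = struct.unpack_from("!I", packet, offset)
    return (word & mask) == value

def classify(keys, packet):
    """A u32 filter selects the packet only if every one of its keys matches."""
    return all(key_matches(k, packet) for k in keys)

def ipv4(proto, payload, options=b""):
    """Constructed IPv4 header (checksum left at zero) followed by payload."""
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + options + payload

# Constructed sample packets (documentation addresses, not captured traffic)
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
ECHO_REQUEST = ipv4(1, ICMP_ECHO)
TCP_SPORT_2048 = ipv4(6, struct.pack("!HHIIBBHHH", 2048, 80, 0, 0, 0x50, 2, 1024, 0, 0))
ECHO_WITH_OPTIONS = ipv4(1, ICMP_ECHO, options=b"\x01\x01\x01\x01")

# First key is copied from the listing above; the protocol key is an assumption
ICMP_TYPE_8 = parse_key("match 08000000/ff000000 at 20")
PROTO_ICMP = parse_key("match 00010000/00ff0000 at 8")

if __name__ == "__main__":
    samples = [("echo request", ECHO_REQUEST),
               ("tcp source port 2048", TCP_SPORT_2048),
               ("echo request with IP options", ECHO_WITH_OPTIONS)]
    for name, pkt in samples:
        print(name, "| type key only:", classify([ICMP_TYPE_8], pkt),
              "| protocol + type keys:", classify([PROTO_ICMP, ICMP_TYPE_8], pkt))
```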