LARTC - Feb 2007 - Order of ''tc filer''

Hi

How can I control which filter a packet will meet first?

I have tried changing the order of applying the tc filter scripts and
switching flowid number, but ''protocol ip u32 match ip src <ip
net>
match ip src 0.0.0.0/0'' always kicks in first?
>From my script
--------------------
# All traffic - Priority: Low
tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip src
<ip net> match ip src 0.0.0.0/0 flowid 1:21
# Traffic between offices (IPSEC) - Priority: High
tc filter add dev eth0 parent 1:0 prio 0 protocol ip u32 match ip src
<ip net> match ip protocol 50 0xff flowid 1:22


# tc -s filter show dev eth0
----------------------------------
filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 800::802 order 2050 key ht
800 bkt 0 flowid 1:21  (rule hit 428 success 426)
  match c0000000/e0000000 at 16 (success 426 )
  match 00000000/00000000 at 12 (success 426 )
filter parent 1: protocol ip pref 49151 u32
filter parent 1: protocol ip pref 49151 u32 fh 803: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 803::800 order 2048 key
ht 803 bkt 0 flowid 1:22  (rule hit 3 success 0)
  match c0000000/e0000000 at 16 (success 0 )
  match 00320000/00ff0000 at 8 (success 0 )

- Martin

OK - I solved the thing. Using ''prio 0'' actually gives the
filter a
low priority.

I just used ''prio 1'' instead and know I can control the order
:-)

- Martin

On 2/17/07, Martin Schiøtz <malinux@gmail.com>
wrote:
> Hi
>
> How can I control which filter a packet will meet first?
>
> I have tried changing the order of applying the tc filter scripts and
> switching flowid number, but ''protocol ip u32 match ip src <ip
net>
> match ip src 0.0.0.0/0'' always kicks in first?
>
> From my script
> --------------------
> # All traffic - Priority: Low
> tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip src
> <ip net> match ip src 0.0.0.0/0 flowid 1:21
> # Traffic between offices (IPSEC) - Priority: High
> tc filter add dev eth0 parent 1:0 prio 0 protocol ip u32 match ip src
> <ip net> match ip protocol 50 0xff flowid 1:22
>
>
> # tc -s filter show dev eth0
> ----------------------------------
> filter parent 1: protocol ip pref 2 u32
> filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 2 u32 fh 800::802 order 2050 key ht
> 800 bkt 0 flowid 1:21  (rule hit 428 success 426)
>   match c0000000/e0000000 at 16 (success 426 )
>   match 00000000/00000000 at 12 (success 426 )
> filter parent 1: protocol ip pref 49151 u32
> filter parent 1: protocol ip pref 49151 u32 fh 803: ht divisor 1
> filter parent 1: protocol ip pref 49151 u32 fh 803::800 order 2048 key
> ht 803 bkt 0 flowid 1:22  (rule hit 3 success 0)
>   match c0000000/e0000000 at 16 (success 0 )
>   match 00320000/00ff0000 at 8 (success 0 )
>
> - Martin
>

This is the reverse of what I believe I have read - you may want to continue
looking.  Prio 0 is supposed to be the highest, i believe.

Bob


---------- Original Message -----------
From: "Martin Schiøtz" <malinux@gmail.com>
To: lartc@mailman.ds9a.nl
Sent: Sat, 17 Feb 2007 19:14:46 +0100
Subject: [LARTC] Re: Order of ''tc filer''
> OK - I solved the thing. Using ''prio 0'' actually gives
the filter a
> low priority.
> 
> I just used ''prio 1'' instead and know I can control the
order :-)
> 
> - Martin
> 
> On 2/17/07, Martin Schiøtz <malinux@gmail.com> wrote:
> > Hi
> >
> > How can I control which filter a packet will meet first?
> >
> > I have tried changing the order of applying the tc filter scripts and
> > switching flowid number, but ''protocol ip u32 match ip src
<ip net>
> > match ip src 0.0.0.0/0'' always kicks in first?
> >
> > From my script
> > --------------------
> > # All traffic - Priority: Low
> > tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip src
> > <ip net> match ip src 0.0.0.0/0 flowid 1:21
> > # Traffic between offices (IPSEC) - Priority: High
> > tc filter add dev eth0 parent 1:0 prio 0 protocol ip u32 match ip src
> > <ip net> match ip protocol 50 0xff flowid 1:22
> >
> >
> > # tc -s filter show dev eth0
> > ----------------------------------
> > filter parent 1: protocol ip pref 2 u32
> > filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
> > filter parent 1: protocol ip pref 2 u32 fh 800::802 order 2050 key ht
> > 800 bkt 0 flowid 1:21  (rule hit 428 success 426)
> >   match c0000000/e0000000 at 16 (success 426 )
> >   match 00000000/00000000 at 12 (success 426 )
> > filter parent 1: protocol ip pref 49151 u32
> > filter parent 1: protocol ip pref 49151 u32 fh 803: ht divisor 1
> > filter parent 1: protocol ip pref 49151 u32 fh 803::800 order 2048 key
> > ht 803 bkt 0 flowid 1:22  (rule hit 3 success 0)
> >   match c0000000/e0000000 at 16 (success 0 )
> >   match 00320000/00ff0000 at 8 (success 0 )
> >
> > - Martin
> >
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
------- End of Original Message -------

I thought so too - maybe I was too fast.

I want too be sure that a packet always first is checked/filtered
against src <ip net> and protocol 50 and if it matches it goes to
flowid 1:21 (prio 0 - high).
Then if it does not match above - it is checked/filtered against src
<ip net> and dst <any ip> and goes to flowid 1:22 (prio 2 - low).

But it seems that a filter with prio 0 always is the last filter to be
checked and filters with prio 1,2,3.... is checked in that same order.
It seem that the order has something to do with the pref value the
filter gets.
prio 1 = pref 1
prio 2 = pref 2
prio 3 = pref 3
...
prio 0 = pref 49151

Anyway I don''t think that the prio should have anything to do with the
order of the filtering. If it had I guess that a filter with prio 0
would be first filter to be check.
The question is can I somehow in some reasonable way control the order
of the filtering?

- Martin

On 2/17/07, Bob Puff <bob@nleaudio.com> wrote:
> This is the reverse of what I believe I have read - you may want to
continue
> looking.  Prio 0 is supposed to be the highest, i believe.
>
> Bob
>
>
> ---------- Original Message -----------
> From: "Martin Schiøtz" <malinux@gmail.com>
> To: lartc@mailman.ds9a.nl
> Sent: Sat, 17 Feb 2007 19:14:46 +0100
> Subject: [LARTC] Re: Order of ''tc filer''
>
> > OK - I solved the thing. Using ''prio 0'' actually
gives the filter a
> > low priority.
> >
> > I just used ''prio 1'' instead and know I can control
the order :-)
> >
> > - Martin
> >
> > On 2/17/07, Martin Schiøtz <malinux@gmail.com> wrote:
> > > Hi
> > >
> > > How can I control which filter a packet will meet first?
> > >
> > > I have tried changing the order of applying the tc filter scripts
and
> > > switching flowid number, but ''protocol ip u32 match ip
src <ip net>
> > > match ip src 0.0.0.0/0'' always kicks in first?
> > >
> > > From my script
> > > --------------------
> > > # All traffic - Priority: Low
> > > tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip
src
> > > <ip net> match ip src 0.0.0.0/0 flowid 1:21
> > > # Traffic between offices (IPSEC) - Priority: High
> > > tc filter add dev eth0 parent 1:0 prio 0 protocol ip u32 match ip
src
> > > <ip net> match ip protocol 50 0xff flowid 1:22
> > >
> > >
> > > # tc -s filter show dev eth0
> > > ----------------------------------
> > > filter parent 1: protocol ip pref 2 u32
> > > filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
> > > filter parent 1: protocol ip pref 2 u32 fh 800::802 order 2050
key ht
> > > 800 bkt 0 flowid 1:21  (rule hit 428 success 426)
> > >   match c0000000/e0000000 at 16 (success 426 )
> > >   match 00000000/00000000 at 12 (success 426 )
> > > filter parent 1: protocol ip pref 49151 u32
> > > filter parent 1: protocol ip pref 49151 u32 fh 803: ht divisor 1
> > > filter parent 1: protocol ip pref 49151 u32 fh 803::800 order
2048 key
> > > ht 803 bkt 0 flowid 1:22  (rule hit 3 success 0)
> > >   match c0000000/e0000000 at 16 (success 0 )
> > >   match 00320000/00ff0000 at 8 (success 0 )
> > >
> > > - Martin
> > >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> ------- End of Original Message -------
>
>

Same here.
In fact every article I''ve read recommend the use of prio 0 for
administration purposes only.

On 2/17/07, Bob Puff <bob@nleaudio.com> wrote:
>
> This is the reverse of what I believe I have read - you may want to
> continue
> looking.  Prio 0 is supposed to be the highest, i believe.
>
> Bob
>
>
> ---------- Original Message -----------
> From: "Martin Schiøtz" <malinux@gmail.com>
> To: lartc@mailman.ds9a.nl
> Sent: Sat, 17 Feb 2007 19:14:46 +0100
> Subject: [LARTC] Re: Order of ''tc filer''
>
> > OK - I solved the thing. Using ''prio 0'' actually
gives the filter a
> > low priority.
> >
> > I just used ''prio 1'' instead and know I can control
the order :-)
> >
> > - Martin
> >
> > On 2/17/07, Martin Schiøtz <malinux@gmail.com> wrote:
> > > Hi
> > >
> > > How can I control which filter a packet will meet first?
> > >
> > > I have tried changing the order of applying the tc filter scripts
and
> > > switching flowid number, but ''protocol ip u32 match ip
src <ip net>
> > > match ip src 0.0.0.0/0'' always kicks in first?
> > >
> > > From my script
> > > --------------------
> > > # All traffic - Priority: Low
> > > tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip
src
> > > <ip net> match ip src 0.0.0.0/0 flowid 1:21
> > > # Traffic between offices (IPSEC) - Priority: High
> > > tc filter add dev eth0 parent 1:0 prio 0 protocol ip u32 match ip
src
> > > <ip net> match ip protocol 50 0xff flowid 1:22
> > >
> > >
> > > # tc -s filter show dev eth0
> > > ----------------------------------
> > > filter parent 1: protocol ip pref 2 u32
> > > filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
> > > filter parent 1: protocol ip pref 2 u32 fh 800::802 order 2050
key ht
> > > 800 bkt 0 flowid 1:21  (rule hit 428 success 426)
> > >   match c0000000/e0000000 at 16 (success 426 )
> > >   match 00000000/00000000 at 12 (success 426 )
> > > filter parent 1: protocol ip pref 49151 u32
> > > filter parent 1: protocol ip pref 49151 u32 fh 803: ht divisor 1
> > > filter parent 1: protocol ip pref 49151 u32 fh 803::800 order
2048 key
> > > ht 803 bkt 0 flowid 1:22  (rule hit 3 success 0)
> > >   match c0000000/e0000000 at 16 (success 0 )
> > >   match 00320000/00ff0000 at 8 (success 0 )
> > >
> > > - Martin
> > >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> ------- End of Original Message -------
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc