How can I redirect all traffic that does not come from port 80 to a flow?

I was thinking about something like

tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip sport !80 ......

But this does not work.

Another doubt: if I have two rules that intersect, for example,
one filter with u32 match ip src 10.10.10.10 flowid 1:10
and another with u32 match sport 80 0xffff flowid 1:11, which one will
work in case of a packet to 10.10.10.10 with sport 80?

[]'s
Salatiel

"The greatest pleasure of the intelligent is to play the idiot in front of an idiot who plays the intelligent."
On Wednesday 02 May 2007 10:36, Salatiel Filho wrote:
> How can I redirect all traffic that does not come from port 80 to a flow?
>
> I was thinking about something like
>
> tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip sport
> !80 ......

Maybe you should try an iptables/tc solution:

iptables -t <table> -A <chain> -p tcp ! --sport 80 -j MARK --set-mark 5
tc filter add dev imq1 parent 1: handle 5 fw flowid ...

> But this does not work.
>
> Another doubt: if I have two rules that intersect, for example,
> one filter with u32 match ip src 10.10.10.10 flowid 1:10
> and another with u32 match sport 80 0xffff flowid 1:11, which one will
> work in case of a packet to 10.10.10.10 with sport 80?

From all filters in the current tc node, those with current priority, will match in the same order you declare them. Maybe you want to do something like:

        |-------------|
        | 10.10.10.10 |
        |-------------|
           /       \
          /         \
  |---------|   |----------|
  | default |   | sport 80 |
  |---------|   |----------|

then you will have the traffic from 10.10.10.10 going to the subtree root, and the traffic that also has port 80 as source will go to the right child of the tree. Maybe the rules will look like the following:

iptables -t mangle -A PREROUTING -s 10.10.10.10 -j MARK --set-mark 4
...
# parent (node 10.10.10.10 on *figure*)
tc class add dev imq1 parent 1:1 classid 1:10 htb rate ...
# "default" node
tc class add dev imq1 parent 1:10 classid 1:11 htb rate ...
# "sport 80" node
tc class add dev imq1 parent 1:10 classid 1:12 htb rate ...
...
# filter to match the traffic that will go to "sport 80" node (class 1:12)
tc filter add dev imq1 protocol ip parent 1: prio 1 u32 match ip src 10.10.10.10 match ip sport 80 0xffff flowid 1:12
# filter to match the rest of the traffic from 10.10.10.10 (going to "default", class 1:11)
tc filter add dev imq1 protocol ip parent 1: prio 1 u32 match ip src 10.10.10.10 flowid 1:11

-- 
Alejandro Ramos Encinosa <alex@uh.cu>
Fac. Matemática Computación
Universidad de La Habana
Salatiel Filho wrote:
> How can I redirect all traffic that does not come from port 80 to a flow?
>
> I was thinking about something like
>
> tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip sport
> !80 ......
>
> But this does not work.
>
> Another doubt: if I have two rules that intersect, for example,
> one filter with u32 match ip src 10.10.10.10 flowid 1:10
> and another with u32 match sport 80 0xffff flowid 1:11, which one will
> work in case of a packet to 10.10.10.10 with sport 80?

You need to use prio to order the rules - anything after a rule that matches port 80 will be ! 80 - you cannot make a rule that negates matches directly. If the structure of your htb etc is deep you can make filters attach to parents other than root, but you need to filter the traffic to those flowids first. You can match more than one thing with one filter rule so you can match prio X src ip and 80 then follow with prio (X+1) src ip.

Andy.
On 5/3/07, Andy Furniss <lists@andyfurniss.entadsl.com> wrote:
> Salatiel Filho wrote:
> > How can I redirect all traffic that does not come from port 80 to a flow?
> >
> > I was thinking about something like
> >
> > tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip sport
> > !80 ......
> >
> > But this does not work.
> >
> > Another doubt: if I have two rules that intersect, for example,
> > one filter with u32 match ip src 10.10.10.10 flowid 1:10
> > and another with u32 match sport 80 0xffff flowid 1:11, which one will
> > work in case of a packet to 10.10.10.10 with sport 80?
>
> You need to use prio to order the rules - anything after a rule that
> matches port 80 will be ! 80 - you cannot make a rule that negates
> matches directly. If the structure of your htb etc is deep you can make
> filters attach to parents other than root, but you need to filter the
> traffic to those flowids first. You can match more than one thing with
> one filter rule so you can match prio X src ip and 80 then follow with
> prio (X+1) src ip.
>
> Andy.

Well, I am having a few troubles making this work.
I have something like this in pseudo tc rulez :)

Root class
Class 1 parent ROOT prio 0 filter u32 match sport 80 dst 10.0.0.254
Class 2 parent ROOT prio 0 filter u32 match dport 22
Class 3 parent ROOT prio 7 filter u32 match dst 10.0.0.254
default

Shouldn't traffic from source port 80 and destination 10.0.0.254 go through class 1?
I cannot find a way to make this work; traffic to 10.0.0.254 is always falling into class 3 :/
Am I missing something?

-- 
[]'s
Salatiel

"The greatest pleasure of the intelligent is to play the idiot in front of an idiot who plays the intelligent."
Salatiel Filho wrote:
> Well, I am having a few troubles making this work.
> I have something like this in pseudo tc rulez :)
> Root class
> Class 1 parent ROOT prio 0 filter u32 match sport 80 dst 10.0.0.254
> Class 2 parent ROOT prio 0 filter u32 match dport 22
> Class 3 parent ROOT prio 7 filter u32 match dst 10.0.0.254
> default
>
> Shouldn't traffic from source port 80 and destination 10.0.0.254 go
> through class 1?
> I cannot find a way to make this work; traffic to 10.0.0.254 is always
> falling into class 3 :/
> Am I missing something?

prio 1 is the top prio for filters; 0 ends up much lower.

I think two prio 1s should work in order of entry, but I would use 1 and 2 to be sure. I have seen reverse order of entry if you don't use prio at all ...

tc -s filter ls dev $DEV parent X:Y

should help you see what's going on.

Andy.
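The filter ordering described in Andy's two replies above, modelled in Python as an added example that is not part of the original thread and not tc's own code. The names Filter, evaluation_order, classify and shadowed, the flowids and both rule sets are constructed for illustration; the treatment of prio 0 as sorting below explicit prios is taken from the reply, not from the kernel source.

```python
from dataclasses import dataclass

@dataclass
class Filter:
    prio: int     # tc "prio"; 1 is tried first
    match: dict   # header fields that must all be equal
    flowid: str   # class chosen when the filter matches

def evaluation_order(filters):
    """Ascending prio, then order of entry. Assumption taken from the
    thread: prio 0 is not 'top', it sorts below explicit prios."""
    indexed = sorted(enumerate(filters),
                     key=lambda p: (p[1].prio == 0, p[1].prio, p[0]))
    return [f for _, f in indexed]

def classify(packet, filters, default):
    """Return the flowid of the first filter whose fields all match."""
    for f in evaluation_order(filters):
        if all(packet.get(k) == v for k, v in f.match.items()):
            return f.flowid
    return default  # e.g. the htb "default" class

def shadowed(filters):
    """Filters that can never win: an earlier filter tests a subset of
    the same field/value pairs, so it always matches first."""
    order = evaluation_order(filters)
    return [late for i, late in enumerate(order)
            if any(e.match.items() <= late.match.items() for e in order[:i])]

# Constructed rule sets (hypothetical flowids). "Not port 80" is written as
# a port-80 filter followed by a lower-priority catch-all for the same host.
GOOD = [Filter(1, {"src": "10.10.10.10", "sport": 80}, "1:11"),
        Filter(2, {"src": "10.10.10.10"}, "1:10")]
# Same rules, but the specific filter is given prio 0 and the broad one 7.
BAD = [Filter(0, {"src": "10.10.10.10", "sport": 80}, "1:11"),
       Filter(7, {"src": "10.10.10.10"}, "1:10")]

if __name__ == "__main__":
    http = {"src": "10.10.10.10", "sport": 80}
    print(classify(http, GOOD, "1:5"), classify(http, BAD, "1:5"))
    print([f.flowid for f in shadowed(BAD)])
```

Running shadowed() over a rule set before loading it flags a specific filter that a broader, earlier-evaluated filter will always pre-empt.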
On 5/5/07, Andy Furniss <lists@andyfurniss.entadsl.com> wrote:
> Salatiel Filho wrote:
>
> > Well, I am having a few troubles making this work.
> > I have something like this in pseudo tc rulez :)
> > Root class
> > Class 1 parent ROOT prio 0 filter u32 match sport 80 dst 10.0.0.254
> > Class 2 parent ROOT prio 0 filter u32 match dport 22
> > Class 3 parent ROOT prio 7 filter u32 match dst 10.0.0.254
> > default
> >
> > Shouldn't traffic from source port 80 and destination 10.0.0.254 go
> > through class 1?
> > I cannot find a way to make this work; traffic to 10.0.0.254 is always
> > falling into class 3 :/
> > Am I missing something?
>
> prio 1 is the top prio for filters; 0 ends up much lower.
>
> I think two prio 1s should work in order of entry, but I would use 1 and
> 2 to be sure. I have seen reverse order of entry if you don't use prio
> at all ...
>
> tc -s filter ls dev $DEV parent X:Y
>
> should help you see what's going on.
>
> Andy.

Changed to this:

tc qdisc add dev imq1 root handle 1: htb default 5 r2q 1
tc class add dev imq1 parent 1: classid 1:5 htb rate 8kbit ceil 8kbit prio 7 quantum 1500 # DEFAULT

tc class add dev imq1 parent 1: classid 1:2 htb rate 1024kbit ceil 1024kbit prio 0 quantum 1500
tc filter add dev imq1 parent 1: protocol ip prio 1 u32 match ip dst 192.168.10.1 match ip sport 80 0xffff flowid 1:2 # FROM HTTP DEST TO 192.168.10.1

tc class add dev imq1 parent 1: classid 1:3 htb rate 1024kbit ceil 1024kbit prio 0 quantum 1500
tc class add dev imq1 parent 1:3 classid 1:900 htb rate 1024kbit ceil 1024kbit prio 7 quantum 1500
tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip dst 192.168.10.1 flowid 1:900 # ANY OTHER TRAFFIC TO 192.168.10.1

But all traffic is still flowing to 1:900 :/

-- 
[]'s
Salatiel

"The greatest pleasure of the intelligent is to play the idiot in front of an idiot who plays the intelligent."
Salatiel Filho wrote:
> On 5/5/07, Andy Furniss <lists@andyfurniss.entadsl.com> wrote:
> > Salatiel Filho wrote:
> >
> > > Well, I am having a few troubles making this work.
> > > I have something like this in pseudo tc rulez :)
> > > Root class
> > > Class 1 parent ROOT prio 0 filter u32 match sport 80 dst 10.0.0.254
> > > Class 2 parent ROOT prio 0 filter u32 match dport 22
> > > Class 3 parent ROOT prio 7 filter u32 match dst 10.0.0.254
> > > default
> > >
> > > Shouldn't traffic from source port 80 and destination 10.0.0.254 go
> > > through class 1?
> > > I cannot find a way to make this work; traffic to 10.0.0.254 is always
> > > falling into class 3 :/
> > > Am I missing something?
> >
> > prio 1 is the top prio for filters; 0 ends up much lower.
> >
> > I think two prio 1s should work in order of entry, but I would use 1 and
> > 2 to be sure. I have seen reverse order of entry if you don't use prio
> > at all ...
> >
> > tc -s filter ls dev $DEV parent X:Y
> >
> > should help you see what's going on.
> >
> > Andy.
>
> Changed to this:
>
> tc qdisc add dev imq1 root handle 1: htb default 5 r2q 1
> tc class add dev imq1 parent 1: classid 1:5 htb rate 8kbit ceil 8kbit
> prio 7 quantum 1500 # DEFAULT
>
> tc class add dev imq1 parent 1: classid 1:2 htb rate 1024kbit ceil
> 1024kbit prio 0 quantum 1500
> tc filter add dev imq1 parent 1: protocol ip prio 1 u32 match ip dst
> 192.168.10.1 match ip sport 80 0xffff flowid 1:2 # FROM HTTP DEST TO
> 192.168.10.1
>
> tc class add dev imq1 parent 1: classid 1:3 htb rate 1024kbit ceil
> 1024kbit prio 0 quantum 1500
> tc class add dev imq1 parent 1:3 classid 1:900 htb rate 1024kbit ceil
> 1024kbit prio 7 quantum 1500
> tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip dst
> 192.168.10.1 flowid 1:900 # ANY OTHER TRAFFIC TO 192.168.10.1
>
> But all traffic is still flowing to 1:900 :/

Hmm that should work - as long as imq1 hooks in prerouting and after nat if it goes to 1:900 and not 1:5 I suppose it is seeing the address OK.

This is ingress traffic and you are downloading from an http server?

The way you have set up htb the classes won't share bandwidth.

What does tc -s filter ls dev imq1 show?

Andy.
On 5/5/07, Andy Furniss <lists@andyfurniss.entadsl.com> wrote:
> Salatiel Filho wrote:
> > On 5/5/07, Andy Furniss <lists@andyfurniss.entadsl.com> wrote:
> > > Salatiel Filho wrote:
> > >
> > > > Well, I am having a few troubles making this work.
> > > > I have something like this in pseudo tc rulez :)
> > > > Root class
> > > > Class 1 parent ROOT prio 0 filter u32 match sport 80 dst 10.0.0.254
> > > > Class 2 parent ROOT prio 0 filter u32 match dport 22
> > > > Class 3 parent ROOT prio 7 filter u32 match dst 10.0.0.254
> > > > default
> > > >
> > > > Shouldn't traffic from source port 80 and destination 10.0.0.254 go
> > > > through class 1?
> > > > I cannot find a way to make this work; traffic to 10.0.0.254 is always
> > > > falling into class 3 :/
> > > > Am I missing something?
> > >
> > > prio 1 is the top prio for filters; 0 ends up much lower.
> > >
> > > I think two prio 1s should work in order of entry, but I would use 1 and
> > > 2 to be sure. I have seen reverse order of entry if you don't use prio
> > > at all ...
> > >
> > > tc -s filter ls dev $DEV parent X:Y
> > >
> > > should help you see what's going on.
> > >
> > > Andy.
> >
> > Changed to this:
> >
> > tc qdisc add dev imq1 root handle 1: htb default 5 r2q 1
> > tc class add dev imq1 parent 1: classid 1:5 htb rate 8kbit ceil 8kbit
> > prio 7 quantum 1500 # DEFAULT
> >
> > tc class add dev imq1 parent 1: classid 1:2 htb rate 1024kbit ceil
> > 1024kbit prio 0 quantum 1500
> > tc filter add dev imq1 parent 1: protocol ip prio 1 u32 match ip dst
> > 192.168.10.1 match ip sport 80 0xffff flowid 1:2 # FROM HTTP DEST TO
> > 192.168.10.1
> >
> > tc class add dev imq1 parent 1: classid 1:3 htb rate 1024kbit ceil
> > 1024kbit prio 0 quantum 1500
> > tc class add dev imq1 parent 1:3 classid 1:900 htb rate 1024kbit ceil
> > 1024kbit prio 7 quantum 1500
> > tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip dst
> > 192.168.10.1 flowid 1:900 # ANY OTHER TRAFFIC TO 192.168.10.1
> >
> > But all traffic is still flowing to 1:900 :/
>
> Hmm that should work - as long as imq1 hooks in prerouting and after nat
> if it goes to 1:900 and not 1:5 I suppose it is seeing the address OK.

Yes, IMQ hooks in prerouting after nat; I have a very odd setup.

> This is ingress traffic and you are downloading from an http server?

Yeah :)

> The way you have set up htb the classes won't share bandwidth.

I know, I need this in this class; like I said, an odd setup :)

> What does tc -s filter ls dev imq1 show?

Right now I cannot copy the output here. But when I took a look I had ZERO packets going through that class :/

> Andy.

-- 
[]'s
Salatiel

"The greatest pleasure of the intelligent is to play the idiot in front of an idiot who plays the intelligent."