Hi. I want to drop silently locally generated packets on a specific interface. I tried 2 approaches:

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb
tc filter add dev eth0 parent 1: proto ip u32 match ip dst 10.10.10.1 flowid 1:1 police conform-exceed drop/drop

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: prio bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
tc qdisc add dev eth0 parent 1:2 handle 3:0 netem drop 100
tc filter add dev eth0 parent 1: proto ip u32 match ip dst 10.10.10.1 flowid 1:2

Both work (drop the packets to 10.10.10.1 and pass any others), but when I run "ping 10.10.10.1" I get after some time continuously "ping: sendmsg: No buffer space available". Any idea why this is happening? As well, how could I drop packets without the application being able to detect it?

Thanks much,
Alexander
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Aleksandar Kostadinov
2007-May-16 22:14 UTC
Re: Re: drop silently locally generated packets
On 5/16/07, Gustin Johnson <gjohnson@equinox-eng.com> wrote:
> Is there a reason you are not using iptables to drop these packets?

Yes. First, it is not invisible for the application (try yourself with ping). If I use QUEUE though, it's really transparent. Ask the netfilter guys why. But I need these packets to be received locally, and that's why iptables can't help. I mean, I give an example using ping, but I am actually going to handle multicast packets that have to be received by other local processes. I just don't want these to go out of the machine. Applications are not in my control to change TTL or whatever.

The solutions I propose seem to work fine, but I'm not sure if there aren't any side effects that could appear depending on how the application has been written. The only thing returning errors I've found is ping, but how could I know if any application I'm running will work fine? The other tool I could try is mrouted, but I think there should be an easier way.

> This drops packets originating on the Linux box
> iptables -A OUTPUT -d 10.10.10.1 -j DROP
>
> The following drops packets that originate elsewhere (such as a NAT'd LAN)
> iptables -A FORWARD -d 10.10.10.1 -j DROP
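As an added check (not part of the thread), here is a small shell helper that reads the output of `tc -s qdisc show dev eth0` and reports the "dropped" counter of the netem qdisc from the second approach (handle 3:0, which tc displays as "3:"), so you can confirm the u32 filter is actually steering the 10.10.10.1 traffic into the drop band instead of relying on ping's error messages. The stats text embedded below is constructed sample output, not a capture from the poster's machine.

```shell
#!/bin/sh
# Added example: verify that the netem "drop 100" qdisc is the one
# discarding packets, by reading the dropped counter from tc statistics.

# Constructed sample of `tc -s qdisc show dev eth0` after the prio+netem
# setup from the thread (netem "drop 100" is displayed by tc as "loss 100%").
SAMPLE_TC_STATS='qdisc prio 1: root refcnt 2 bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 Sent 6840 bytes 57 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc netem 3: parent 1:2 limit 1000 loss 100%
 Sent 0 bytes 0 pkt (dropped 9, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0'

# netem_dropped STATS HANDLE
#   Prints the "dropped" packet count of the netem qdisc whose handle is
#   HANDLE (e.g. "3:"), or "missing" if no such netem qdisc is listed.
netem_dropped() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # Each "qdisc ..." header line starts a new block; remember whether
        # it is the netem qdisc we are looking for.
        /^qdisc / { cur = ($2 == "netem" && $3 == want) }
        # The first stats line of that block carries "(dropped N, ...)".
        cur && /dropped/ {
            sub(/.*dropped /, ""); sub(/,.*/, "")
            print; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# Live use (needs root and the qdisc tree from the thread in place):
#   netem_dropped "$(tc -s qdisc show dev eth0)" 3:
# With the constructed sample above this reports 9 dropped packets.
netem_dropped "$SAMPLE_TC_STATS" 3:
```

Run ping against 10.10.10.1 a few times and call the helper again: if the counter grows, the filter and the netem band are doing the dropping; if it stays flat while ping still reports errors, the packets are being lost somewhere else in the path.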