Ming-Ching Tiew
2007-Aug-16 09:20 UTC
Unable to match/classify non-icmp traffic with TOS bigger than 0x10
This problem is driving me nuts, so I am seeking help here. Your help will be deeply appreciated.

I have made myself a Linux bridge with eth1 and eth0 to form br0. Then I run a script to configure tc with htb on it. But I can never match non-icmp traffic (such as tcp and udp) with TOS or DSCP values such as 0x68.

The full story is as follows:

1. On the source testing machine, I do this to set the tos and dscp settings:

(A)
    iptables -t mangle -A OUTPUT -j TOS --set-tos 0x10
    (to make ssh tos value 0x10)

or

(B)
    iptables -t mangle -A OUTPUT -j DSCP --set-dscp 0x1a
    (to make ssh DSCP value 0x68)

2. Then on the bridge machine, I have tc filter as follows:

(A)
    tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
        match ip tos 0x10 0xfc flowid 1:10
    tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
        match ip tos 0x10 0xfc flowid 1:10

Then I do a ssh login to side B of the bridge from side A. It shows that the traffic has been classified correctly.

(B)
    tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
        match ip tos 0x68 0xfc flowid 1:10
    tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
        match ip tos 0x68 0xfc flowid 1:10

Then I do a ssh login to side B of the bridge from side A, and the traffic has not been classified correctly. The class 1:10 picks up zero traffic.

(C) However, if I ping side B of the bridge from side A, it shows that icmp could be classified into class 1:10.

Why is it just not possible to classify anything other than icmp?

Regards.
Salim S I
2007-Aug-17 02:47 UTC
RE: Unable to match/classify non-icmp traffic with TOS bigger than 0x10
Is it because the TOS and DSCP values are different?
Salim S I
2007-Aug-17 02:58 UTC
RE: Unable to match/classify non-icmp traffic with TOS bigger than 0x10
Sorry, I hadn't seen 0x68 match.
Salim S I
2007-Aug-17 03:03 UTC
RE: Unable to match/classify non-icmp traffic with TOS bigger than 0x10
Did you try to capture the packets with tcpdump or something and check the TOS field? Was it correct? I had a similar setup before, though not a bridge, and it worked.
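
Added example, not part of the thread and not code from any of the posters: one way to do the check suggested above offline, by reading the TOS byte out of raw Ethernet frames and applying the same value/mask comparison as filter (B). The frames are constructed samples and all function names are hypothetical.

```python
import struct
ETH_P_IP = 0x0800                      # what "protocol ip" selects in tc
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def dscp_to_tos(dscp):
    """DSCP is the upper six bits of the TOS byte; the low two bits are ECN."""
    return (dscp & 0x3F) << 2

def make_frame(tos, proto, ethertype=ETH_P_IP):
    """Constructed sample: made-up MACs, minimal IPv4 header, checksum left 0."""
    eth = bytes.fromhex("020000000002020000000001") + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip

def parse_frame(frame):
    """Return (ethertype, tos, ip_proto) for an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_IP:
        return ethertype, None, None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    return ethertype, ip[1], ip[9]      # byte 1 = TOS, byte 9 = protocol

def u32_tos_match(frame, value, mask):
    """Same comparison as 'protocol ip ... u32 match ip tos VALUE MASK'."""
    ethertype, tos, _ = parse_frame(frame)
    return ethertype == ETH_P_IP and (tos & mask) == (value & mask)

def classify(frames, value=0x68, mask=0xFC):
    """Per frame: (protocol name, TOS byte, would filter (B) match?)."""
    rows = []
    for f in frames:
        _, tos, proto = parse_frame(f)
        name = "non-ip" if proto is None else PROTO.get(proto, str(proto))
        rows.append((name, tos, u32_tos_match(f, value, mask)))
    return rows

SAMPLES = [                              # all constructed, not captured traffic
    make_frame(dscp_to_tos(0x1A), 6),         # tcp marked with --set-dscp 0x1a
    make_frame(dscp_to_tos(0x1A) | 0x02, 1),  # icmp, same DSCP plus an ECN bit
    make_frame(0x10, 6),                      # tcp marked with --set-tos 0x10
    make_frame(0, 0, ethertype=0x0806),       # non-IP ethertype
]
if __name__ == "__main__":
    for name, tos, hit in classify(SAMPLES):
        print(name, "-" if tos is None else hex(tos), "match" if hit else "no match")
```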