Displaying 20 results from an estimated 60 matches for "nexthdr".
2002 Dec 02
1
ipip and nexthdr
...and experimentation, I am in a dead
end...
I am using several IPIP tunnels (linux ipip module, IP protocol 4).
I'd like to filter packets going through these tunnels to different
classes, on the ingress device, based on source and destination IP
_INSIDE THE TUNNEL_.
First I tried the nexthdr bit. As explained in LARTC, nexthdr jumps to
the next header in the packet, so I figured if it works for TCP, it
should also work for IP in IP, but it didn't.
I looked at some ICMP echo request/reply packets with tcpdump dumping
packet contents in hex.
The IP header is 20 bytes. I trie...
2001 Jun 29
1
u32 nexthdr problem
I'm having trouble with nexthdr.
tc filter add dev eth0 protocol ip parent 10:0 prio 1 u32 \
match ip protocol 0x6 0xff match u8 0x02 0x12 at nexthdr+13 flowid 10:3
fails to match my test packets whereas
tc filter add dev eth0 protocol ip parent 10:0 prio 1 u32 \
match ip protocol 0x6 0xff match u8 0x02 0x12 at 33 flowid 10:...
2001 Dec 08
0
tc filter u32 nexthdr, chained filters?
Hi.
Is there anyone who has understood of how u32 nexthdr addressing is supposed
to work? (including the "tcp/icmp/.." matches who implicitly uses nexthdr)
From reading the kernel code it apparently is using the location set by
"offset at", but this seems to only be evaluated on hash parents, and only
for its children.....
2001 Jul 04
0
u32 nexthdr -> iptables --protocol tcp
I still think that nexthdr should be fixed, but I'd like to mention
that iptables --protocol tcp can do pretty much the same thing.
That is,
tc filter add dev $1 protocol ip parent 10:0 prio 1 u32 \
match ip protocol 0x6 0xff match u8 0x02 0x16 at nexthdr+13 flowid 10:3
can be replaced by
iptables -A PREROUTING...
2001 Dec 13
14
tc: u32 match in nexthdr not working?
Hello,
it seems, that filtering on nexthdr (TCP/UDP) content, especially
src or dst port, is not working.
The following has no effect on 2.4.16 or older (even 2.2) kernels:
# tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match tcp
dst 3128 0xffff police rate 40kbit burst 10k drop flowid :1
Even if
# tc filter ls dev eth0 pa...
2014 Oct 21
2
IPv6 UFO for VMs
...ivers/net/tun.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
drivers/net/virtio_net.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
Our implementation of UFO for IPv6 does:
fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
fptr->nexthdr = nexthdr;
fptr->reserved = 0;
fptr->identification = skb_shinfo(skb)->ip6_frag_id;
which assumes ip6_frag_id has been set. That's only true if the local
stack constructed the skb; otherwise it appears we get zero.
This seems to be a regression as a result of:
commit 916e4cf46d...
2007 Aug 29
5
HTB does not respect the prio parameter
...1:40 htb rate 1000kbit ceil 55000kbit prio 3
quantum 60000 && \
/bin/tc filter add dev eth0 parent 1:0 prio 99 handle 2: protocol ip u32 divisor 256 && \
/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
ht 2:0: \
match u8 0x06 0xff at 9 \
match u8 0x10 0xff at nexthdr+13 \
flowid 1:10 && \
/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
ht 2:0: \
match u8 0x06 0xff at 9 \
match u16 0x2711 0xffff at nexthdr+2 \
flowid 1:20 && \
/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
ht 2:0: \
match u8 0x06 0...
2005 Nov 25
0
[RESEND] tc filter: match tcp src vs. match ip sport
Hi all :))
Sorry for asking again, but got no answers and google doesn't
give useful information (seems like "nexthdr" doesn't work right, but
I don't know why...). I really want to know what am I doing wrong...
This filter matches what I want:
tc filter add dev eth0 protocol ip parent 1:0 prio 9 u32\
match ip sport 0x3000 0xf000 flowid 1:22
and traffic goes to...
2014 May 28
1
[Bug 946] New: Cannot invert a protocol: ip protocol != tcp
...$ sudo nft add rule ip test input ip protocol != icmp
* We list the table test, and It shows this problem:
$ sudo nft -nn list table ip test
nft: src/payload.c:76: payload_expr_pctx_update: Assertion `expr->op == OP_EQ'
failed.
Also, we can reproduce it in the following cases:
- ah with nexthdr:
* We add the following rule, and It does not show any error.
$ sudo nft add rule ip test input ah nexthdr != esp
* We list the table test, It shows the following problem:
$ sudo nft -nn list table ip test
nft: src/payload.c:76: payload_expr_pctx_update: Assertion `expr->op == OP_EQ'
fail...
2013 Nov 28
4
[PATCH net] xen-netback: fix fragment detection in checksum setup
...fall through */
+ case IPPROTO_FRAGMENT: {
+ struct frag_hdr *hp = (void *)(skb->data + off);
+
+ header_size = skb->network_header +
+ off +
+ sizeof(struct frag_hdr);
+ maybe_pull_tail(skb, header_size);
+
+ if (ntohs(hp->frag_off) & 0xFFF9)
+ fragment = true;
+
+ nexthdr = hp->nexthdr;
+ off += sizeof(struct frag_hdr);
+ break;
+ }
default:
done = true;
break;
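Review bot: in the IPPROTO_FRAGMENT case, hp is computed from skb->data + off before maybe_pull_tail(skb, header_size) runs and is dereferenced after it (hp->frag_off, hp->nexthdr). If the pull reallocates the skb head, hp refers to the old buffer. Assign hp after the pull so the fragment header is read from the current skb->data. The 0xFFF9 mask would also read more clearly as the named offset and more-fragments constants.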
--
1.7.10.4
2007 Sep 07
1
tc filter syntax (and general noobness)
...ader, I
am having difficulty getting the rest of the field. Mostly, it has to do
with offsets and which uX to use.
So, going off of what I think is correct, I have come up with this:
tc filter add dev eth1 parent 2: protocol ip prio 10 u32 match ip
protocol 6 match u32 0xff534d42 0xffffffff at nexthdr+23 flowid 2:50
I seriously doubt this is the proper way to match a Samba header.
So my question is this. How do I identify where the offset is for a
given header? I assume that (going off the LARTC How To) I can look at
output from wireshark and simply count to the field I am after. (This is...
2008 Sep 12
4
Custom build kernel patch fails big time.
...+static inline void ipip_ecn_decapsulate(struct sk_buff *skb)
+{
+ struct iphdr *outer_iph = skb->nh.iph;
+ struct iphdr *inner_iph = skb->h.ipiph;
+
+ if (INET_ECN_is_ce(outer_iph->tos))
+ IP_ECN_set_ce(inner_iph);
+}
+
static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi,
u32 *seq)
{
switch (nexthdr) {
@@ -103,11 +113,11 @@
xfrm_vec[xfrm_nr++] = x;
- if (x->mode->input(x, skb))
+ if (x->mode->input(x, skb))
goto drop;
-
+
if (x->props.mode) {
- decaps = 1;
+...
2015 Jan 26
0
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
...htonl(id));
}
EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
+void ipv6_skb_set_fragid(struct sk_buff *skb, __be32 frag_id)
+{
+ skb_shinfo(skb)->ip6_frag_id = frag_id;
+ skb->ufo_fragid_set = 1;
+}
+EXPORT_SYMBOL_GPL(ipv6_skb_set_fragid);
+
int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
{
u16 offset = sizeof(struct ipv6hdr);
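Review bot: ipv6_skb_set_fragid() is exported with no comment, and it is the only visible place that keeps ip6_frag_id and ufo_fragid_set in step. Add a short comment above it stating that callers must set the id through this helper instead of writing skb_shinfo(skb)->ip6_frag_id directly, otherwise the flag stays clear and the id is treated as unset.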
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
index b6aa8ed..7cda88d 100644
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -52,6 +52,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
skb_shinfo(skb)->g...
2019 Oct 10
13
[Bug 1371] New: Concatenations Literal sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1371
Bug ID: 1371
Summary: Concatenations Literal sets
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter:
2015 Feb 03
0
[PATCH v3 net 1/3] ipv6: Select fragment id during UFO segmentation if not set.
..._once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
+
+ id = __ipv6_select_ident(ip6_idents_hashrnd, &rt->rt6i_dst.addr,
+ &rt->rt6i_src.addr);
+ fhdr->identification = htonl(id);
+}
+EXPORT_SYMBOL(ipv6_select_ident);
+
int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
{
u16 offset = sizeof(struct ipv6hdr);
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
index b6aa8ed..a562769 100644
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -52,6 +52,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
skb_shinfo(skb)->g...
2004 Feb 26
1
ESFQ Modification
...(iph->protocol == IPPROTO_TCP ||
@@ -137,6 +139,7 @@
struct ipv6hdr *iph = skb->nh.ipv6h;
h = iph->daddr.s6_addr32[3];
hs = iph->saddr.s6_addr32[3];
+ nfm = skb->nfmark;
h2 = hs^iph->nexthdr;
if (iph->nexthdr == IPPROTO_TCP ||
iph->nexthdr == IPPROTO_UDP ||
@@ -148,6 +151,7 @@
h = (u32)(unsigned long)skb->dst;
hs = (u32)(unsigned long)skb->sk;
h2 = hs^skb->protocol;
+ nfm =...
2013 Sep 04
6
[Bridge] bride: IPv6 multicast snooping enhancements
Hi,
Here are two, small feature changes I would like to submit to increase
the usefulness of the multicast snooping of the bridge code.
The first patch is an unaltered one I had submitted before, but since it
got no feedback I'm resubmitting it here for net-next. With the recently
added patch to disable snooping if there is no querier (b00589af + 248ba8ec05
+ 8d50af4fb), it should be a safe