search for: nexthdr

...and experimentation, I am in a dead end... I am using several IPIP tunnels (linux ipip module, IP protocol 4). I''d like to filter packets going through these tunnes to different classes, on the ingress device, based on source and destination IP _INSIDE THE TUNNEL_. First I tried the nexthdr bit. As explained in LARTC, nexthdr jumps to the next header in the packet, so I figured if it works for TCP, it should also work for IP in IP, but it didn''t. I looked at some ICMP echo request/reply packets with tcpdump dumping packet contents in hex. The IP header is 20 bytes. I trie...

I''m having trouble with nexthdr. tc filter add dev eth0 protocol ip parent 10:0 prio 1 u32 \ match ip protocol 0x6 0xff match u8 0x02 0x12 at nexthdr+13 flowid 10:3 fails to match my test packets whereas tc filter add dev eth0 protocol ip parent 10:0 prio 1 u32 \ match ip protocol 0x6 0xff match u8 0x02 0x12 at 33 flowid 10:...

Hi. Is there anyone who has understood of how u32 nexthdr addressing is supposed to work? (including the "tcp/icmp/.." matches who implicitly uses nexthdr) From reading the kernel code it apparently is using the location set by "offset at", but this seems to only be evaluated on hash parents, and only for it''s children.....

I still think that nexthdr should be fixed, but I''d like to mention that iptables --protocol tcp can do pretty much the same thing. That is, tc filter add dev $1 protocol ip parent 10:0 prio 1 u32 \ match ip protocol 0x6 0xff match u8 0x02 0x16 at nexthdr+13 flowid 10:3 can be replaced by iptables -A PREROUTING...

Hello, it seems, that filtering on nexthdr (TCP/UDP) content, especially src or dst port, is not working. The following has no effect on 2.4.16 or older (even 2.2) kernels: # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match tcp dst 3128 0xffff police rate 40kbit burst 10k drop flowid :1 Even if # tc filter ls dev eth0 pa...

...ivers/net/tun.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP; drivers/net/virtio_net.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP; Our implementation of UFO for IPv6 does: fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); fptr->nexthdr = nexthdr; fptr->reserved = 0; fptr->identification = skb_shinfo(skb)->ip6_frag_id; which assumes ip6_frag_id has been set. That's only true if the local stack constructed the skb; otherwise it appears we get zero. This seems to be a regression as a result of: commit 916e4cf46d...

...ivers/net/tun.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP; drivers/net/virtio_net.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP; Our implementation of UFO for IPv6 does: fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); fptr->nexthdr = nexthdr; fptr->reserved = 0; fptr->identification = skb_shinfo(skb)->ip6_frag_id; which assumes ip6_frag_id has been set. That's only true if the local stack constructed the skb; otherwise it appears we get zero. This seems to be a regression as a result of: commit 916e4cf46d...

...1:40 htb rate 1000kbit ceil 55000kbit prio 3 quantum 60000 && \ /bin/tc filter add dev eth0 parent 1:0 prio 99 handle 2: protocol ip u32 divisor 256 && \ /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \ ht 2:0: \ match u8 0x06 0xff at 9 \ match u8 0x10 0xff at nexthdr+13 \ flowid 1:10 && \ /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \ ht 2:0: \ match u8 0x06 0xff at 9 \ match u16 0x2711 0xffff at nexthdr+2 \ flowid 1:20 && \ /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \ ht 2:0: \ match u8 0x06 0...

Hi all :)) Sorry for asking again, but got no answers and google doesn''t give useful information (seems like "nexthdr" doesn''t work right, but I don''t know why...). I really want to know what am I doing wrong... This filter matches what I want: tc filter add dev eth0 protocol ip parent 1:0 prio 9 u32\ match ip sport 0x3000 0xf000 flowid 1:22 and traffic goes to...

...$ sudo nft add rule ip test input ip protocol != icmp * We list the table test, and It shows this problem: $ sudo nft -nn list table ip test nft: src/payload.c:76: payload_expr_pctx_update: Assertion `expr->op == OP_EQ' failed. Also, we can reproduce it in the following cases: - ah with nexthdr: * We add the following rule, and It does not show any error. $ sudo nft add rule ip test input ah nexthdr != esp * We list the table test, It shows the following problem: $ sudo nft -nn list table ip test nft: src/payload.c:76: payload_expr_pctx_update: Assertion `expr->op == OP_EQ' fail...

...fall through */ + case IPPROTO_FRAGMENT: { + struct frag_hdr *hp = (void *)(skb->data + off); + + header_size = skb->network_header + + off + + sizeof(struct frag_hdr); + maybe_pull_tail(skb, header_size); + + if (ntohs(hp->frag_off) & 0xFFF9) + fragment = true; + + nexthdr = hp->nexthdr; + off += sizeof(struct frag_hdr); + break; + } default: done = true; break; -- 1.7.10.4

...ader, I am having difficulty getting the rest of the field. Mostly, it has to do with offsets and which uX to use. So, going off of what I think is correct, I have come up with this: tc filter add dev eth1 parent 2: protocol ip prio 10 u32 match ip protocol 6 match u32 0xff534d42 0xffffffff at nexthdr+23 flowid 2:50 I seriously doubt this is the proper way to match a Samba header. So my question is this. How do I identify where the offset is for a given header? I assume that (going off the LARTC How To) I can look at output from wireshark and simply count to the field I am after. (This is...

...+static inline void ipip_ecn_decapsulate(struct sk_buff *skb) +{ + struct iphdr *outer_iph = skb->nh.iph; + struct iphdr *inner_iph = skb->h.ipiph; + + if (INET_ECN_is_ce(outer_iph->tos)) + IP_ECN_set_ce(inner_iph); +} + static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq) { switch (nexthdr) { @@ -103,11 +113,11 @@ xfrm_vec[xfrm_nr++] = x; - if (x->mode->input(x, skb)) + if (x->mode->input(x, skb)) goto drop; - + if (x->props.mode) { - decaps = 1; +...

...htonl(id)); } EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); +void ipv6_skb_set_fragid(struct sk_buff *skb, __be32 frag_id) +{ + skb_shinfo(skb)->ip6_frag_id = frag_id; + skb->ufo_fragid_set = 1; +} +EXPORT_SYMBOL_GPL(ipv6_skb_set_fragid); + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) { u16 offset = sizeof(struct ipv6hdr); diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c index b6aa8ed..7cda88d 100644 --- a/net/ipv6/udp_offload.c +++ b/net/ipv6/udp_offload.c @@ -52,6 +52,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, skb_shinfo(skb)->g...

...htonl(id)); } EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); +void ipv6_skb_set_fragid(struct sk_buff *skb, __be32 frag_id) +{ + skb_shinfo(skb)->ip6_frag_id = frag_id; + skb->ufo_fragid_set = 1; +} +EXPORT_SYMBOL_GPL(ipv6_skb_set_fragid); + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) { u16 offset = sizeof(struct ipv6hdr); diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c index b6aa8ed..7cda88d 100644 --- a/net/ipv6/udp_offload.c +++ b/net/ipv6/udp_offload.c @@ -52,6 +52,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, skb_shinfo(skb)->g...

https://bugzilla.netfilter.org/show_bug.cgi?id=1371 Bug ID: 1371 Summary: Concatenations Literal sets Product: nftables Version: unspecified Hardware: x86_64 OS: other Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter:

..._once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); + + id = __ipv6_select_ident(ip6_idents_hashrnd, &rt->rt6i_dst.addr, + &rt->rt6i_src.addr); + fhdr->identification = htonl(id); +} +EXPORT_SYMBOL(ipv6_select_ident); + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) { u16 offset = sizeof(struct ipv6hdr); diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c index b6aa8ed..a562769 100644 --- a/net/ipv6/udp_offload.c +++ b/net/ipv6/udp_offload.c @@ -52,6 +52,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, skb_shinfo(skb)->g...

..._once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); + + id = __ipv6_select_ident(ip6_idents_hashrnd, &rt->rt6i_dst.addr, + &rt->rt6i_src.addr); + fhdr->identification = htonl(id); +} +EXPORT_SYMBOL(ipv6_select_ident); + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) { u16 offset = sizeof(struct ipv6hdr); diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c index b6aa8ed..a562769 100644 --- a/net/ipv6/udp_offload.c +++ b/net/ipv6/udp_offload.c @@ -52,6 +52,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, skb_shinfo(skb)->g...

...(iph->protocol == IPPROTO_TCP || @@ -137,6 +139,7 @@ struct ipv6hdr *iph = skb->nh.ipv6h; h = iph->daddr.s6_addr32[3]; hs = iph->saddr.s6_addr32[3]; + nfm = skb->nfmark; h2 = hs^iph->nexthdr; if (iph->nexthdr == IPPROTO_TCP || iph->nexthdr == IPPROTO_UDP || @@ -148,6 +151,7 @@ h = (u32)(unsigned long)skb->dst; hs = (u32)(unsigned long)skb->sk; h2 = hs^skb->protocol; + nfm =...

Hi, Here are two, small feature changes I would like to submit to increase the usefulness of the multicast snooping of the bridge code. The first patch is an unaltered one I had submitted before, but since it got no feedback I'm resubmitting it here for net-next. With the recently added patch to disable snooping if there is no querier (b00589af + 248ba8ec05 + 8d50af4fb), it should be a safe