similar to: u32 filter for payload

Displaying 20 results from an estimated 90000 matches similar to: "u32 filter for payload"

2003 Jan 05
1
U32 filter for IPSEC (ESP)
Hi all, After reading a lot and searching on the Internet, I want to filter ASP and/or AH traffic. According to /etc/protocols ESP and AH are IP protos 50 and 51 so this u32 filter should work? (I can use fw filter because the firewall/VPN can't mark packets :-( tc filter add dev ethX parent X:0 protocol ip prio X u32 match ip protocol 50 0xff flowid X:XX ? Can someone confirm this?
2003 May 29
1
u32 filter and NAT
I want to limit each user in my network to have limited bandwidth (let's say 256/128 kbit). I use NAT (done with iptables). Can I limit users on the outgoing interface using u32 using rules like: tc filter add dev eth0 parent 1: protocol ip prio 17 u32 match ip src 10.10.10.10 flowid 1:10 It seems I made a mistake somewhere or NAT is done before routing and I must use iptables
2002 Dec 06
0
u32 filter
Hello! What is the significance of "handle" in a u32 filter?? For example, if I have a HTB class 1:1 and three child classes 1:11, 1:12, and 1:13. Within 1:11, I define dsmark, say 2:0, and let it mark packets with certain DSCP. Now, using the u32 filter I need to classify packets of a certain flow (e.g., based on src ip address and dest port), then can someone give me an example of
2003 Nov 07
0
Understanding the U32 filter.
Hi, I am trying to understand filters. 1) Under the U32 section of the lartc howto there is an example (to match ACKs on packets smaller than 64 bytes): # tc filter add dev ppp14 parent 1:0 protocol ip prio 10 u32 \ match ip protocol 6 0xff \ match u8 0x05 0x0f at 0 \ match u16 0x0000 0xffc0 at 2 \ match u8 0x10 0xff at 33 \ flowid 1:3 The howto says 'the filter above
2003 Nov 24
1
u32 filter divisor/hashkey
Hi, I am trying to put together a hashing filter based on example provided in LARTC how-to document. I want to link two hashing filters together where first one will use 3rd octet of an IP address as hashkey and second one will use 4th octet as hash key. How do I tell mask the address so that u32 filter uses 3rd octet as hashkey? Venkatesh K
2003 Aug 16
0
offset mask usage in u32 filter
iproute2 distribution in README.iproute2+tc includes toward the end an example of usage of syntax 'offset mask' as follows: # Lookup hash table, if it is not fragmented frame # Use protocol as hash key $TC filter add dev eth1 parent 1:0 prio 5 handle ::1 u32 ht 800:: \ match ip nofrag \ offset mask 0x0F00 shift 6 \ hashkey mask 0x00ff0000 at 8 \ link 1: Also, identical
2004 Jan 22
1
IPsec and u32 filters
Hi, how can I filter IPsec traffic with u32 filters? I know IPsec needs Port 500/UDP and IP protocols 50 and 51. I know how to get the port stuff, but how can I make u32 to match the protocol number? thx, cb
2002 Nov 28
2
fw and u32 together...
hello... 1. Is it possible using u32 to filter marked packets? I have found only documents to fw filter to filter marked packets... 2. If u32 cannot filter marked packets is it possible to use fw and u32 together? I wanted to filter packets marked by iptables by fw, and packets depended on ip destination, src and others by u32, but something goes wrong :( the filters configuration is: $TC
2004 Jan 27
0
U32 filters in htb.init?
I want to use a filter to shape outbound traffic (upload from the client side) in eth0. Manually I should do this by doing something like this: tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.0.50 classid 1:59 How can I do this with HTB.init?
2003 Nov 23
4
u32 filter won't match
Hi! I really need help with a u32 filter that won't match what I think I'm telling it to. The situation is that I have set up an internal computer to change the TOS value of packets sent by certain processes to 0x1E (If anyone knows of a better way to mark packets, please tell me. I would love to find some module that adds an IP option with UIDs and GIDs to the packets - does
2005 Feb 04
1
U32 port matching trouble
Hello, I'm having some trouble with the u32 port match and that is when specifying a mask. tc filter add prio 1 dev ppp1 parent 2:0 protocol ip u32 match ip dst 0.0.0.0/0 match ip protocol 17 0xff match ip dport 27015 0xffff flowid 2:4 Using 27015 0xffff works just fine, all packets to dport 27015 go to 2:4 tc filter add prio 1 dev ppp2 parent 2:0 protocol ip u32 match ip dst
2003 Nov 13
0
prio on fw and u32
why if I place a fw filter on root I can't place the u32 filter with the same prio. filter add ... parent root prio 1 fw ... filter add ... parent root prio 1 u32 ... <-gives error, but filter add ... parent root prio 2 u32 .x.x.x.1. filter add ... parent root prio 2 u32 x.x.x.1 no problem with this... I know that the priorities tells the order at which to check them(is the order
2003 May 07
0
u32 hashing bug?
I'm hashing on a non-octet boundary, and it doesn't seem to be working. I've got this set of filters, that does work: # root tc filter add dev eth1 \ parent 1: protocol ip prio 2 \ u32 # ht tc filter add dev eth1 \ parent 1: protocol ip prio 2 \ handle 2: \ u32 divisor 256 # flow tc filter replace dev eth1 \
2004 Jul 14
1
Syntax for u32 match of src mac at offset -8
Hello All, I've been trying to figure out how to do bandwidth limiting by mac address. There are several posts on this subject, but nothing concrete. My question concerns the proper tc filter syntax to do a u32 match at a negative offset of -8 that should based on what I've read be the source mac address. I've been playing around with it, but no success yet. Any
2003 Dec 07
1
u32 hash-es ?
hi I would like to ask is the following config correct for what I want to achieve ... Scenario: I have 3 networks 192.168.12.0/24, 192.168.48.0/24, 192.168.56.0/24 and most of the users use 1 IP, some of them more... If I make flat u32-filter search the box will make approx/max 3 * 256 = 768 checks for every IP, so I'm deciding to deploy u32 hashes.. Here is the config I think to use
2003 Jan 20
3
u32: how to say "all except z.x.y"?
Hello lartc, Q1: If I want select subnet, I wrote ...u32 match ip dst a.d.r.es/net police ... How I can say "all except z.x.y" ? Both src/dest addr/port - I didn't find this info in HOWTO :((( Q2: Why I can't (or not allowed) to create more than one class into !ingress! queue? I know, it's incoming traffic? but why? it's look simply: (yes, i may be
2004 Oct 05
4
U32 Port Range
Hi all... How do i set U32 to filter a port range, instead of a single port? In normal use: source port 80 we use: "... match ip sport 80 0xffff ..." - I know that is something about the 0xffff parameter.... I need to filter ports 1 ~ 1024 to a higher priority class... i tried with IPTABLES MARK and TC FW, but it's not working.... (...) # iptables -t mangle -A PREROUTING -p
2005 Dec 17
0
handle and u32 selector
Dear all, i have a query about the related subject. As per stated, i have created the filter rules using handle selector for packet shaping purpose of ssh, www, etc. It's working nicely. Again i want to this rule to work as global for the two different network. If i was not wrong, i have created the rules as tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src
2004 Jan 27
1
Filter not listed for firewall filter - and not running!
Hello all, I am having some trouble getting a firewall filter to work with TC. I am actually setting the mark via EBTables (which is working as far as I can tell, I am also logging the packet and my syslog reports lots of marks): ebtables -t broute -A BROUTING -p ipv4 -i eth1 -s 08:00:46:60:B3:57 -j mark --set-mark 7 --mark-target CONTINUE --log --log-level debug --log-prefix "EBFW Mark
2005 Feb 01
6
combining fw and u32
Is it possible to create 1 filter rule using fw selectors AND u32 selectors? Richard.