similar to: U32 Matches help!

Would anyone care to give me an example of how I would go about matching TCP Sequence numbers, TCP ACK numbers and window sizes, ttl, and ip id in a u32 filter? (or if there is a better way of doing this)... Thanks! Paul _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hello Thilo, What did you find superior with CBQ-wondershaper over HTB-wondershaper? We have not been using wondershaper specifically but our simple tests so far seem to show that htb is much easier to configure for a given target shape (i.,e accurate) compared to CBQ. Torsten -----Original Message----- From: Thilo Schulz [mailto:arny@ats.s.bawue.de] Sent: Saturday, June 14, 2003 8:55 AM To:

Hi, what is needed to activate ingress policies for enterprise server 9! My current loaded modules: in the attachments my kernel: Linux linux 2.6.5-7.97-smp #1 SMP Fri Jul 2 14:21:59 UTC 2004 i686 i686 i386 GNU/Linux So you can see the module sch_ingress is loaded and also the package iprout2 is installed. I have set also a filter for ingress policies but i don`t think it is working,

Hello, I''m having some trouble with the u32 port match and that is when specifying a mask. tc filter add prio 1 dev ppp1 parent 2:0 protocol ip u32 match ip dst 0.0.0.0/0 match ip protocol 17 0xff match ip dport 27015 0xffff flowid 2:4 Using 27015 0xffff works just fine, all packets to dport 27015 go to 2:4 tc filter add prio 1 dev ppp2 parent 2:0 protocol ip u32 match ip dst

Hello All, I''ve been trying to figure out how to do bandwidth limiting by mac address. There are several posts on this subject, but nothing concrete. My question concerns the proper tc filter syntax to do a u32 match at a negative offset of -8 that should based on what I''ve read be the source mac address. I''ve been plating around with it, but no success yet. Any

Hi, I am trying to understand filters. 1) Under the U32 section of the lartc howto there is an example (to match ACKs on packets smaller than 64 bytes): # tc filter add dev ppp14 parent 1:0 protocol ip prio 10 u32 \ match ip protocol 6 0xff \ match u8 0x05 0x0f at 0 \ match u16 0x0000 0xffc0 at 2 \ match u8 0x10 0xff at 33 \ flowid 1:3 The howto says ''the filter above

hello... 1. Is it possible using u32 to filter marked packets? I have found only documents to fw filter to filter marked packets... 2. If u32 cannot filter marked packets is it possible to use fw and u32 together? I wanted to filter packets marked by iptables by fw, and packets depended on ip destination, src and others by u32, but something goes wrong :( the filters configuration is: $TC

Hello lartc, Testing some rules I found out that any rules are slowing down large pings! For example: tc qdisc add dev eth0 root handle 1: htb tc class add dev eth0 parent 1: classid 1:1 htb rate 100Mbit prio 1 ceil 100Mbit tc class add dev eth0 parent 1:1 classid 1:2 htb rate 100Mbit prio 2 ceil 100Mbit tc filter add dev eth0 parent 1:0 prio 5 u32 \ match ip src 10.10.10.1 \ match ip

Hello, I am trying to use tc to drop packets based on the ip identification field in the ip header, I am trying to drop incomming packets with the ip identification field egual with 15: tc qdisc del dev eth0 ingress tc qdisc add dev eth0 handle ffff: ingress tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip protocol 6 0xff flowid 1:1 match u16 0x000f 0xffff at 4 action drop tc

Hi all, Is is possible to configure the u32 classifier to match on VLAN ID? Or any other bits in the 802.1 header for that matter? If so, can anybody tell me how? Or where to find out how? Regards, Leigh Leigh Sharpe Network Systems Engineer Pacific Wireless Ph +61 3 9584 8966 Mob 0408 009 502 email lsharpe@pacificwireless.com.au web www.pacificwireless.com.au

Hi all, After reading a lot and searching on the INternet, I want to filter ASP and/or AH traffic According to /etc/protocols ESP and AH are IP protos 50 and 51 so this u32 filter should work ? (I can use fw filter because the firewall/VPN can''t mark pakets :-( tc filter add dev ethX parent X:0 protocol ip prio X u32 match ip protocol 50 0xff flowid X:XX ? Can someone confirm this ?

I want to limit each user in my network to have limited bandwidth (let''s say 256/128 kbit). I use NAT (done with iptables). Can I limit users on the outgoing interface using u32 using rules like: tc filter add dev eth0 parent 1: protocol ip prio 17 u32 match ip src 10.10.10.10 flowid 1:10 It seem I made a mistake somewhere or NAT is done before routing and I must use iptables

Hi, how can I filter IPsec traffic with u32 filters? I know IPsec needs Port 500/UDP and IP protocols 50 and 51. I know how to get the port stuff, but how can I make u32 to match the protocol number? thx, cb _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hello! What is the significance of "handle" in a u32 filter?? For example, if I have a HTB class 1:1 and three child classes 1:11, 1:12, and 1:13. Within 1:11, I define dsmark, say 2:0, and let it mark packets with certain DSCP. Now, using the u32 filter I need to classify packets of a certain flow (e.g., based on src ip address and dest port), then can someone give me an example of

why if I place a fw filter on root I cant place the u32 filter with the same prio. filter add ... parent root prio 1 fw ... filter add ... parent root prio 1 u32 ... <-gives error, but filter add ... parent root prio 2 u32 .x.x.x.1. filter add ... parent root prio 2 u32 x.x.x.1 no problem with this... I know that the priorities tells the order at which to check them(is the order

Hello, 1. I currently have a 128kbps cable link to the internet..and I''m sharing this connection with others. I''ve made the following script(for alocating bandwidth depending on the services used: browsing, squid, games like counter-strike, icmp, ssh), which unfortunately isn''t working very well as the response times I''m getting upon pinging the server

I''m hashing on a non-octet boundary, and it doesn''t seem to be working. I''ve got this set of filters, that does work: # root tc filter add dev eth1 \ parent 1: protocol ip prio 2 \ u32 # ht tc filter add dev eth1 \ parent 1: protocol ip prio 2 \ handle 2: \ u32 divisor 256 # flow tc filter replace dev eth1 \

Hi, I am trying to put together a hashing filter based on example provided in LARTC how-to document. I want to link two hashing filters together where first one will use 3rd octet of an IP address as hashkey and second one will use 4th octet as hash key. How do I tell mask the address so that u32 filter uses 3rd octet as hashkey? Venkatesh K _______________________________________________

hi I would like to ask is the following config correct for what I want to achieve ... Scenario: I have 3 networks 192.168.12.0/24, 192.168.48.0/24, 192.168.56.0/24 and most of the users use 1 IP, some of them more... If I make flat u32-filter search the box will make aprox/max 3 * 256 = 768 checks for every IP, so i''m deciding to deploy u32 hashes.. Here is the config I think to use

Hello lartc, Q1: If I want select subhet, I wrote ...u32 match ip dst a.d.r.es/net police ... How I can say "all except z.x.y" ? Both src/dest addr/port - I foundn''t this info in HOWTO :((( Q2: Why I can''t (or not allowed) to create more then one class into !ingress! queue? I know, it''s incoming trafic? but why? it''s look simply: (yes, i may be