similar to: ipip and nexthdr

I''m having trouble with nexthdr. tc filter add dev eth0 protocol ip parent 10:0 prio 1 u32 \ match ip protocol 0x6 0xff match u8 0x02 0x12 at nexthdr+13 flowid 10:3 fails to match my test packets whereas tc filter add dev eth0 protocol ip parent 10:0 prio 1 u32 \ match ip protocol 0x6 0xff match u8 0x02 0x12 at 33 flowid 10:3 does match them. Of course, the second one is really wrong

Hello, it seems, that filtering on nexthdr (TCP/UDP) content, especially src or dst port, is not working. The following has no effect on 2.4.16 or older (even 2.2) kernels: # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match tcp dst 3128 0xffff police rate 40kbit burst 10k drop flowid :1 Even if # tc filter ls dev eth0 parent ffff: filter protocol ip pref 50 u32 filter protocol

Hi. Is there anyone who has understood of how u32 nexthdr addressing is supposed to work? (including the "tcp/icmp/.." matches who implicitly uses nexthdr) From reading the kernel code it apparently is using the location set by "offset at", but this seems to only be evaluated on hash parents, and only for it''s children.. I.e. the logic for u32 filter rule

I still think that nexthdr should be fixed, but I''d like to mention that iptables --protocol tcp can do pretty much the same thing. That is, tc filter add dev $1 protocol ip parent 10:0 prio 1 u32 \ match ip protocol 0x6 0xff match u8 0x02 0x16 at nexthdr+13 flowid 10:3 can be replaced by iptables -A PREROUTING -t mangle -p tcp --syn -j MARK --set-mark 2 tc filter add dev $1 protocol

There are several ways that VMs can take advantage of UFO and get the host to do fragmentation for them: drivers/net/macvtap.c: gso_type = SKB_GSO_UDP; drivers/net/tun.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP; drivers/net/virtio_net.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP; Our implementation of UFO for IPv6 does: fptr =

There are several ways that VMs can take advantage of UFO and get the host to do fragmentation for them: drivers/net/macvtap.c: gso_type = SKB_GSO_UDP; drivers/net/tun.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP; drivers/net/virtio_net.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP; Our implementation of UFO for IPv6 does: fptr =

Hi everyone, I am having problems with "oopses" since I introduced HTB on my company''s PC-based routers. It seems that only routers with high network load are affected. The average network load on the two most problematic routers are 10Mbps in/out and 2.5Mbps in/out. The other machines with less than 1Mbps average traffic seems unaffected. We have been getting oopses on

Hi all, I''m experimenting with HTB and the prio parameter and it does not give me results I expect. I''ve created 4 HTB classes: 1:10 TCP ACKs (prio 0) 1:20 TCP traffic on dst port 10001 (prio 1) 1:30 TCP traffic on dst port 10000 (prio 2) 1:40 Default (prio 3) ceil and rate parameters are the same for all 4 classes (rate is

Hi all, I''m looking for the best way to set up a Linux router with "tc" to limit the incoming bandwidth my ISP''s clients use. Please assist me with the following: Diagram: INTERNET | | | |eth0 ----------- Linux router/shaper |eth1 | | | --------------- Clients1(64k)/2(128k)/3(64k)/... Clients normally purchase bandwidth in bundles of

The code to detect fragments in checksum_setup() was missing for IPv4 and too eager for IPv6. (It transpires that Windows seems to send IPv6 packets with a fragment header even if they are not a fragment - i.e. offset is zero, and M bit is not set). Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com>

Hi! Is there any way to do just plain vanilla TBF (Token Buck Filter) type shaping on a group of ips/networks, not an entire interface. Currently the only way I know how to shape in Linux is to use HTB or CBQ, but both of these need a total rate and then you need to subdivide that into classes. That is not what I want. All I want is Cisco generic traffic shaping style shaping (or similar to how

Ok, After much research and e-mails to the list, I''m finally to the point where I have filtering setup properly. Now, I''m trying to figure out tc filter so that I can classify packets on both eth0 and eth1. So, lets take for example Samba traffic. I want to be sure that its being sent with relative speed so that my shares don''t get lagged. And what the heck, its

Hi, Does anyone tried to get ipip or gre tunnel behind NAT environments. ? i''m trying to make both side tunneling with ipip or gre with private address just like belows.. A -------------------FIRWWAL -------------------INET ------------------- B PRIVATE PUBLIC PUBLIC (10.100.0.1) (211.xxx.xxx.xxx) (

Hi guys, I''m trying to setup an IPIP tunnel between a Cisco router and a firewall running Debian GNU/Linux Sarge with Shorewall 2.0.13. I''ve read and implemented the http://shorewall.net/IPIP.htm document, but I don''t understand why there should be at the same time a "tunnel" and a "tunnels" script. Shorewall still refuses to let the

Hi, I''ve a gateway host (cali), connected to the Internet via ADSL and a PPTP tunnel (ppp0). I also have a IPIP tunnel to another host over the Internet (mytun), nothing fancy. This is working perfectly. But I want to give more priority to the IPIP packets coming OUT of the PPP (PPTP connection) interface. And I can''t get this to work. Class 2:21 is the one with high

I was trying the following setup with IPIP tunnels, one that used to work through another ISP, but no longer... Internal network | Linux box 1 (kernel 2.2.24) iif=10.0.0.1, extf=a.b.c.d, tunf=172.16.0.1 | |local metropolitan network | Another Linux box 2 (kernel 2.2.17, or 2.4.19, same result) iif=irrelevant, extf=x.y.z.v,

https://bugzilla.netfilter.org/show_bug.cgi?id=1140 Bug ID: 1140 Summary: nft dump invalid (flow table) Product: nftables Version: unspecified Hardware: x86_64 OS: other Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=98 netfilter@linuxace.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |netfilter@linuxace.com Status|ASSIGNED |RESOLVED Resolution|

Hello, Looking here http://lartc.org/howto/lartc.tunnel.ip-ip.html It says to load a new_tunnel.o module. There is no such module on 2.6.9, so where would I find up-to-date documentation on ip tunnels in the Linux kernel? Thanks, Mike -- Michael P. Soulier <michael_soulier@mitel.com>, 613-592-2122 x2522 "Any intelligent fool can make things bigger and more complex... It takes a

Hello Gurus, I am a small problem with routing and here are the details. Interfaces on my server: * ipsec0 - 172.19.58.94 * tunl0 - 172.19.58.94 * eth0 - 172.19.58.94 Now, the problem is that there is another host 172.19.58.200. All communication to 172.19.58.200 should be through tunl0, and all the data should be secured using IPSec (tunnel mode - because there are more machines on my