Displaying 20 results from an estimated 1000 matches similar to: "u32 nexthdr problem"
2001 Dec 13
14
tc: u32 match in nexthdr not working?
Hello,
it seems, that filtering on nexthdr (TCP/UDP) content, especially
src or dst port, is not working.
The following has no effect on 2.4.16 or older (even 2.2) kernels:
# tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match tcp
dst 3128 0xffff police rate 40kbit burst 10k drop flowid :1
Even if
# tc filter ls dev eth0 parent ffff:
filter protocol ip pref 50 u32
filter protocol
2002 Dec 02
1
ipip and nexthdr
After careful reading (LARTC) and experimentation, I am in a dead
end...
I am using several IPIP tunnels (linux ipip module, IP protocol 4).
I'd like to filter packets going through these tunnels to different
classes, on the ingress device, based on source and destination IP
_INSIDE THE TUNNEL_.
First I tried the nexthdr bit. As explained in LARTC, nexthdr jumps to
the next header
2001 Dec 08
0
tc filter u32 nexthdr, chained filters?
Hi.
Is there anyone who has understood how u32 nexthdr addressing is supposed
to work? (including the "tcp/icmp/.." matches, which implicitly use nexthdr)
From reading the kernel code it apparently is using the location set by
"offset at", but this seems to only be evaluated on hash parents, and only
for its children..
I.e. the logic for u32 filter rule
2001 Jul 04
0
u32 nexthdr -> iptables --protocol tcp
I still think that nexthdr should be fixed, but I'd like to mention
that iptables --protocol tcp can do pretty much the same thing.
That is,
tc filter add dev $1 protocol ip parent 10:0 prio 1 u32 \
match ip protocol 0x6 0xff match u8 0x02 0x16 at nexthdr+13 flowid 10:3
can be replaced by
iptables -A PREROUTING -t mangle -p tcp --syn -j MARK --set-mark 2
tc filter add dev $1 protocol
2007 Aug 29
5
HTB does not respect the prio parameter
Hi all,
I'm experimenting with HTB and the prio parameter and it does not give me results I
expect. I've created 4 HTB classes:
1:10 TCP ACKs (prio 0)
1:20 TCP traffic on dst port 10001 (prio 1)
1:30 TCP traffic on dst port 10000 (prio 2)
1:40 Default (prio 3)
ceil and rate parameters are the same for all 4 classes (rate is
2007 Sep 07
1
tc filter syntax (and general noobness)
Ok,
After much research and e-mails to the list, I'm finally to the point
where I have filtering setup properly.
Now, I'm trying to figure out tc filter so that I can classify packets
on both eth0 and eth1.
So, let's take for example Samba traffic. I want to be sure that it's
being sent with relative speed so that my shares don't get lagged. And
what the heck, its
2014 Oct 21
2
IPv6 UFO for VMs
There are several ways that VMs can take advantage of UFO and get the
host to do fragmentation for them:
drivers/net/macvtap.c: gso_type = SKB_GSO_UDP;
drivers/net/tun.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
drivers/net/virtio_net.c: skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
Our implementation of UFO for IPv6 does:
fptr =
2003 Oct 31
2
tc filter oddities
I shape my upstream cable link with HTB from a script. My voip traffic
(from the 192.168.0.14 host) gets priority over everything else to the
near-starvation of other classes; the rest of the traffic is split up
based on some priority rules (qos, empty ack packets, etc). eth1 is the
uplink
I've been using HTB and fw marking for the job until recently, when I
changed the queue structure
2013 Nov 28
4
[PATCH net] xen-netback: fix fragment detection in checksum setup
The code to detect fragments in checksum_setup() was missing for IPv4 and
too eager for IPv6. (It transpires that Windows seems to send IPv6 packets
with a fragment header even if they are not a fragment - i.e. offset is zero,
and M bit is not set).
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
2004 Nov 20
1
how to match TTL?
Hi!
I can't find anywhere correct syntax how to match TTL. All of I found refuse to
work :(
tc filter add dev eth1 parent 1:0 prio 10 u32 match u8 64 0xff at 8 flowid 1:11
tc filter add dev eth1 parent 1:0 prio 10 u32 match u8 0x10 0xff at nexthdr+13
protocol tcp flowid 1:11
tc filter add dev eth1 parent 1:0 prio 10 u32 match u8 0x10 0xff at nexthdr+13
flowid 1:11
All I need is to
2017 Apr 01
6
[Bug 1140] New: nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140
Bug ID: 1140
Summary: nft dump invalid (flow table)
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
2005 Jun 01
2
TC Filtering Problems
Dear Admins and Hackers,
Maybe I am too stupid to use 'tc'. But I am having logical problems understanding the filter rules in tc.
Common Config:
There is a Linux Engine (Debian) with a 2.6.11.11 Kernel which act as Packetshaper.
Two Interfaces eth0 and eth1 are installed. Interface 'eth0' is the Firewall Side Net
195.185.185.0/24. Interface
2005 Nov 25
0
[RESEND] tc filter: match tcp src vs. match ip sport
Hi all :))
Sorry for asking again, but got no answers and google doesn't
give useful information (seems like "nexthdr" doesn't work right, but
I don't know why...). I really want to know what am I doing wrong...
This filter matches what I want:
tc filter add dev eth0 protocol ip parent 1:0 prio 9 u32\
match ip sport 0x3000 0xf000
2014 May 28
1
[Bug 946] New: Cannot invert a protocol: ip protocol != tcp
https://bugzilla.netfilter.org/show_bug.cgi?id=946
Summary: Cannot invert a protocol: ip protocol != tcp
Product: nftables
Version: unspecified
Platform: x86_64
OS/Version: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
AssignedTo: pablo at netfilter.org
2009 Nov 15
3
bash variable expansion moment
It's half a nice Saturday later and many attempts have brought no
satisfaction. Maybe this can't be done.
I'm trying to write a function which, when called from one function
execute in another. In itself, that's not the problem. Rather, there's
one built-in variable which is evaluated in the function definition and
its value is then set (too early).
Here's the one
2008 Sep 12
4
Custom build kernel patch fails big time.
I am trying to build a custom kernel for the HIPL code
(infrahip.hip.fi), using the patch for the Linux 2.6.18 kernel. I
followed all the instructions for getting the kernel source and making a
custom kernel provided on the wiki. The rpmbuild fails with the
following messages:
Get an error on this step (figured out my other problem):
Patch #40000
2015 Jan 26
0
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
If the IPv6 fragment id has not been set and we perform
fragmentation due to UFO, select a new fragment id.
When we store the fragment id into skb_shinfo, set the bit
in the skb so we can re-use the selected id.
This preserves the behavior of UFO packets generated on the
host and solves the issue of id generation for packet sockets
and tap/macvtap devices.
This patch moves ipv6_select_ident()
2019 Oct 10
13
[Bug 1371] New: Concatenations Literal sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1371
Bug ID: 1371
Summary: Concatenations Literal sets
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: