similar to: u32 nexthdr -> iptables --protocol tcp

I''m having trouble with nexthdr. tc filter add dev eth0 protocol ip parent 10:0 prio 1 u32 \ match ip protocol 0x6 0xff match u8 0x02 0x12 at nexthdr+13 flowid 10:3 fails to match my test packets whereas tc filter add dev eth0 protocol ip parent 10:0 prio 1 u32 \ match ip protocol 0x6 0xff match u8 0x02 0x12 at 33 flowid 10:3 does match them. Of course, the second one is really wrong

Hi. Is there anyone who has understood of how u32 nexthdr addressing is supposed to work? (including the "tcp/icmp/.." matches who implicitly uses nexthdr) From reading the kernel code it apparently is using the location set by "offset at", but this seems to only be evaluated on hash parents, and only for it''s children.. I.e. the logic for u32 filter rule

Hello, it seems, that filtering on nexthdr (TCP/UDP) content, especially src or dst port, is not working. The following has no effect on 2.4.16 or older (even 2.2) kernels: # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match tcp dst 3128 0xffff police rate 40kbit burst 10k drop flowid :1 Even if # tc filter ls dev eth0 parent ffff: filter protocol ip pref 50 u32 filter protocol

https://bugzilla.netfilter.org/show_bug.cgi?id=946 Summary: Cannot invert a protocol: ip protocol != tcp Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: enhancement Priority: P5 Component: nft AssignedTo: pablo at netfilter.org

Hi all :)) Sorry for asking again, but got no answers and google doesn''t give useful information (seems like "nexthdr" doesn''t work right, but I don''t know why...). I really want to know what am I doing wrong... This filter matches what I want: tc filter add dev eth0 protocol ip parent 1:0 prio 9 u32\ match ip sport 0x3000 0xf000

After carefull reading (LARTC) and experimentation, I am in a dead end... I am using several IPIP tunnels (linux ipip module, IP protocol 4). I''d like to filter packets going through these tunnes to different classes, on the ingress device, based on source and destination IP _INSIDE THE TUNNEL_. First I tried the nexthdr bit. As explained in LARTC, nexthdr jumps to the next header

Hello all, I am trying to make a filter into my QoS rules and I founded that when I try to use filters u32 and with fwmark they do not work together. This is the filter I use, just and example, for u32: $TC filter add dev $DL parent 1:0 protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10 This is working fine. Now if I try to mark a package that I want it to go to the same

Hi all, I''m experimenting with HTB and the prio parameter and it does not give me results I expect. I''ve created 4 HTB classes: 1:10 TCP ACKs (prio 0) 1:20 TCP traffic on dst port 10001 (prio 1) 1:30 TCP traffic on dst port 10000 (prio 2) 1:40 Default (prio 3) ceil and rate parameters are the same for all 4 classes (rate is

Hi all :)) This matches what I want: tc filter add dev eth0 protocol ip parent 1:0 prio 9 u32\ match ip sport 0x3000 0xf000 flowid 1:22 and traffic goes to 1:22, but this one doesn''t match: tc filter add dev eth0 protocol ip parent 1:0 prio 9 u32\ match tcp src 0x3000 0xf000 flowid 1:22 I don''t understand why the first one matches and the

Hello...I have a Slackware based machine doing routing & QoS for my internal LAN users... It has two interfaces: eth1(100mbps) that connects to the aDSL modem(USR 9105) and eth0(100mbps) that connects to my local LAN... I''am using shorewall as a firewall...i think it''s configured well as it''s working as i want and i pass all the online firewall tests... :D All lan

I shape my upstream cable link with HTB from a script. My voip traffic (from the 192.168.0.14 host) gets priority over everything else to the near-starvation of other classes; the rest of the traffic is split up based on some priority rules (qos, empty ack packets, etc). eth1 is the uplink I''ve been using HTB and fw marking for the job until recently, when I changed the queue structure

Hello all, As I have promised I am sending my QoS rules. This now works fine with u32 classifier (and parent 1:0 that I could not understand why it did not worked well before). Att, Nataniel Klug ------------------------ #!/bin/sh #------ # Script de QoS Cyber Nett #------ # Nataniel Klug # suporte@cnett.com.br #------ TC="/sbin/tc" IPT="/usr/local/sbin/iptables"

Ok, After much research and e-mails to the list, I''m finally to the point where I have filtering setup properly. Now, I''m trying to figure out tc filter so that I can classify packets on both eth0 and eth1. So, lets take for example Samba traffic. I want to be sure that its being sent with relative speed so that my shares don''t get lagged. And what the heck, its

Hi! I can''t find anywhere correct syntax how to match TTL. All of I found refuse to work :( tc filter add dev eth1 parent 1:0 prio 10 u32 match u8 64 0xff at 8 flowid 1:11 tc filter add dev eth1 parent 1:0 prio 10 u32 match u8 0x10 0xff at nexthdr+13 protocol tcp flowid 1:11 tc filter add dev eth1 parent 1:0 prio 10 u32 match u8 0x10 0xff at nexthdr+13 flowid 1:11 All I need is to

Hi folks, I have a strange situation. When I add branches to the tree, everything goes to the default class. The error might be obvious, but I cannot find it. I would really appreciate your help. this works, nothing goes to "1:9999": ############################################################################# /sbin/iptables -F -t mangle /sbin/tc qdisc del dev eth1 root >

hi all At last i got sucess !.. but am confused y it didnt work earlier..the difference today was that i reinstalled RH7.2 & complied kernel 2.4.16(not 17).. rest was same..... & the bandwidth too is under control!.. is it normal for to get more than said bandwidth--i mean i restricted a network with 8Kbit(with same script as below) but still was able to get a download(ftp) of

I copied and tried to adapt to my necessities the excellent script of Pedro Larroy, but I am inexperienced in QoS and I have doubts. I have cablemodem to Internet 1024kbit down and 256kbit up, through eth0. The LAN has eth1 and NAT. I formed the band so that shaping goes by the eth1 (of the LAN) with bandwidth maximum CEIL=768. But I observe that the traffic sometimes accelerates and other

Dear Admins and Hackers, maybe i am to stupid to use ''tc''. But i having logical Problems to understand the Filter Rules in tc. Common Config: There is a Linux Engine (Debian) with a 2.6.11.11 Kernel which act as Packetshaper. Two Interfaces eth0 and eth1 are installed. Interface ''eth0'' is the Firewall Side Net 195.185.185.0/24. Interface

Hello. I have been trying to duplicate these u32 matching rules using TCNG, but without much success: tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32\ match ip protocol 6 0xff \ match u8 0x05 0x0f at 0 \ match u16 0x0000 0xffc0 at 2 \ match u8 0x10 0xff at 33 \ flowid 1:10 Wondershaper 1.1a implements this and if I run it things seem to be shaped as expected. But this TCNG

Hi guys I have a config as follows for one of my networks. I want to give the xxx.xxx.xxx.xxx/xx network 64kbit for everything from the internet but 8000kbit from our internal servers on yyy.yyy.yyy.yyy/yy network. It does not work. I only want to use u32 filters. I think what's happening is the first flowid of 1:21 is catching them and not getting to the 1:40 flowid. Is this right? The box