From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Yury Stankevich <urykhy@gmail.com>,
	shemonc@gmail.com,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	netfilter-devel@vger.kernel.org
Subject: Re: tc ipt action
Date: Sun, 16 Dec 2012 01:27:55 +0100
Message-ID: <20121216002755.GA11773@1984>
In-Reply-To: <50CCE961.5050204@mojatatu.com>

Hi Jamal!

On Sat, Dec 15, 2012 at 04:19:29PM -0500, Jamal Hadi Salim wrote:
> Yury,
> 
> I took a brief look and ran some quick tests on Ubuntu 12.04. I am going
> to be lazy and try and involve the netfilter folks.
> It seems that if you left out the args to CONNMARK (includes other
> targets like MARK etc) you will succeed - but you get default
> values.
> 
> 
> Example, the following should work for
> tc filter add dev eth0 parent ffff: protocol ip u32 match u32 0 0
> action ipt -j CONNMARK \
> action mirred egress redirect dev ifb0
> 
> Here is what the output looks like when you don't pass the parameters.
> 
> -------
> j@ubuntu:~$ sudo tc filter show dev eth0 parent ffff:
> filter protocol ip pref 1 u32
> filter protocol ip pref 1 u32 fh 800: ht divisor 1
> filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt
> 0 flowid 1:15
>   match 0a000015/ffffffff at 12
> 	action order 1: tablename: mangle  hook: NF_IP_PRE_ROUTING
> 	target  MARK and 0xffffffff
> 	index 2 ref 1 bind 1
> 
> filter protocol ip pref 49149 u32
> filter protocol ip pref 49149 u32 fh 804: ht divisor 1
> filter protocol ip pref 49149 u32 fh 804::800 order 2048 key ht 804
> bkt 0 flowid 1:12
>   match 00000000/00000000 at 0
> 	action order 33: tablename: mangle  hook: NF_IP_PRE_ROUTING
> 	target  CONNMARK and 0x0
> 	index 123 ref 1 bind 1
> ----------------
> 
> Pablo, Hasan Chowdhury tells me this broke after iptable 1.4.10.
> Hasan also sent me a small patch to fake "xt" instead of "ipt" - but
> I think there's more than meets the eye here; some interface we are
> using to talk to xtables on user space seems to have changed.

The binary interface was broken in 1.4.11 with the guided option
parser:

commit 7299fa4b615d7f7ee12cde444266f6b31f667f9f
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Sun Mar 6 15:54:58 2011 +0100

    libxt_CONNMARK: use guided option parser

You need a patch to use the new interface to stay in sync with current
iptables libraries. I'll make it for tc and send it to you.

BTW, I think it would be good if we find a way to check for
the current libxtables version (see iptables/configure.ac), so you can
know that we broke binary compatibility again.

Cheers,
Pablo
