[LARTC] traffic shaping vpn (GRE) traffic

[LARTC] traffic shaping vpn (GRE) traffic

[syncmaster4]

[-- Attachment #1.1: Type: text/plain, Size: 610 bytes --]

Looking for some advise from the experts out there.

We do simple traffice shaping and I'm having trouble figuring out how to
shape vpn traffic using a tc filter.

The following filter works fine for SSH
tc filter add dev eth2 parent 1:0 protocol ip u32 match ip sport 22 0xffff
classid 1:10

The following throws and "Illegal match" error when trying to filter GRE
traffic.
tc filter add dev eth2 parent 1:0 protocol ip u32 \
        match ip protocol 47 0xff \
        match ip u16 0x10 00ff at 24 \
        classid 1:10

Any pointers are greatly appreciated!

CentOS 4.4 - 2.6.9-42.0.3.ELsmp

Thanks!
Craig

[-- Attachment #1.2: Type: text/html, Size: 785 bytes --]

[-- Attachment #2: Type: text/plain, Size: 143 bytes --]

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] traffic shaping vpn (GRE) traffic

[Nikolay Kichukov]

Hello syncmaster4,
I am not much of an routing expert myself, but if you are getting the 
Illegal match error message, try looking in the command syntax or the 
kernel config to check if you compiled all the necessary modules for the 
command you are using.

Have you got support for protocol 47? Just guessing here.

-Nik

syncmaster4 wrote:
> Looking for some advise from the experts out there.
> 
> We do simple traffice shaping and I'm having trouble figuring out how to 
> shape vpn traffic using a tc filter.
> 
> The following filter works fine for SSH
> tc filter add dev eth2 parent 1:0 protocol ip u32 match ip sport 22 
> 0xffff classid 1:10
> 
> The following throws and "Illegal match" error when trying to filter GRE 
> traffic.
> tc filter add dev eth2 parent 1:0 protocol ip u32 \
>         match ip protocol 47 0xff \
>         match ip u16 0x10 00ff at 24 \
>         classid 1:10
> 
> Any pointers are greatly appreciated!
> 
> CentOS 4.4 - 2.6.9-42.0.3.ELsmp
> 
> Thanks!
> Craig
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] traffic shaping vpn (GRE) traffic

[Nikolay Kichukov]

Hello Craig,
Is it linux flavour specific kernel you are using? I guess there might 
be no tc support for the kind of match you are tring to do, but iptables 
support included. Those I presume might be different kernel options.

In the first place, if anyone can say if the syntax of the following 
command is okay would be best choice:

tc filter add dev eth2 parent 1:0 protocol ip u32 \
         match ip protocol 47 0xff \
         match ip u16 0x10 00ff at 24 \
         classid 1:10

I am also CCing the LARTC list hoping anyone with more experience will 
know the answer.

-Nik

syncmaster4 wrote:
> Hi Nikolay,
> 
> I am using the standard kernel but we are able to successully allow GRE
> traffic through IPTABLES running on this same computer.  So I am 
> assuming we
> do have support for GRE since we are able to successfully NAT it.
> 
> I am far from a kernel/iptables/tc expert so maybe my assumption is
> completely wrong...
> 
> Thanks!
> Craig
> 
> 
> On 12/11/06, Nikolay Kichukov <hijacker@oldum.net> wrote:
>>
>> Hello syncmaster4,
>> I am not much of an routing expert myself, but if you are getting the
>> Illegal match error message, try looking in the command syntax or the
>> kernel config to check if you compiled all the necessary modules for the
>> command you are using.
>>
>> Have you got support for protocol 47? Just guessing here.
>>
>> -Nik
>>
>> syncmaster4 wrote:
>> > Looking for some advise from the experts out there.
>> >
>> > We do simple traffice shaping and I'm having trouble figuring out 
>> how to
>> > shape vpn traffic using a tc filter.
>> >
>> > The following filter works fine for SSH
>> > tc filter add dev eth2 parent 1:0 protocol ip u32 match ip sport 22
>> > 0xffff classid 1:10
>> >
>> > The following throws and "Illegal match" error when trying to filter 
>> GRE
>> > traffic.
>> > tc filter add dev eth2 parent 1:0 protocol ip u32 \
>> >         match ip protocol 47 0xff \
>> >         match ip u16 0x10 00ff at 24 \
>> >         classid 1:10
>> >
>> > Any pointers are greatly appreciated!
>> >
>> > CentOS 4.4 - 2.6.9-42.0.3.ELsmp
>> >
>> > Thanks!
>> > Craig
>> >
>> >
>> > 
>> ------------------------------------------------------------------------
>> >
>> > _______________________________________________
>> > LARTC mailing list
>> > LARTC@mailman.ds9a.nl
>> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
> 

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] traffic shaping vpn (GRE) traffic

[Andy Furniss]

syncmaster4 wrote:
> Looking for some advise from the experts out there.
> 
> We do simple traffice shaping and I'm having trouble figuring out how to
> shape vpn traffic using a tc filter.
> 
> The following filter works fine for SSH
> tc filter add dev eth2 parent 1:0 protocol ip u32 match ip sport 22 0xffff
> classid 1:10
> 
> The following throws and "Illegal match" error when trying to filter GRE
> traffic.
> tc filter add dev eth2 parent 1:0 protocol ip u32 \
>        match ip protocol 47 0xff \
>        match ip u16 0x10 00ff at 24 \
>        classid 1:10
> 
> Any pointers are greatly appreciated!

You don't need the ip in match ip u16.

Possibly also put 0x before 00ff and I am not sure what that will 
actually match.

Andy.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc