[LARTC] tc u32 match !port

[LARTC] tc u32 match !port

[Salatiel Filho]

How can i redirect all traffic that not come from port 80 to a flow ?

i was thing about some like

tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip sport
!80 ......

But this not work.

Another doubt, if i have two rules that intersects , for example ,
one filter with u32 match ip src 10.10.10.10 flowid 1:10
and other with u32 match sport 80 0xffff flowid 1:11 , which one will
work in case of a packet to 10.10.10.10 with sport 80 ???

[]'s
Salatiel

"O maior prazer do inteligente é bancar o  idiota
   diante de um  idiota que banca o inteligente".
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc u32 match !port

[Alejandro Ramos Encinosa]

On Wednesday 02 May 2007 10:36, Salatiel Filho wrote:
> How can i redirect all traffic that not come from port 80 to a flow ?
>
> i was thing about some like
>
> tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip sport
> !80 ......
Maybe you should try with iptables/tc solution:
iptables -t <table> -A <chain> -p tcp --sport ! 80 0xffff -j MARK --set-mark 5
tc filter add dev imq1 parent 1: handle 5 fw flowid ...

>
> But this not work.
>
> Another doubt, if i have two rules that intersects , for example ,
> one filter with u32 match ip src 10.10.10.10 flowid 1:10
> and other with u32 match sport 80 0xffff flowid 1:11 , which one will
> work in case of a packet to 10.10.10.10 with sport 80 ???
From all filters in the current tc node, those with current priority, will 
match in the same order you declare them. Maybe you want to do something 
like:
     |-------------|
     | 10.10.10.10 |
     |-------------|
       /         \
      /           \
|---------|  |----------|
| default |  | sport 80 |
|---------|  |----------|
then you will have the traffic from 10.10.10.10 going to the subtree root, and 
the traffic that also has port 80 as source, will go to the right child of 
the tree. Maybe the rules will like as the following:

iptables -t mangle -A PREROUTING -s 10.10.10.10 -j MARK --set-mark 4
...
// parent (node 10.10.10.10 on *figure*)
tc class add dev imq1 parent 1:1 classid 1:10 htb rate ...
// "default" node 
tc class add dev imq1 parent 1:10 classid 1:11 htb rate ...
// "sport 80" node
tc class add dev imq1 parent 1:10 classid 1:12 htb rate ...
...
// filter to match the traffic that will go to "sport 80" node
tc filter add dev imq1 protocol ip parent 1: prio 1 u32 match ip src 
10.10.10.10 match ip sport 80 0xffff flowid 1:20
// filter to match the rest of the traffic from 10.10.10.10 (going 
to "default")
tc filter add dev imq1 protocol ip parent 1: prio 1 u32 match ip src 
10.10.10.10 flowid 1:20

-- 
Alejandro Ramos Encinosa <alex@uh.cu>
Fac. Matemática Computación
Universidad de La Habana
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc u32 match !port

[Andy Furniss]

Salatiel Filho wrote:
> How can i redirect all traffic that not come from port 80 to a flow ?
> 
> i was thing about some like
> 
> tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip sport
> !80 ......
> 
> But this not work.
> 
> Another doubt, if i have two rules that intersects , for example ,
> one filter with u32 match ip src 10.10.10.10 flowid 1:10
> and other with u32 match sport 80 0xffff flowid 1:11 , which one will
> work in case of a packet to 10.10.10.10 with sport 80 ???

You need to use prio to order the rules - anything after a rule that 
matches port 80 will be ! 80 - you cannot make a rule that negates 
matches directly. If the structure of your htb etc is deep you can make 
filters attach to parents other than root, but you need to filter the 
traffic to those flowids first. You can match more than one thing with 
one filter rule so you can match prio X src ip and 80 then follow with 
prio (X+1) src ip.

Andy.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc u32 match !port

[Salatiel Filho]

>On 5/3/07, Andy Furniss <lists@andyfurniss.entadsl.com> wrote:
> Salatiel Filho wrote:
> > How can i redirect all traffic that not come from port 80 to a flow ?
> >
> > i was thing about some like
> >
> > tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip sport
> > !80 ......
> >
> > But this not work.
> >
> > Another doubt, if i have two rules that intersects , for example ,
> > one filter with u32 match ip src 10.10.10.10 flowid 1:10
> > and other with u32 match sport 80 0xffff flowid 1:11 , which one will
> > work in case of a packet to 10.10.10.10 with sport 80 ???
>
> You need to use prio to order the rules - anything after a rule that
> matches port 80 will be ! 80 - you cannot make a rule that negates
> matches directly. If the structure of your htb etc is deep you can make
> filters attach to parents other than root, but you need to filter the
> traffic to those flowids first. You can match more than one thing with
> one filter rule so you can match prio X src ip and 80 then follow with
> prio (X+1) src ip.
>
> Andy.
>
>
Well , i am having a few troubles making this work.
I have some like this in pseudo tc rulez :)
  Root class
        Class 1 parent ROOT prio 0 filter u32 match sport 80 dst 10.0.0.254
        Class 2 paret ROOT prio 0 filter u32 match dport 22
        Class 3 parent ROOT prio 7 filter u32 match dst 10.0.0.254
        default

Shouldn't traffic from source port 80 and destination 10.0.0.254 go
through class 1 ?
I can not make a way to this work, traffic to 10.0.0.254 is always
falling in to class 3 :/
Am i missing something ?



-- 
[]'s
Salatiel

"O maior prazer do inteligente é bancar o  idiota
   diante de um  idiota que banca o inteligente".
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc u32 match !port

[Andy Furniss]

Salatiel Filho wrote:

> Well , i am having a few troubles making this work.
> I have some like this in pseudo tc rulez :)
>  Root class
>        Class 1 parent ROOT prio 0 filter u32 match sport 80 dst 10.0.0.254
>        Class 2 paret ROOT prio 0 filter u32 match dport 22
>        Class 3 parent ROOT prio 7 filter u32 match dst 10.0.0.254
>        default
> 
> Shouldn't traffic from source port 80 and destination 10.0.0.254 go
> through class 1 ?
> I can not make a way to this work, traffic to 10.0.0.254 is always
> falling in to class 3 :/
> Am i missing something ?

prio 1 is the top prio for filters 0 ends up much lower.

I think two prio 1s should work in order of entry, but I would use 1 and 
2 to be sure. I have seen reverse order of entry if you don't use prio 
at all ...

tc -s filter ls dev $DEV parent X:Y

should help you see what's going on.

Andy.



_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc u32 match !port

[Salatiel Filho]

On 5/5/07, Andy Furniss <lists@andyfurniss.entadsl.com> wrote:
> Salatiel Filho wrote:
>
> > Well , i am having a few troubles making this work.
> > I have some like this in pseudo tc rulez :)
> >  Root class
> >        Class 1 parent ROOT prio 0 filter u32 match sport 80 dst 10.0.0.254
> >        Class 2 paret ROOT prio 0 filter u32 match dport 22
> >        Class 3 parent ROOT prio 7 filter u32 match dst 10.0.0.254
> >        default
> >
> > Shouldn't traffic from source port 80 and destination 10.0.0.254 go
> > through class 1 ?
> > I can not make a way to this work, traffic to 10.0.0.254 is always
> > falling in to class 3 :/
> > Am i missing something ?
>
> prio 1 is the top prio for filters 0 ends up much lower.
>
> I think two prio 1s should work in order of entry, but I would use 1 and
> 2 to be sure. I have seen reverse order of entry if you don't use prio
> at all ...
>
> tc -s filter ls dev $DEV parent X:Y
>
> should help you see what's going on.
>
> Andy.
>
>
>
>

Changed to this:

tc qdisc add dev imq1 root handle 1: htb default 5 r2q 1
tc class add dev imq1 parent 1: classid 1:5 htb rate 8kbit ceil 8kbit
prio 7 quantum 1500  # DEFAULT

tc class add dev imq1 parent 1: classid 1:2 htb rate 1024kbit ceil
1024kbit prio 0 quantum 1500
tc filter add dev imq1 parent 1: protocol ip prio 1 u32 match ip dst
192.168.10.1 match ip sport 80 0xffff flowid 1:2  # FROM HTTP DEST TO
192.168.10.1

tc class add dev imq1 parent 1: classid 1:3 htb rate 1024kbit ceil
1024kbit prio 0 quantum 1500
tc class add dev imq1 parent 1:3 classid 1:900 htb rate 1024kbit ceil
1024kbit prio 7 quantum 1500
tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip dst
192.168.10.1 flowid 1:900 # ANY OTHER TRAFFIC TO 192.168.10.1

But all traffic is still flowing to 1:900  :/





-- 
[]'s
Salatiel

"O maior prazer do inteligente é bancar o  idiota
   diante de um  idiota que banca o inteligente".
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc u32 match !port

[Andy Furniss]

Salatiel Filho wrote:
> On 5/5/07, Andy Furniss <lists@andyfurniss.entadsl.com> wrote:
>> Salatiel Filho wrote:
>>
>> > Well , i am having a few troubles making this work.
>> > I have some like this in pseudo tc rulez :)
>> >  Root class
>> >        Class 1 parent ROOT prio 0 filter u32 match sport 80 dst 
>> 10.0.0.254
>> >        Class 2 paret ROOT prio 0 filter u32 match dport 22
>> >        Class 3 parent ROOT prio 7 filter u32 match dst 10.0.0.254
>> >        default
>> >
>> > Shouldn't traffic from source port 80 and destination 10.0.0.254 go
>> > through class 1 ?
>> > I can not make a way to this work, traffic to 10.0.0.254 is always
>> > falling in to class 3 :/
>> > Am i missing something ?
>>
>> prio 1 is the top prio for filters 0 ends up much lower.
>>
>> I think two prio 1s should work in order of entry, but I would use 1 and
>> 2 to be sure. I have seen reverse order of entry if you don't use prio
>> at all ...
>>
>> tc -s filter ls dev $DEV parent X:Y
>>
>> should help you see what's going on.
>>
>> Andy.
>>
>>
>>
>>
> 
> Changed to this:
> 
> tc qdisc add dev imq1 root handle 1: htb default 5 r2q 1
> tc class add dev imq1 parent 1: classid 1:5 htb rate 8kbit ceil 8kbit
> prio 7 quantum 1500  # DEFAULT
> 
> tc class add dev imq1 parent 1: classid 1:2 htb rate 1024kbit ceil
> 1024kbit prio 0 quantum 1500
> tc filter add dev imq1 parent 1: protocol ip prio 1 u32 match ip dst
> 192.168.10.1 match ip sport 80 0xffff flowid 1:2  # FROM HTTP DEST TO
> 192.168.10.1
> 
> tc class add dev imq1 parent 1: classid 1:3 htb rate 1024kbit ceil
> 1024kbit prio 0 quantum 1500
> tc class add dev imq1 parent 1:3 classid 1:900 htb rate 1024kbit ceil
> 1024kbit prio 7 quantum 1500
> tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip dst
> 192.168.10.1 flowid 1:900 # ANY OTHER TRAFFIC TO 192.168.10.1
> 
> But all traffic is still flowing to 1:900  :/

Hmm that should work - as long as imq1 hooks in prerouting and after nat 
  if it goes to 1:900 and not 1:5 I suppose it is seeing the address OK.

This is ingress traffic and you are downloading from an http server?

The way you have set up htb the classes won't share bandwidth.

What does tc -s filter ls dev imq1 show?

Andy.



_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc u32 match !port

[Salatiel Filho]

On 5/5/07, Andy Furniss <lists@andyfurniss.entadsl.com> wrote:
> Salatiel Filho wrote:
> > On 5/5/07, Andy Furniss <lists@andyfurniss.entadsl.com> wrote:
> >> Salatiel Filho wrote:
> >>
> >> > Well , i am having a few troubles making this work.
> >> > I have some like this in pseudo tc rulez :)
> >> >  Root class
> >> >        Class 1 parent ROOT prio 0 filter u32 match sport 80 dst
> >> 10.0.0.254
> >> >        Class 2 paret ROOT prio 0 filter u32 match dport 22
> >> >        Class 3 parent ROOT prio 7 filter u32 match dst 10.0.0.254
> >> >        default
> >> >
> >> > Shouldn't traffic from source port 80 and destination 10.0.0.254 go
> >> > through class 1 ?
> >> > I can not make a way to this work, traffic to 10.0.0.254 is always
> >> > falling in to class 3 :/
> >> > Am i missing something ?
> >>
> >> prio 1 is the top prio for filters 0 ends up much lower.
> >>
> >> I think two prio 1s should work in order of entry, but I would use 1 and
> >> 2 to be sure. I have seen reverse order of entry if you don't use prio
> >> at all ...
> >>
> >> tc -s filter ls dev $DEV parent X:Y
> >>
> >> should help you see what's going on.
> >>
> >> Andy.
> >>
> >>
> >>
> >>
> >
> > Changed to this:
> >
> > tc qdisc add dev imq1 root handle 1: htb default 5 r2q 1
> > tc class add dev imq1 parent 1: classid 1:5 htb rate 8kbit ceil 8kbit
> > prio 7 quantum 1500  # DEFAULT
> >
> > tc class add dev imq1 parent 1: classid 1:2 htb rate 1024kbit ceil
> > 1024kbit prio 0 quantum 1500
> > tc filter add dev imq1 parent 1: protocol ip prio 1 u32 match ip dst
> > 192.168.10.1 match ip sport 80 0xffff flowid 1:2  # FROM HTTP DEST TO
> > 192.168.10.1
> >
> > tc class add dev imq1 parent 1: classid 1:3 htb rate 1024kbit ceil
> > 1024kbit prio 0 quantum 1500
> > tc class add dev imq1 parent 1:3 classid 1:900 htb rate 1024kbit ceil
> > 1024kbit prio 7 quantum 1500
> > tc filter add dev imq1 parent 1: protocol ip prio 7 u32 match ip dst
> > 192.168.10.1 flowid 1:900 # ANY OTHER TRAFFIC TO 192.168.10.1
> >
> > But all traffic is still flowing to 1:900  :/
>
> Hmm that should work - as long as imq1 hooks in prerouting and after nat
>   if it goes to 1:900 and not 1:5 I suppose it is seeing the address OK.
Yes , IMQ  hooks in prerouting after nat , i have a very odd setup.

>
> This is ingress traffic and you are downloading from an http server?
Yeah :)

>
> The way you have set up htb the classes won't share bandwidth.
I know , i need this in this class, like a said a odd setup :)
>
> What does tc -s filter ls dev imq1 show?
Right now i can not copy the output here. But when i took a look i had
ZERO packets going   through that class :/

>
> Andy.
>
>
>
>


-- 
[]'s
Salatiel

"O maior prazer do inteligente é bancar o  idiota
   diante de um  idiota que banca o inteligente".
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc