From: Andrei Boros <andrei@srr.ro>
To: lartc@vger.kernel.org
Subject: [LARTC] ipip and nexthdr
Date: Mon, 02 Dec 2002 09:47:42 +0000
Message-ID: <marc-lartc-103882255011918@msgid-missing>

After careful reading (LARTC) and experimentation, I am in a dead
end...

I am using several IPIP tunnels (linux ipip module, IP protocol 4).
I'd like to filter packets going through these tunnels to different
classes, on the ingress device, based on source and destination IP
_INSIDE THE TUNNEL_.

First I tried the nexthdr bit. As explained in LARTC, nexthdr jumps to
the next header in the packet, so I figured if it works for TCP, it
should also work for IP in IP, but it didn't.

I looked at some ICMP echo request/reply packets with tcpdump dumping
packet contents in hex.

The IP header is 20 bytes. I tried the following
(a.b.c.d is an IP inside the tunnel):

    tc filter ... u32 match ip src a.b.c.d at nexthdr+0

I assumed this would go to the inner IP header, ip src will set the
correct offset. WRONG.

    tc filter ... u32 match ip src a.b.c.d at nexthdr+12

This should point to the source address in the IP header, in the next
header = the tunnel.
WRONG.

    tc filter ... u32 match 0xaabbccdd 0xffffffff at 32

CORRECT. This correctly matches the source IP inside the tunnel.

I browsed a lot inside the source of tc (from iproute) but how nexthdr
works is still unclear to me.

However, I'd like to be able to make the filter selections with ip src,
ip dst, sport, dport inside the tunnel, before decapsulation.

--
ing. Andrei Boros
mailto:andrei@srr.ro / +40-21-303-1870
Centrul pt. Tehnologia Informatiei
Societatea Romana de Radiodifuziune
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
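
Added example, not part of the original message: a Python emulation of a raw 32-bit value/mask match at a byte offset from the outer IP header, run over a constructed IPIP packet. It shows why the inner source address sits at byte 32 when the outer header is 20 bytes (20 + 12), and goes one step beyond the message by showing where it moves when the outer header carries IP options. The addresses and helper names are assumptions made for illustration.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len, options=b""):
    """Build a constructed IPv4 header (checksum left at 0; irrelevant for offsets)."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = ihl * 4 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options

def u32_match(packet, value, mask, offset):
    """Emulate 'match VALUE MASK at OFFSET': compare one 32-bit word read
    OFFSET bytes from the start of the outer IP header."""
    if offset < 0 or offset + 4 > len(packet):
        return False
    (word,) = struct.unpack_from("!I", packet, offset)
    return (word & mask) == (value & mask)

def inner_offsets(packet):
    """Return (src_offset, dst_offset) of the inner IP header in an IPIP packet,
    derived from the outer IHL instead of assuming a 20-byte outer header."""
    if packet[0] >> 4 != 4 or packet[9] != 4:  # outer IPv4 carrying IP protocol 4
        raise ValueError("not an IPIP packet")
    outer_len = (packet[0] & 0x0F) * 4
    return outer_len + 12, outer_len + 16

def ip_to_u32(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]

# Constructed sample: tunnel 192.0.2.1 -> 192.0.2.2, inner ICMP 10.1.1.5 -> 10.2.2.9.
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 1, 8) + b"\x08\x00" + b"\x00" * 6
PLAIN = ipv4_header("192.0.2.1", "192.0.2.2", 4, len(INNER)) + INNER
# Same packet with 4 bytes of outer IP options (NOP padding), so outer IHL = 6.
OPTS = ipv4_header("192.0.2.1", "192.0.2.2", 4, len(INNER), b"\x01\x01\x01\x01") + INNER

if __name__ == "__main__":
    want = ip_to_u32("10.1.1.5")
    print("inner src/dst offsets, 20-byte outer:", inner_offsets(PLAIN))
    print("match at 32:", u32_match(PLAIN, want, 0xFFFFFFFF, 32))
    print("match at 12 (outer src):", u32_match(PLAIN, want, 0xFFFFFFFF, 12))
    print("outer options, match at 32:", u32_match(OPTS, want, 0xFFFFFFFF, 32))
    off = inner_offsets(OPTS)[0]
    print("outer options, match at", off, ":", u32_match(OPTS, want, 0xFFFFFFFF, off))
```

A fixed offset of 32 is only valid while every tunnelled packet has a 20-byte outer header; packets with outer IP options shift the inner addresses by the option length.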