* [LARTC] More layer7 filtering issues
From: Derek @ 2003-09-23 17:47 UTC (permalink / raw)
  To: lartc

Hi all,

So, I've gotten the gist of a script going for my layer7 filters, but for some 
reason it's not rejecting the packets. Can someone give me a hand with this? 
(I know, the script is probably ugly as sin, but I've hacked it together from 
some misc stuff).

source:
-----------------------------------
tc qdisc add dev $1 root handle 1: htb default 30
tc class add dev $1 parent 1: classid 1:1 htb rate 9mbit burst 15k
#set up three classes attached to the root
tc class add dev $1 parent 1:1 classid 1:10 htb rate 20kbit burst 15k
tc class add dev $1 parent 1:1 classid 1:20 htb rate 2mbit burst 15k
tc class add dev $1 parent 1:1 classid 1:30 htb rate 5mbit burst 15k
#make each of them use stochastic fairness queueing
tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $1 parent 1:30 handle 30: sfq perturb 10

#classify by layer7 protocol into the three leaf classes
tc filter add dev $1 protocol ip parent 1:0 prio 1 handle 1 layer7 protocol msnmessenger classid 1:10
tc filter add dev $1 protocol ip parent 1:0 prio 1 layer7 protocol smtp classid 1:20
tc filter add dev $1 protocol ip parent 1:0 prio 1 layer7 protocol ssh classid 1:30

iptables -A FORWARD -s 10.0.0.0/24 --match mark --mark 1 -j REJECT

Would the iptables rule have any effect whatsoever? I don't think so, but it 
would be nice. 

Output of tc -s class show dev eth1
-----------------------------------------------------------------
class htb 1:1 root rate 9Mbit ceil 9Mbit burst 15334b cburst 12974b
 Sent 25012 bytes 287 pkts (dropped 0, overlimits 0)
 rate 2bps
 lended: 0 borrowed: 0 giants: 0
 tokens: 13 ctokens: 11

class htb 1:10 parent 1:1 leaf 10: prio 0 rate 20Kbit ceil 20Kbit burst 15Kb cburst 1623b
 Sent 8625 bytes 116 pkts (dropped 0, overlimits 0)
 rate 1bps
 lended: 116 borrowed: 0 giants: 0
 tokens: 5975 ctokens: 609

class htb 1:20 parent 1:1 leaf 20: prio 0 rate 2Mbit ceil 2Mbit burst 15204b cburst 4194b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 58 ctokens: 16

class htb 1:30 parent 1:1 leaf 30: prio 0 rate 5Mbit ceil 5Mbit burst 15072b cburst 7863b
 Sent 16387 bytes 171 pkts (dropped 0, overlimits 0)
 rate 1bps
 lended: 171 borrowed: 0 giants: 0
 tokens: 23 ctokens: 12
----

So, 1:10 is getting data passed through it, but I can't figure out a way to 
attach a policing filter that just drops them all into oblivion.


Any help is muy appreciated.

Derek
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] More layer7 filtering issues
From: Thomas Graf @ 2003-09-25 15:22 UTC (permalink / raw)
  To: lartc

Hi

> So, 1:10 is getting data passed through it, but I can't figure out a way to 
> attach a policing filter that just drops them all into oblivion.

tc filter add dev $DEV parent ffff: \
   protocol ip prio 20 \
   u32 match ip protocol 1 0xff \
   police mtu 1 drop \
   flowid :1

Drops all packets with a length > 1 byte which is probably
what you want.

Regards,

-- 
Thomas GRAF


* Re: [LARTC] More layer7 filtering issues
From: Derek @ 2003-09-26 16:50 UTC (permalink / raw)
  To: lartc

Ah, duh, I probably should stop looking at things prior to my morning 
Starbucks intake. Much obliged, though, that's exactly what I was looking 
for. 

Thanks!
Derek

On Friday 26 September 2003 09:44 am, Thomas Graf wrote:
> > 	So, by the looks of things, that is going to drop all of the packets,
> > not just class 1:10? or am I mistaken?
>
> It actually drops all incoming icmp packets. It's just an
> example of how to use policer to drop all packets.


* Re: [LARTC] More layer7 filtering issues
From: Derek @ 2003-09-26 17:23 UTC (permalink / raw)
  To: lartc

Heh, I'm attempting to get it to work... I'm just not sure how I can/if I can 
combine two filters together, or at least attach them to the same class... I 
guess the ideal solution would be a sub filter of a filter, or maybe 
attaching a filter to another filter, but that's probably a little 
blasphemous. I really want to be able to do this without hacking the kernel 
source. It's probably much easier to get an lartc patch committed than a 
kernel one. 

Right now, I'm using 2.5.75 w/ the layer7 patch to try it out, but as soon as 
I finish my backports of the new layer7 patches to 2.4, I'll give 2.4 a shot. 
(2.6 is awesome, but I kept getting panics when using tc to shape with a 
pre-empt enabled kernel). 

If you come up with anything, let me know, otherwise I'll post to the list 
when/if I get it working :)

Thanks,
Derek

On Friday 26 September 2003 10:11 am, you wrote:
> > > > 	So, by the looks of things, that is going to drop all of the
> > > > packets, not just class 1:10? or am I mistaken?
> > >
> > > It actually drops all incoming icmp packets. It's just an
> > > example of how to use policer to drop all packets.
> >
> > Ah, duh, I probably should stop looking at things prior to my morning
> > Starbucks intake. Much obliged, though, that's exactly what I was looking
> > for.
>
> Have you managed to use the layer7 filter to block things, then?  I still
> haven't, even given that example code. (It's rather frustrating that the
> kernel hacking part of this is _easier_ than actually controlling it with
> tc...)  If you have, I'd like to see how you did it.
>
> -matthew

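As an added example (not code from the thread), one way to get what Derek asks for without "attaching a filter to a filter": let the l7-filter iptables match (assumed available as `-m layer7 --l7proto`) mark the flow in the mangle table, then attach Thomas's `police mtu 1 drop` to a standard `fw` filter on the HTB root so everything carrying that mark is dropped before it reaches class 1:10. The function names `setup_htb` and `drop_l7` are mine; the script is a dry run by default (`TC` and `IPT` default to `echo ...`) and prints the commands, so set `TC=tc IPT=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: override with
# TC=tc IPT=iptables on a box that carries the l7-filter patch.
set -eu
TC=${TC:-"echo tc"}
IPT=${IPT:-"echo iptables"}

# Derek's HTB tree, unchanged apart from the loop over the sfq leaves.
setup_htb() {
    dev=$1
    $TC qdisc add dev "$dev" root handle 1: htb default 30
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate 9mbit burst 15k
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate 20kbit burst 15k
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate 2mbit burst 15k
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate 5mbit burst 15k
    for c in 10 20 30; do
        $TC qdisc add dev "$dev" parent 1:$c handle $c: sfq perturb 10
    done
}

# Mark one layer7 protocol in the mangle table (assumed: the l7-filter
# iptables match), then police the mark with an fw filter on the HTB root.
# "police mtu 1 drop" without a rate drops every packet longer than one
# byte, as Thomas explains, so the marked protocol never reaches 1:10.
drop_l7() {
    dev=$1; proto=$2; mark=$3
    $IPT -t mangle -A FORWARD -m layer7 --l7proto "$proto" \
        -j MARK --set-mark "$mark"
    $TC filter add dev "$dev" parent 1:0 protocol ip prio 1 handle "$mark" fw \
        police mtu 1 drop flowid 1:10
}

main() {
    setup_htb eth1
    drop_l7 eth1 msnmessenger 1
}
main
```

If tc is not needed at all, the same match with `-j DROP` in the filter table drops the protocol outright; the tc route keeps the decision in the qdisc tree where Derek's classes live.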
