[LARTC] U32 filter for IPSEC (ESP)

[LARTC] U32 filter for IPSEC (ESP)

[Gilles Douillet]

Hi all,

After reading a lot and searching on the INternet, I want to filter ASP
and/or AH traffic

According to /etc/protocols ESP and AH are IP protos 50 and 51

so this u32 filter should work ? (I can use fw filter because the
firewall/VPN can't mark pakets :-(

tc filter add dev ethX parent X:0 protocol ip prio X u32 match ip protocol
50 0xff flowid X:XX ?

Can someone confirm this ?

Many thanks

G.



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] U32 filter for IPSEC (ESP)

[bert hubert]

On Mon, Jan 06, 2003 at 12:49:54AM +0100, Gilles Douillet wrote:

> so this u32 filter should work ? (I can use fw filter because the
> firewall/VPN can't mark pakets :-(
> 
> tc filter add dev ethX parent X:0 protocol ip prio X u32 match ip protocol
> 50 0xff flowid X:XX ?

Looks fine, but try proving it - just send this traffic to anotherwise empty
class and run 'tc -s qdisc ls dev eth0' and 'tc -s class ls dev eth0' to see
if the counters change.

Regards,

bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
http://netherlabs.nl                         Consulting
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/