[PATCH iproute2] man: tc-u32: Fix page to match new firstfrag behavior

[PATCH iproute2] man: tc-u32: Fix page to match new firstfrag behavior

[Anssi Hannula]

Commit 690b11f4a6b8 ("tc: u32: Fix firstfrag filter.") applied in 2012
changed the "ip firstfrag" selector to not match non-fragmented packets
anymore.

However, the documentation added in f15a23966fff ("tc: add a man page
for u32 filter") in 2015 includes an example that relies on the previous
behavior (non-fragmented packet counted as first fragment).

Due to this, the example does not work correctly and does not actually
classify regular SSH packets.

Modify the example to use a raw u16 selector on the fragment offset to
make it work, and also make the firstfrag description more clear about
the current behavior.

Fixes: f15a23966fff ("tc: add a man page for u32 filter")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Cc: Phil Sutter <phil@nwl.cc>
Cc: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
---

I suspect the original behavior was intentional, but the new one has
been out for 9 years now so I guess it is too late to change again.

 man/man8/tc-u32.8 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/man/man8/tc-u32.8 b/man/man8/tc-u32.8
index fec9af7f..507589bd 100644
--- a/man/man8/tc-u32.8
+++ b/man/man8/tc-u32.8
@@ -427,7 +427,7 @@ Also minimal header size for IPv4 and lack of IPv6 extension headers is assumed.
 IPv4 only, check certain flags and fragment offset values. Match if the packet
 is not a fragment
 .RB ( nofrag ),
-the first fragment
+the first fragment of a fragmented packet
 .RB ( firstfrag ),
 if Don't Fragment
 .RB ( df )
@@ -644,7 +644,7 @@ tc filter add dev eth0 parent 1:0 protocol ip \\
 tc filter add dev eth0 parent 1:0 protocol ip \\
         u32 ht 800: \\
         match ip protocol 6 FF \\
-        match ip firstfrag \\
+        match u16 0 1fff at 6 \\
         offset at 0 mask 0f00 shift 6 \\
         link 1:
 .EE
-- 
2.31.1

Re: [PATCH iproute2] man: tc-u32: Fix page to match new firstfrag behavior

[Phil Sutter]

On Thu, Nov 04, 2021 at 04:42:05PM +0200, Anssi Hannula wrote:
> Commit 690b11f4a6b8 ("tc: u32: Fix firstfrag filter.") applied in 2012
> changed the "ip firstfrag" selector to not match non-fragmented packets
> anymore.
> 
> However, the documentation added in f15a23966fff ("tc: add a man page
> for u32 filter") in 2015 includes an example that relies on the previous
> behavior (non-fragmented packet counted as first fragment).
> 
> Due to this, the example does not work correctly and does not actually
> classify regular SSH packets.
> 
> Modify the example to use a raw u16 selector on the fragment offset to
> make it work, and also make the firstfrag description more clear about
> the current behavior.
> 
> Fixes: f15a23966fff ("tc: add a man page for u32 filter")
> Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
> Cc: Phil Sutter <phil@nwl.cc>
> Cc: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>

Acked-by: Phil Sutter <phil@nwl.cc>

> I suspect the original behavior was intentional, but the new one has
> been out for 9 years now so I guess it is too late to change again.

At least it seems nobody really depends on the old behaviour (or doesn't
update iproute2 then). :)

Thanks, Phil