From: "Paweł Staszewski" <pstaszewski@itcare.pl>
To: Linux Network Development list <netdev@vger.kernel.org>
Subject: iproute2 action/policer question
Date: Tue, 09 Jun 2009 22:10:46 +0200
Message-ID: <4A2EC1C6.10806@itcare.pl>

Hello,

I ask this question here.
Does someone here know the proper use of iproute actions/policers?
I want to achieve something like this:

$TC qdisc del dev eth0 root
$TC qdisc add dev eth0 root handle 1: hfsc default 10
$TC class add dev eth0 parent 1:0 classid 1:2 hfsc ls m2 1kbit ul m2 10240kbit
$TC class add dev eth0 parent 1:0 classid 1:3 hfsc ls m2 1kbit ul m2 10240kbit
$TC class add dev eth0 parent 1:0 classid 1:10 hfsc ls m2 1kbit ul m2 10240kbit
$TC filter add dev eth0 parent 1: protocol ip prio 2 u32 match ip src 10.0.0.1 flowid 1:2
$TC qdisc add dev eth0 parent 1:2 handle 2: sfq perturb 120
#$TC filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 0/0 flowid 1:3
$TC qdisc add dev eth0 parent 1:3 handle 3: sfq perturb 120
#$TC filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 0/0 flowid 1:3 action ipt -j MARK --set-mark 0x555 drop
$TC filter add dev eth0 parent 1: protocol ip prio 10 u32 \
    match ip src 0/0 flowid 1:3 \
    action ipt -j MARK --set-mark 1 \
    action police rate 1kbit burst 1k drop

So I want to MARK the packet by use of an action, then pass the packet to the next
action and drop it if it exceeds 1kbit.
This is only a sample, but it is not working:

tc -s -d filter show dev eth0
filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:2 (rule hit 7913 success 7803)
  match 5ef6801c/ffffffff at 12 (success 7803 )
filter parent 1: protocol ip pref 10 u32
filter parent 1: protocol ip pref 10 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 10 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:3 (rule hit 110 success 110)
  match 00000000/00000000 at 12 (success 110 )
        action order 1: tablename: mangle hook: NF_IP_POST_ROUTING
        target MARK xset 0x1/0xffffffff
        index 13 ref 1 bind 1 installed 407 sec used 2 sec
        Action statistics:
        Sent 42351 bytes 110 pkt (dropped 0, overlimits 0 requeues 0)
        rate 0bit 0pps backlog 0b 0p requeues 0
        action order 2: police 0x4 rate 1000bit burst 1023b mtu 2Kb action drop overhead 0b
        ref 1 bind 1
        Action statistics:
        Sent 42351 bytes 110 pkt (dropped 0, overlimits 32 requeues 0)
        rate 0bit 0pps backlog 0b 0p requeues 0

iptables -L -n -v -t mangle
Chain PREROUTING (policy ACCEPT 19M packets, 19G bytes)
 pkts bytes target  prot opt in  out  source      destination
    0     0 LOG     all  --  *   *    0.0.0.0/0   0.0.0.0/0    mark match 0x1 LOG flags 0 level 4

Chain INPUT (policy ACCEPT 19M packets, 19G bytes)
 pkts bytes target  prot opt in  out  source      destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source      destination
    0     0 LOG     all  --  *   *    0.0.0.0/0   0.0.0.0/0    mark match 0x1 LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 11M packets, 17G bytes)
 pkts bytes target  prot opt in  out  source      destination

Chain POSTROUTING (policy ACCEPT 11M packets, 17G bytes)
 pkts bytes target  prot opt in  out  source      destination
    0     0 LOG     all  --  *   *    0.0.0.0/0   0.0.0.0/0    mark match 0x1 LOG flags 0 level 4

Also, is there someone who knows which actions from iptables can be used
in iproute2?
Because a command like this is not working:

tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 0/0 flowid 1:3 action ipt -j LOG
failed to find target LOG
bad action parsing
parse_action: bad value (3:ipt)!
Illegal "action"
iptables -t mangle -A FORWARD -j LOG
is working.
lsmod
Module Size Used by
ipt_LOG 4696 3
act_ipt 3776 1
ifb 3444 0
act_mirred 3328 0

What is the clue of this?
So I want to make a filter rule at the end of some traffic management
based on iproute2 (this filter rule will be like a default class, so it
catches all unclassified traffic and LOGs or MARKs this traffic, and I can
know that somewhere in my net there is an unclassified IP address).
Because in normal operation, if you use only iproute2, you have a default
class and you don't know what is going to this default class - this is
hard if you use hfsc because of the default class that is always active and
matches all traffic from the interface that root is attached to.
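
Added example, not part of the original message: a Python parser for the `tc -s -d filter show` output quoted above. It reports how many packets hit a catch-all u32 match (mask 00000000, i.e. traffic no earlier filter classified) and lists police actions whose counters show overlimits but no drops, as in the post. The function names are assumptions of this example; the sample text is the post's output with wrapped lines rejoined.

```python
import re

# Output quoted in the post (wrapped lines rejoined), embedded so this runs offline.
SAMPLE = """\
filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:2 (rule hit 7913 success 7803)
  match 5ef6801c/ffffffff at 12 (success 7803 )
filter parent 1: protocol ip pref 10 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:3 (rule hit 110 success 110)
  match 00000000/00000000 at 12 (success 110 )
        action order 1: tablename: mangle hook: NF_IP_POST_ROUTING
        target MARK xset 0x1/0xffffffff
        Action statistics:
        Sent 42351 bytes 110 pkt (dropped 0, overlimits 0 requeues 0)
        action order 2: police 0x4 rate 1000bit burst 1023b mtu 2Kb action drop overhead 0b
        Action statistics:
        Sent 42351 bytes 110 pkt (dropped 0, overlimits 32 requeues 0)
"""

FILTER = re.compile(r"^filter .*pref (\d+) u32 fh \S+ .*flowid (\S+) \(rule hit (\d+) success (\d+)\)")
MATCH = re.compile(r"^\s*match ([0-9a-f]{8})/([0-9a-f]{8}) at (\d+)")
ACTION = re.compile(r"^\s*action order (\d+): (\S+)")
SENT = re.compile(r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+)")

def parse_filters(text):
    """Return one dict per u32 filter entry with its match masks and action counters."""
    filters = []
    for line in text.splitlines():
        if m := FILTER.match(line):
            filters.append({"pref": int(m[1]), "flowid": m[2], "hits": int(m[4]),
                            "masks": [], "actions": []})
        elif not filters:
            continue
        elif m := MATCH.match(line):
            # Keep every mask: a filter is a catch-all only if all of them are zero.
            filters[-1]["masks"].append(int(m[2], 16))
        elif m := ACTION.match(line):
            filters[-1]["actions"].append({"order": int(m[1]), "kind": m[2].rstrip(":")})
        elif (m := SENT.search(line)) and filters[-1]["actions"]:
            filters[-1]["actions"][-1].update(pkts=int(m[2]), dropped=int(m[3]), overlimits=int(m[4]))
    return filters

def unclassified_report(text):
    """(flowid, hits, policer orders with overlimits but no drops) per catch-all filter."""
    out = []
    for f in parse_filters(text):
        if f["masks"] and not any(f["masks"]):
            stuck = [a["order"] for a in f["actions"]
                     if a["kind"] == "police" and a.get("overlimits", 0) and not a.get("dropped", 0)]
            out.append((f["flowid"], f["hits"], stuck))
    return out
```

The ipt action appears with kind `tablename` because that is the first token tc prints for it in this output.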