From: "Paweł Staszewski" <pstaszewski@itcare.pl>
To: Jarek Poplawski <jarkao2@gmail.com>
Cc: Linux Network Development list <netdev@vger.kernel.org>,
Jamal Hadi Salim <hadi@cyberus.ca>
Subject: Re: iproute2 action/policer question
Date: Mon, 15 Jun 2009 18:13:32 +0200
Message-ID: <4A36732C.8080903@itcare.pl>
In-Reply-To: <20090615111927.GA12316@ff.dom.local>
Jarek Poplawski writes:
> On 09-06-2009 22:10, Paweł Staszewski wrote:
>
>> Hello
>>
>> I ask this question here:
>> does someone here know the proper use of iproute actions/policers?
>> I want to achieve something like this:
>>
>
> Hi,
> I'm not an actions/policers expert, but here are a few comments.
>
>
>> $TC qdisc del dev eth0 root
>>
>> $TC qdisc add dev eth0 root handle 1: hfsc default 10
>>
>> $TC class add dev eth0 parent 1:0 classid 1:2 hfsc ls m2 1kbit ul m2 10240kbit
>> $TC class add dev eth0 parent 1:0 classid 1:3 hfsc ls m2 1kbit ul m2 10240kbit
>> $TC class add dev eth0 parent 1:0 classid 1:10 hfsc ls m2 1kbit ul m2 10240kbit
>>
>> $TC filter add dev eth0 parent 1: protocol ip prio 2 u32 match ip src 10.0.0.1 flowid 1:2
>> $TC qdisc add dev eth0 parent 1:2 handle 2: sfq perturb 120
>> #$TC filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 0/0 flowid 1:3
>> $TC qdisc add dev eth0 parent 1:3 handle 3: sfq perturb 120
>>
>> #$TC filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 0/0 flowid 1:3 action ipt -j MARK --set-mark 0x555 drop
>>
>> $TC filter add dev eth0 parent 1: protocol ip prio 10 u32 \
>> match ip src 0/0 flowid 1:3 \
>> action ipt -j MARK --set-mark 1 \
>> action police rate 1kbit burst 1k drop
>>
>> So I want to MARK the packet by use of an action, then pass the packet to
>> the next action and drop it if it exceeds 1kbit.
>>
>> This is only a sample, but it is not working.
>>
>
> IMHO something like this should work. (I've checked it with a bit
> higher police rates/burst and htb.) I'm not sure you've properly
> checked the effects, because these stats below could be simply
> not updated etc.
>
>
>> tc -s -d filter show dev eth0
>> filter parent 1: protocol ip pref 2 u32
>> filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
>> filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:2 (rule hit 7913 success 7803)
>> match 5ef6801c/ffffffff at 12 (success 7803 )
>> filter parent 1: protocol ip pref 10 u32
>> filter parent 1: protocol ip pref 10 u32 fh 801: ht divisor 1
>> filter parent 1: protocol ip pref 10 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:3 (rule hit 110 success 110)
>> match 00000000/00000000 at 12 (success 110 )
>> action order 1: tablename: mangle hook: NF_IP_POST_ROUTING
>> target MARK xset 0x1/0xffffffff
>> index 13 ref 1 bind 1 installed 407 sec used 2 sec
>> Action statistics:
>> Sent 42351 bytes 110 pkt (dropped 0, overlimits 0 requeues 0)
>> rate 0bit 0pps backlog 0b 0p requeues 0
>>
>> action order 2: police 0x4 rate 1000bit burst 1023b mtu 2Kb
>> action drop overhead 0b
>> ref 1 bind 1
>> Action statistics:
>> Sent 42351 bytes 110 pkt (dropped 0, overlimits 32 requeues 0)
>> rate 0bit 0pps backlog 0b 0p requeues 0
>>
>> iptables -L -n -v -t mangle
>>
>
> I don't know exactly the ipt action internals, so I could be wrong,
> but it seems it marks packets as expected, but it could be done out
> of the iptables chain so after these LOGs. Anyway, I managed to use it
> with fw filter to classify according to the mark.
>
>
>> Chain PREROUTING (policy ACCEPT 19M packets, 19G bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1 LOG flags 0 level 4
>>
>> Chain INPUT (policy ACCEPT 19M packets, 19G bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1 LOG flags 0 level 4
>>
>> Chain OUTPUT (policy ACCEPT 11M packets, 17G bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain POSTROUTING (policy ACCEPT 11M packets, 17G bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1 LOG flags 0 level 4
>>
>> Also, is there someone who knows which actions from iptables can be used
>> in iproute2?
>>
>
> According to iproute2/doc/actions/actions_general mangle targets
> should work; and you could also try (if it doesn't work then probably
> it can't be used...;-)
>
> But... I'm neither able to configure/compile it with the current
> iproute2/iptables, nor test it with distro's builds (Debian testing).
> After some checking I found iproute2 needs updating, because iptables
> changes API (xtables.h) virtually with every new version, so I don't
> even blame the ipt author or distro maintainer.
>
>
>> because a command like this is not working:
>> tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 0/0 flowid 1:3 action ipt -j LOG
>> failed to find target LOG
>>
>> bad action parsing
>> parse_action: bad value (3:ipt)!
>> Illegal "action"
>>
>>
>> iptables -t mangle -A FORWARD -j LOG
>> is working.
>> lsmod
>> Module Size Used by
>> ipt_LOG 4696 3
>> act_ipt 3776 1
>> ifb 3444 0
>> act_mirred 3328 0
>>
>>
>>
>> What is the clue to this?
>> So I want to make a filter rule at the end of some traffic management
>> based on iproute2 (this filter rule will be like a default class, so it
>> catches all unclassified traffic and LOGs or MARKs this traffic, and I can
>> know that somewhere in my net there is an unclassified IP address).
>> Because in normal operation, if you use only iproute2, you have a default
>> class and you don't know what is going to this default class. This is
>> hard if you use hfsc, because of the default class that is always active and
>> matches all traffic from the interface that the root is attached to.
>>
>
> I guess, after studying these iproute2 docs examples, you should be
> able to do such tricks e.g. with mirred and other actions even without
> ipt. Or you could ask the authors for more docs...
>
>
Yes, I know that I can make a mirred redirect action to some dummy
interface and then log on this device using the iptables "LOG" target
(and this is working for me now), but I was thinking about something
simpler/faster and without specially copying packets to a dummy or ifb device.
> Cheers,
> Jarek P.
>
> PS: the tc classifier maintainer added to Cc.
>
>
>
Regards
Paweł Staszewski
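As an added example (not code from this thread, from iproute2 or from the kernel), here is a small Python parser for the `tc -s -d filter show` listing quoted above. It pulls the per-filter hit counters and the per-action statistics out of the text and flags police actions whose counters do not add up: the thread's listing shows the drop policer with "overlimits 32" but "dropped 0", which is exactly the kind of reading Jarek says should not be trusted without checking. The sample input is the thread's own listing with the mail-wrapped lines rejoined; the parser assumes u32 filters and the act_ipt "tablename:" line shape exactly as they appear there.

```python
# Added example for this thread, not code from the netdev post or from
# iproute2: parse `tc -s -d filter show` output and sanity-check the
# policer statistics it reports.
import re
from dataclasses import dataclass, field

# Constructed sample: the thread's `tc -s -d filter show dev eth0` output,
# with the lines the mail client wrapped joined back together.
SAMPLE = """\
filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:2 (rule hit 7913 success 7803)
  match 5ef6801c/ffffffff at 12 (success 7803 )
filter parent 1: protocol ip pref 10 u32
filter parent 1: protocol ip pref 10 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 10 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:3 (rule hit 110 success 110)
  match 00000000/00000000 at 12 (success 110 )
    action order 1: tablename: mangle hook: NF_IP_POST_ROUTING
    target MARK xset 0x1/0xffffffff
    index 13 ref 1 bind 1 installed 407 sec used 2 sec
    Action statistics:
    Sent 42351 bytes 110 pkt (dropped 0, overlimits 0 requeues 0)
    rate 0bit 0pps backlog 0b 0p requeues 0

    action order 2: police 0x4 rate 1000bit burst 1023b mtu 2Kb
    action drop overhead 0b
    ref 1 bind 1
    Action statistics:
    Sent 42351 bytes 110 pkt (dropped 0, overlimits 32 requeues 0)
    rate 0bit 0pps backlog 0b 0p requeues 0
"""


@dataclass
class Action:
    order: int
    kind: str      # "ipt", "police", "mirred", ...
    detail: str    # rest of the "action order N:" line
    sent_bytes: int = 0
    pkts: int = 0
    dropped: int = 0
    overlimits: int = 0


@dataclass
class Filter:
    pref: int
    handle: str    # e.g. "801::800"
    flowid: str    # class the filter steers to, e.g. "1:3"
    hits: int
    successes: int
    actions: list = field(default_factory=list)


FILTER_RE = re.compile(
    r"pref (\d+) u32 fh (\S+) .*?flowid (\S+) \(rule hit (\d+) success (\d+)\)")
ACTION_RE = re.compile(r"action order (\d+): (\S+)\s*(.*)")
STATS_RE = re.compile(r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+)")


def parse_filters(text):
    """Return the Filter records found in `tc -s -d filter show` output."""
    filters, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILTER_RE.search(line)
        if m:
            current = Filter(int(m[1]), m[2], m[3], int(m[4]), int(m[5]))
            filters.append(current)
            continue
        m = ACTION_RE.match(line)
        if m and current is not None:
            kind = m[2]
            # act_ipt prints "tablename: <table> hook: <hook>" instead of a kind word
            if kind == "tablename:":
                kind = "ipt"
            current.actions.append(Action(int(m[1]), kind, m[3]))
            continue
        m = STATS_RE.match(line)
        if m and current is not None and current.actions:
            act = current.actions[-1]       # stats belong to the last action seen
            act.sent_bytes, act.pkts, act.dropped, act.overlimits = map(int, m.groups())
    return filters


def suspicious_policers(filters):
    """(pref, action order) of police actions that count overlimits but no drops.

    A drop policer reporting overlimits > 0 with dropped == 0 is either not
    dropping or not updating its drop counter; the stats alone do not prove
    the limit is enforced, so confirm with real traffic before relying on it.
    """
    return [(f.pref, a.order) for f in filters for a in f.actions
            if a.kind == "police" and a.overlimits > 0 and a.dropped == 0]


if __name__ == "__main__":
    for pref, order in suspicious_policers(parse_filters(SAMPLE)):
        print(f"pref {pref}: police action {order} has overlimits but no drops")
```

Run against the listing from the thread, the parser reports the pref 10 filter's second action (the policer) as suspicious, which is the reading Jarek's reply warns may simply be stale counters; in practice, feed it the live output of `tc -s -d filter show dev <iface>` from a monitoring job and alert when a policer you rely on for limiting shows this pattern.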