tc match MAC destination

tc match MAC destination

[Andrei Popa]

Hello,

I want to shape PVSTP+ traffic (traffic that has MAC destination
01:00:0c:cc:cc:cd) and it doesn't work.
I've tried
filter parent 1: protocol 802_3 pref 2 u32 fh 802::11 order 17 key ht
802 bkt 0 flowid 1:3 
  match 01000ccc/ffffffff at 0
but it doesn't work.

With
filter parent 1: protocol arp pref 1 u32 
filter parent 1: protocol arp pref 1 u32 fh 801: ht divisor 1 
filter parent 1: protocol arp pref 1 u32 fh 801::7 order 7 key ht 801
bkt 0 flowid 1:3 
  match 00000000/00000000 at 0
filter parent 1: protocol 802_3 pref 2 u32 
filter parent 1: protocol 802_3 pref 2 u32 fh 802: ht divisor 1 
filter parent 1: protocol 802_3 pref 2 u32 fh 802::3 order 3 key ht 802
bkt 0 flowid 1:3 
  match 00000000/00000000 at 0
        action order 1: mirred (Egress Mirror to device ifb1) pipe
        index 1923 ref 1 bind 1

I see arp trafic with tcpdump on ifb1, but no STP traffic or any kind of
traffic except arp, because I've matched all MAC addreses.
Can somebody verify that this match works ?

I use kernel 2.6.39.1.

Thank you,
-- 
Andrei Popa
0760 683 280

Re: tc match MAC destination

[Eric Dumazet]

Le mercredi 15 juin 2011 à 11:12 +0300, Andrei Popa a écrit :
> Hello,
> 
> I want to shape PVSTP+ traffic (traffic that has MAC destination
> 01:00:0c:cc:cc:cd) and it doesn't work.
> I've tried
> filter parent 1: protocol 802_3 pref 2 u32 fh 802::11 order 17 key ht
> 802 bkt 0 flowid 1:3 
>   match 01000ccc/ffffffff at 0
> but it doesn't work.
> 
> With
> filter parent 1: protocol arp pref 1 u32 
> filter parent 1: protocol arp pref 1 u32 fh 801: ht divisor 1 
> filter parent 1: protocol arp pref 1 u32 fh 801::7 order 7 key ht 801
> bkt 0 flowid 1:3 
>   match 00000000/00000000 at 0
> filter parent 1: protocol 802_3 pref 2 u32 
> filter parent 1: protocol 802_3 pref 2 u32 fh 802: ht divisor 1 
> filter parent 1: protocol 802_3 pref 2 u32 fh 802::3 order 3 key ht 802
> bkt 0 flowid 1:3 
>   match 00000000/00000000 at 0
>         action order 1: mirred (Egress Mirror to device ifb1) pipe
>         index 1923 ref 1 bind 1
> 
> I see arp trafic with tcpdump on ifb1, but no STP traffic or any kind of
> traffic except arp, because I've matched all MAC addreses.
> Can somebody verify that this match works ?
> 
> I use kernel 2.6.39.1.
> 
> Thank you,

Hi Andrei

Since you refer to a very complex network setup, it would really help if
you provide a self contained script so that we can take a look.

We netdev guys saw your first mail days ago but are a bit busy, so the
7th point listed in "REPORTING-BUGS" would be nice :

[7.] A small shell script or example program which triggers the problem

Re: tc match MAC destination

[Thomas Graf]

On Wed, Jun 15, 2011 at 11:12:01AM +0300, Andrei Popa wrote:
> I want to shape PVSTP+ traffic (traffic that has MAC destination
> 01:00:0c:cc:cc:cd) and it doesn't work.
> I've tried
> filter parent 1: protocol 802_3 pref 2 u32 fh 802::11 order 17 key ht
> 802 bkt 0 flowid 1:3 
>   match 01000ccc/ffffffff at 0
> but it doesn't work.

u32 offset 0 corresponds to the network layer and thus will
match the first byte of the ip layer or whatever protocol
is found on that layer.

You can use the cmp ematch to match on the mac layer:

Use something like this:
filter add basic match 'cmp(0x01000ccc at 0 layer link mask 0xffffffff)'

... cmp(>>help<<)...
Usage: cmp(ALIGN at OFFSET [ ATTRS ] { eq | lt | gt } VALUE)
where: ALIGN  := { u8 | u16 | u32 }
       ATTRS  := [ layer LAYER ] [ mask MASK ] [ trans ]
       LAYER  := { link | network | transport | 0..2 }

Example: cmp(u16 at 3 layer 2 mask 0xff00 gt 20

Re: tc match MAC destination

[Stephen Hemminger]

On Wed, 15 Jun 2011 11:12:01 +0300
Andrei Popa <ierdnah@gmail.com> wrote:

> Hello,
> 
> I want to shape PVSTP+ traffic (traffic that has MAC destination
> 01:00:0c:cc:cc:cd) and it doesn't work.
> I've tried
> filter parent 1: protocol 802_3 pref 2 u32 fh 802::11 order 17 key ht
> 802 bkt 0 flowid 1:3 
>   match 01000ccc/ffffffff at 0
> but it doesn't work.
> 
> With
> filter parent 1: protocol arp pref 1 u32 
> filter parent 1: protocol arp pref 1 u32 fh 801: ht divisor 1 
> filter parent 1: protocol arp pref 1 u32 fh 801::7 order 7 key ht 801
> bkt 0 flowid 1:3 
>   match 00000000/00000000 at 0
> filter parent 1: protocol 802_3 pref 2 u32 
> filter parent 1: protocol 802_3 pref 2 u32 fh 802: ht divisor 1 
> filter parent 1: protocol 802_3 pref 2 u32 fh 802::3 order 3 key ht 802
> bkt 0 flowid 1:3 
>   match 00000000/00000000 at 0
>         action order 1: mirred (Egress Mirror to device ifb1) pipe
>         index 1923 ref 1 bind 1
> 
> I see arp trafic with tcpdump on ifb1, but no STP traffic or any kind of
> traffic except arp, because I've matched all MAC addreses.
> Can somebody verify that this match works ?
> 
> I use kernel 2.6.39.1.
> 
> Thank you,

If you use current iproute tools it is possible to use:
 tc filter ... match ether dst 01:00:0c:cc:cc:cd

which generates the necessary offset.

Re: tc match MAC destination

[jamal]

On Wed, 2011-06-15 at 11:12 +0300, Andrei Popa wrote:
> Hello,
> 
> I want to shape PVSTP+ traffic (traffic that has MAC destination
> 01:00:0c:cc:cc:cd) and it doesn't work.
> I've tried
> filter parent 1: protocol 802_3 pref 2 u32 fh 802::11 order 17 key ht
> 802 bkt 0 flowid 1:3 
>   match 01000ccc/ffffffff at 0
> but it doesn't work.
> 

MAC addresses are at -ve offsets.
dst MAC starts at -14
src MAC at -8
ethertype at -2

Example:
#match my laptops MAC address ( 00:0b:97:97:4d:6a)
#for incoming packets on eth0 and count arp packets...
#
tc filter add dev eth0 parent ffff: protocol arp prio 10 u32 \
match u16 0x000B 0xffff at -14 \
match u32 0x97974D6A 0xffffffff at -12 \
match u16 0x0806 0xffff at -2 \
flowid 1:12 \
action ok

cheers,
jamal

Re: tc match MAC destination - nothing matches on protocol 802_3

[Doru Theodor Petrescu]

I updated my scripts to use the 'tc filter ... match ether src/dst'
syntax. it really makes reading the script easier. thanks for the tip!

however the problem persists. I changed the rule to match ANY pachet of
type 802_3 and redirect it to ifb1. but nothing arrives on ifb1.

I tried to redirect ARP pachets using 'protocol arp' filter and it works
perfectly as expected.

so at this point the problem is no longer 'how to match ethernet header'
but rather 'how to match a pachet of type 802_3'. My feeling is that
there is a bug somewhere in kernel where the 'protocol 802_3' matching
happens.


I attach part of the script I use to generate the filters and classes. I
removed everything related to HTB and IP pachets because there is no
problem there. in case the formating is lost, you can download it from
here: http://evox.ro/kernel_netdev_tc_protocol_802.3/


Thx for any help,
Doru Theodor Petrescu
CTO, Evox Solutions SRL
http://evox.ro/



for DEV in bond0.2199 bond1.2199 bond0.3000 bond1.3001 ; do


   tc qdisc  del dev $DEV root

   tc qdisc  add dev $DEV root handle 1: htb default 2
   tc class  add dev $DEV parent 1: classid 1:1 htb rate 930000kbit ceil
930000kbit quantum 1600
   
   tc filter add dev $DEV parent 1: prio 5 protocol ip u32
# ==> 800:

   tc filter add dev $DEV parent 1: prio 1 protocol 0x0806 u32
# ==> 801:      protocol ARP
   tc filter add dev $DEV parent 1: prio 1 handle 801:0:7 protocol
0x0806 u32  match u32 0 0 flowid 1:3

   tc filter add dev $DEV parent 1: prio 2 protocol 802_3 u32
# ==> 802:

   tc filter add dev $DEV parent 1: prio 6 protocol ip u32
# ==> 803:


   tc filter replace dev $DEV parent 1: prio 2 handle 802:0:3  protocol
802_3 u32 match u16 0 0 at 0 flowid 1:3 action mirred egress mirror dev
ifb1
   tc filter replace dev $DEV parent 1: prio 2 handle 802:0:9  protocol
802_3 u32 match ether src 01:00:0c:cc:cc:cd flowid 1:3 action mirred
egress mirror dev ifb1
   tc filter replace dev $DEV parent 1: prio 2 handle 802:0:10 protocol
802_3 u32 match ether dst 01:00:0c:cc:cc:cd flowid 1:3 action mirred
egress mirror dev ifb1

done


# the 802_3 pachet filter:   
# 
# 802:0:3 should match ANY pachet of type 802_3 and mirror it to ifb1
# 802:0:9 and 802:0:10 should match any pachet with src/dst
01:00:0c:cc:cc:cd and mirror it to ifb1
#
# however NOTHING is going to ifb1    try 'tcpdump -nltve -i ifb1'
# at the same time 'tcpdump -nltve -i bond1.2199 ether host
0100.0ccc.cccd' will show about one pachet every second
# 


# at the same time the ARP filter works. you can mirror all ARP trafic
to IFB1 like this:
# tc filter replace dev $DEV parent 1: prio 1 handle 801:0:7 protocol
0x0806 u32  match u32 0 0 flowid 1:3 action mirred egress mirror dev
ifb1

Re: tc match MAC destination - nothing matches on protocol 802_3

[Stephen Hemminger]

On Thu, 16 Jun 2011 10:56:52 +0300
Doru Theodor Petrescu <pdoru.kernel@evox.ro> wrote:

> 
> 
> I updated my scripts to use the 'tc filter ... match ether src/dst'
> syntax. it really makes reading the script easier. thanks for the tip!
> 
> however the problem persists. I changed the rule to match ANY pachet of
> type 802_3 and redirect it to ifb1. but nothing arrives on ifb1.
> 
> I tried to redirect ARP pachets using 'protocol arp' filter and it works
> perfectly as expected.
> 
> so at this point the problem is no longer 'how to match ethernet header'
> but rather 'how to match a pachet of type 802_3'. My feeling is that
> there is a bug somewhere in kernel where the 'protocol 802_3' matching
> happens.
> 
> 
> I attach part of the script I use to generate the filters and classes. I
> removed everything related to HTB and IP pachets because there is no
> problem there. in case the formating is lost, you can download it from
> here: http://evox.ro/kernel_netdev_tc_protocol_802.3/
> 
> 
> Thx for any help,
> Doru Theodor Petrescu
> CTO, Evox Solutions SRL
> http://evox.ro/
> 
> 
> 
> for DEV in bond0.2199 bond1.2199 bond0.3000 bond1.3001 ; do
> 
> 
>    tc qdisc  del dev $DEV root
> 
>    tc qdisc  add dev $DEV root handle 1: htb default 2
>    tc class  add dev $DEV parent 1: classid 1:1 htb rate 930000kbit ceil
> 930000kbit quantum 1600
>    
>    tc filter add dev $DEV parent 1: prio 5 protocol ip u32
> # ==> 800:
> 
>    tc filter add dev $DEV parent 1: prio 1 protocol 0x0806 u32
> # ==> 801:      protocol ARP
>    tc filter add dev $DEV parent 1: prio 1 handle 801:0:7 protocol
> 0x0806 u32  match u32 0 0 flowid 1:3
> 
>    tc filter add dev $DEV parent 1: prio 2 protocol 802_3 u32
> # ==> 802:
> 
>    tc filter add dev $DEV parent 1: prio 6 protocol ip u32
> # ==> 803:
> 
> 
>    tc filter replace dev $DEV parent 1: prio 2 handle 802:0:3  protocol
> 802_3 u32 match u16 0 0 at 0 flowid 1:3 action mirred egress mirror dev
> ifb1
>    tc filter replace dev $DEV parent 1: prio 2 handle 802:0:9  protocol
> 802_3 u32 match ether src 01:00:0c:cc:cc:cd flowid 1:3 action mirred
> egress mirror dev ifb1
>    tc filter replace dev $DEV parent 1: prio 2 handle 802:0:10 protocol
> 802_3 u32 match ether dst 01:00:0c:cc:cc:cd flowid 1:3 action mirred
> egress mirror dev ifb1
> 
> done
> 
> 
> # the 802_3 pachet filter:   
> # 
> # 802:0:3 should match ANY pachet of type 802_3 and mirror it to ifb1
> # 802:0:9 and 802:0:10 should match any pachet with src/dst
> 01:00:0c:cc:cc:cd and mirror it to ifb1
> #
> # however NOTHING is going to ifb1    try 'tcpdump -nltve -i ifb1'
> # at the same time 'tcpdump -nltve -i bond1.2199 ether host
> 0100.0ccc.cccd' will show about one pachet every second
> # 
> 
> 
> # at the same time the ARP filter works. you can mirror all ARP trafic
> to IFB1 like this:
> # tc filter replace dev $DEV parent 1: prio 1 handle 801:0:7 protocol
> 0x0806 u32  match u32 0 0 flowid 1:3 action mirred egress mirror dev
> ifb1

I think you want 802_2 to match STP frames. 802_3 is a dummy value
for the old Novell IPX encapsulation

Re: tc match MAC destination - nothing matches on protocol 802_3

[Doru Petrescu]

On Thu, 2011-06-16 at 08:51 -0700, Stephen Hemminger wrote:
> On Thu, 16 Jun 2011 10:56:52 +0300
> Doru Theodor Petrescu <pdoru.kernel@evox.ro> wrote:
> 
> > 
> > 
> > I updated my scripts to use the 'tc filter ... match ether src/dst'
> > syntax. it really makes reading the script easier. thanks for the tip!
> > 
> > however the problem persists. I changed the rule to match ANY pachet of
> > type 802_3 and redirect it to ifb1. but nothing arrives on ifb1.
> > 
> > I tried to redirect ARP pachets using 'protocol arp' filter and it works
> > perfectly as expected.
> > 
> > so at this point the problem is no longer 'how to match ethernet header'
> > but rather 'how to match a pachet of type 802_3'. My feeling is that
> > there is a bug somewhere in kernel where the 'protocol 802_3' matching
> > happens.
> > 
> > 
> > I attach part of the script I use to generate the filters and classes. I
> > removed everything related to HTB and IP pachets because there is no
> > problem there. in case the formating is lost, you can download it from
> > here: http://evox.ro/kernel_netdev_tc_protocol_802.3/
> > 
> > 
> > Thx for any help,
> > Doru Theodor Petrescu
> > CTO, Evox Solutions SRL
> > http://evox.ro/
> > 
> > 
> > 
> > for DEV in bond0.2199 bond1.2199 bond0.3000 bond1.3001 ; do
> > 
> > 
> >    tc qdisc  del dev $DEV root
> > 
> >    tc qdisc  add dev $DEV root handle 1: htb default 2
> >    tc class  add dev $DEV parent 1: classid 1:1 htb rate 930000kbit ceil
> > 930000kbit quantum 1600
> >    
> >    tc filter add dev $DEV parent 1: prio 5 protocol ip u32
> > # ==> 800:
> > 
> >    tc filter add dev $DEV parent 1: prio 1 protocol 0x0806 u32
> > # ==> 801:      protocol ARP
> >    tc filter add dev $DEV parent 1: prio 1 handle 801:0:7 protocol
> > 0x0806 u32  match u32 0 0 flowid 1:3
> > 
> >    tc filter add dev $DEV parent 1: prio 2 protocol 802_3 u32
> > # ==> 802:
> > 
> >    tc filter add dev $DEV parent 1: prio 6 protocol ip u32
> > # ==> 803:
> > 
> > 
> >    tc filter replace dev $DEV parent 1: prio 2 handle 802:0:3  protocol
> > 802_3 u32 match u16 0 0 at 0 flowid 1:3 action mirred egress mirror dev
> > ifb1
> >    tc filter replace dev $DEV parent 1: prio 2 handle 802:0:9  protocol
> > 802_3 u32 match ether src 01:00:0c:cc:cc:cd flowid 1:3 action mirred
> > egress mirror dev ifb1
> >    tc filter replace dev $DEV parent 1: prio 2 handle 802:0:10 protocol
> > 802_3 u32 match ether dst 01:00:0c:cc:cc:cd flowid 1:3 action mirred
> > egress mirror dev ifb1
> > 
> > done
> > 
> > 
> > # the 802_3 pachet filter:   
> > # 
> > # 802:0:3 should match ANY pachet of type 802_3 and mirror it to ifb1
> > # 802:0:9 and 802:0:10 should match any pachet with src/dst
> > 01:00:0c:cc:cc:cd and mirror it to ifb1
> > #
> > # however NOTHING is going to ifb1    try 'tcpdump -nltve -i ifb1'
> > # at the same time 'tcpdump -nltve -i bond1.2199 ether host
> > 0100.0ccc.cccd' will show about one pachet every second
> > # 
> > 
> > 
> > # at the same time the ARP filter works. you can mirror all ARP trafic
> > to IFB1 like this:
> > # tc filter replace dev $DEV parent 1: prio 1 handle 801:0:7 protocol
> > 0x0806 u32  match u32 0 0 flowid 1:3 action mirred egress mirror dev
> > ifb1
> 
> I think you want 802_2 to match STP frames. 802_3 is a dummy value
> for the old Novell IPX encapsulation




well, this is what TCPDUMP will print:
00:1d:45:d7:19:7a > 01:00:0c:cc:cc:cd, 802.3, length 64: LLC, dsap SNAP
(0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco
(0x00000c), pid Unknown (0x010b): Unnumbered, ui, Flags [Command],
length 50


it thinks it's 802.3 so this is why I used 802_3


I just tried your advice and created a filter with protocol 802_2 and
guess what ... IT WORKS !!!


so, don't use 'protocol 802.3' use 'protocol 802.2' in tc filters!

thanks everybody!
D.