[PATCH] Use nfmark as a key for u32 classifier

[PATCH] Use nfmark as a key for u32 classifier

[Catalin(ux aka Dino) BOIE]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 757 bytes --]

Hello!

I am glad to announce a patch for u32 to allow matches on nfmark.
The patch is non intrusive (few lines).

Why I did this? Because fw classifier cannot be used together with u32. 
For example, now, you cannot match a mark of 0x90 and a destination 
port of 80. I know you can do it with iptables to do the marking, but if 
you use Jamal actions to apply mark to policed packets, you need this.

All stuff can be found at http://kernel.umbrella.ro/ also.

Dave, please consider adding this patch.

Stephen, if Dave accepts the patch, please apply the iproute2 patch. Thank 
you.

Signed-off-by: Catalin(ux aka Dino) BOIE <catab at umbrella.ro>

Thank you for you time.
---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

[-- Attachment #2: Type: TEXT/PLAIN, Size: 2343 bytes --]

--- iproute2-2.6.9/tc/f_u32.c.orig	2004-11-04 15:38:53.000000000 +0200
+++ iproute2-2.6.9/tc/f_u32.c	2004-11-05 12:23:44.000000000 +0200
@@ -7,6 +7,7 @@
  *		2 of the License, or (at your option) any later version.
  *
  * Authors:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
+ *		Match mark added by Catalin(ux aka Dino) BOIE <catab at umbrella.ro> [5 nov 2004]
  *
  */
 
@@ -33,7 +34,7 @@ static void explain(void)
 	fprintf(stderr, "or         u32 divisor DIVISOR\n");
 	fprintf(stderr, "\n");
 	fprintf(stderr, "Where: SELECTOR := SAMPLE SAMPLE ...\n");
-	fprintf(stderr, "       SAMPLE := { ip | ip6 | udp | tcp | icmp | u{32|16|8} } SAMPLE_ARGS\n");
+	fprintf(stderr, "       SAMPLE := { ip | ip6 | udp | tcp | icmp | u{32|16|8} | mark } SAMPLE_ARGS\n");
 	fprintf(stderr, "       FILTERID := X:Y:Z\n");
 }
 
@@ -590,7 +591,27 @@ done:
 	return res;
 }
 
+static int parse_mark(int *argc_p, char ***argv_p, struct tc_u32_sel *sel)
+{
+	int res = -1;
+	int argc = *argc_p;
+	char **argv = *argv_p;
+
+	if (argc <= 0)
+		return -1;
 
+	if (get_u32(&res, *argv, 0)) {
+		fprintf(stderr, "Illegal \"mark\"\n");
+		return -1;
+	}
+	NEXT_ARG();
+	sel->mark = res;
+	res = 0;
+
+	*argc_p = argc;
+	*argv_p = argv;
+	return res;
+}
 
 static int parse_selector(int *argc_p, char ***argv_p, struct tc_u32_sel *sel)
 {
@@ -641,6 +662,12 @@ static int parse_selector(int *argc_p, c
 		res = parse_icmp(&argc, &argv, sel);
 		goto done;
 	}
+	if (matches(*argv, "mark") == 0) {
+		NEXT_ARG();
+		res = parse_mark(&argc, &argv, sel);
+		goto done;
+	}
+
 	return -1;
 
 done:
@@ -969,6 +996,8 @@ static int u32_print_opt(struct filter_u
 		struct tc_u32_key *key = sel->keys;
 		if (show_stats && NULL != pf)
 			fprintf(f, " (rule hit %llu success %llu)",pf->rcnt,pf->rhit);
+		if (sel->mark)
+			fprintf(f, " mark 0x%x", sel->mark);
 		if (sel->nkeys) {
 			for (i=0; i<sel->nkeys; i++, key++) {
 				fprintf(f, "\n  match %08x/%08x at %s%d",
--- iproute2-2.6.9/include/linux/pkt_cls.h.orig	2004-11-04 15:42:27.000000000 +0200
+++ iproute2-2.6.9/include/linux/pkt_cls.h	2004-11-05 11:12:22.000000000 +0200
@@ -208,6 +208,7 @@ struct tc_u32_sel
 	unsigned char		flags;
 	unsigned char		offshift;
 	unsigned char		nkeys;
+	__u32			mark;
 
 	__u16			offmask;
 	__u16			off;

[-- Attachment #3: Type: TEXT/PLAIN, Size: 1026 bytes --]

--- linux.orig/net/sched/cls_u32.c	2004-10-19 00:53:45.000000000 +0300
+++ linux/net/sched/cls_u32.c	2004-11-05 12:14:31.000000000 +0200
@@ -27,6 +27,7 @@
  *	JHS: We should remove the CONFIG_NET_CLS_IND from here
  *	eventually when the meta match extension is made available
  *
+ *	nfmark match added by Catalin(ux aka Dino) BOIE <catab at umbrella.ro>
  */
 
 #include <asm/uaccess.h>
@@ -139,6 +140,11 @@ next_knode:
 		n->pf->rcnt +=1;
 		j = 0;
 #endif
+		if ((n->sel.mark > 0) && (n->sel.mark != skb->nfmark)) {
+			n = n->next;
+			goto next_knode;
+		}
+
 		for (i = n->sel.nkeys; i>0; i--, key++) {
 
 			if ((*(u32*)(ptr+key->off+(off2&key->offmask))^key->val)&key->mask) {
--- linux.orig/include/linux/pkt_cls.h	2004-10-19 00:53:07.000000000 +0300
+++ linux/include/linux/pkt_cls.h	2004-11-05 11:00:27.000000000 +0200
@@ -208,6 +208,7 @@ struct tc_u32_sel
 	unsigned char		flags;
 	unsigned char		offshift;
 	unsigned char		nkeys;
+	u32			mark;
 
 	__u16			offmask;
 	__u16			off;

[LARTC] [PATCH] Use nfmark as a key for u32 classifier

[Catalin(ux aka Dino) BOIE]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 757 bytes --]

Hello!

I am glad to announce a patch for u32 to allow matches on nfmark.
The patch is non intrusive (few lines).

Why I did this? Because fw classifier cannot be used together with u32. 
For example, now, you cannot match a mark of 0x90 and a destination 
port of 80. I know you can do it with iptables to do the marking, but if 
you use Jamal actions to apply mark to policed packets, you need this.

All stuff can be found at http://kernel.umbrella.ro/ also.

Dave, please consider adding this patch.

Stephen, if Dave accepts the patch, please apply the iproute2 patch. Thank 
you.

Signed-off-by: Catalin(ux aka Dino) BOIE <catab at umbrella.ro>

Thank you for you time.
---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

[-- Attachment #2: Type: TEXT/PLAIN, Size: 2343 bytes --]

--- iproute2-2.6.9/tc/f_u32.c.orig	2004-11-04 15:38:53.000000000 +0200
+++ iproute2-2.6.9/tc/f_u32.c	2004-11-05 12:23:44.000000000 +0200
@@ -7,6 +7,7 @@
  *		2 of the License, or (at your option) any later version.
  *
  * Authors:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
+ *		Match mark added by Catalin(ux aka Dino) BOIE <catab at umbrella.ro> [5 nov 2004]
  *
  */
 
@@ -33,7 +34,7 @@ static void explain(void)
 	fprintf(stderr, "or         u32 divisor DIVISOR\n");
 	fprintf(stderr, "\n");
 	fprintf(stderr, "Where: SELECTOR := SAMPLE SAMPLE ...\n");
-	fprintf(stderr, "       SAMPLE := { ip | ip6 | udp | tcp | icmp | u{32|16|8} } SAMPLE_ARGS\n");
+	fprintf(stderr, "       SAMPLE := { ip | ip6 | udp | tcp | icmp | u{32|16|8} | mark } SAMPLE_ARGS\n");
 	fprintf(stderr, "       FILTERID := X:Y:Z\n");
 }
 
@@ -590,7 +591,27 @@ done:
 	return res;
 }
 
+static int parse_mark(int *argc_p, char ***argv_p, struct tc_u32_sel *sel)
+{
+	int res = -1;
+	int argc = *argc_p;
+	char **argv = *argv_p;
+
+	if (argc <= 0)
+		return -1;
 
+	if (get_u32(&res, *argv, 0)) {
+		fprintf(stderr, "Illegal \"mark\"\n");
+		return -1;
+	}
+	NEXT_ARG();
+	sel->mark = res;
+	res = 0;
+
+	*argc_p = argc;
+	*argv_p = argv;
+	return res;
+}
 
 static int parse_selector(int *argc_p, char ***argv_p, struct tc_u32_sel *sel)
 {
@@ -641,6 +662,12 @@ static int parse_selector(int *argc_p, c
 		res = parse_icmp(&argc, &argv, sel);
 		goto done;
 	}
+	if (matches(*argv, "mark") == 0) {
+		NEXT_ARG();
+		res = parse_mark(&argc, &argv, sel);
+		goto done;
+	}
+
 	return -1;
 
 done:
@@ -969,6 +996,8 @@ static int u32_print_opt(struct filter_u
 		struct tc_u32_key *key = sel->keys;
 		if (show_stats && NULL != pf)
 			fprintf(f, " (rule hit %llu success %llu)",pf->rcnt,pf->rhit);
+		if (sel->mark)
+			fprintf(f, " mark 0x%x", sel->mark);
 		if (sel->nkeys) {
 			for (i=0; i<sel->nkeys; i++, key++) {
 				fprintf(f, "\n  match %08x/%08x at %s%d",
--- iproute2-2.6.9/include/linux/pkt_cls.h.orig	2004-11-04 15:42:27.000000000 +0200
+++ iproute2-2.6.9/include/linux/pkt_cls.h	2004-11-05 11:12:22.000000000 +0200
@@ -208,6 +208,7 @@ struct tc_u32_sel
 	unsigned char		flags;
 	unsigned char		offshift;
 	unsigned char		nkeys;
+	__u32			mark;
 
 	__u16			offmask;
 	__u16			off;

[-- Attachment #3: Type: TEXT/PLAIN, Size: 1026 bytes --]

--- linux.orig/net/sched/cls_u32.c	2004-10-19 00:53:45.000000000 +0300
+++ linux/net/sched/cls_u32.c	2004-11-05 12:14:31.000000000 +0200
@@ -27,6 +27,7 @@
  *	JHS: We should remove the CONFIG_NET_CLS_IND from here
  *	eventually when the meta match extension is made available
  *
+ *	nfmark match added by Catalin(ux aka Dino) BOIE <catab at umbrella.ro>
  */
 
 #include <asm/uaccess.h>
@@ -139,6 +140,11 @@ next_knode:
 		n->pf->rcnt +=1;
 		j = 0;
 #endif
+		if ((n->sel.mark > 0) && (n->sel.mark != skb->nfmark)) {
+			n = n->next;
+			goto next_knode;
+		}
+
 		for (i = n->sel.nkeys; i>0; i--, key++) {
 
 			if ((*(u32*)(ptr+key->off+(off2&key->offmask))^key->val)&key->mask) {
--- linux.orig/include/linux/pkt_cls.h	2004-10-19 00:53:07.000000000 +0300
+++ linux/include/linux/pkt_cls.h	2004-11-05 11:00:27.000000000 +0200
@@ -208,6 +208,7 @@ struct tc_u32_sel
 	unsigned char		flags;
 	unsigned char		offshift;
 	unsigned char		nkeys;
+	u32			mark;
 
 	__u16			offmask;
 	__u16			off;

Re: [PATCH] Use nfmark as a key for u32 classifier

[jamal]

I think this is an ok midterm solution and should be applied.

One comment Catalin: Can you resend the patch  make this a selectable
choice via kconfig?
Eventually  - we should kill this + the indev choices on u32 and move it
up one so that we can have all filters capable of following filters from
other classifiers. As a matter of fact we already have this feature but
it is a little on the inefficient side at the moment.

cheers,
jamal 

On Fri, 2004-11-05 at 06:38, Catalin(ux aka Dino) BOIE wrote:
> Hello!
> 
> I am glad to announce a patch for u32 to allow matches on nfmark.
> The patch is non intrusive (few lines).
> 
> Why I did this? Because fw classifier cannot be used together with u32. 
> For example, now, you cannot match a mark of 0x90 and a destination 
> port of 80. I know you can do it with iptables to do the marking, but if 
> you use Jamal actions to apply mark to policed packets, you need this.
> 
> All stuff can be found at http://kernel.umbrella.ro/ also.
> 
> Dave, please consider adding this patch.
> 
> Stephen, if Dave accepts the patch, please apply the iproute2 patch. Thank 
> you.
> 
> Signed-off-by: Catalin(ux aka Dino) BOIE <catab at umbrella.ro>
> 
> Thank you for you time.
> ---
> Catalin(ux aka Dino) BOIE
> catab at deuroconsult.ro
> http://kernel.umbrella.ro/

Re: [PATCH] Use nfmark as a key for u32 classifier

[Catalin(ux aka Dino) BOIE]

> I think this is an ok midterm solution and should be applied.
Thanks.

> One comment Catalin: Can you resend the patch  make this a selectable
> choice via kconfig?
Yes, of course.
Also, as a bonus, I will add a mask. Something like this:
tc filter add dev eth0 protocol ip parent 1:0 prio 5 u32 \
 	match mark 0x0090 0xffff \
                           ^^^^^^
 	flowid 1:90

It's ok?

> Eventually  - we should kill this + the indev choices on u32 and move it
> up one so that we can have all filters capable of following filters from
> other classifiers. As a matter of fact we already have this feature but
> it is a little on the inefficient side at the moment.

It will be very good. It will add the missing flexibility.
I'll try to cook up something.

>
> cheers,
> jamal
>
> On Fri, 2004-11-05 at 06:38, Catalin(ux aka Dino) BOIE wrote:
>> Hello!
>>
>> I am glad to announce a patch for u32 to allow matches on nfmark.
>> The patch is non intrusive (few lines).
>>
>> Why I did this? Because fw classifier cannot be used together with u32.
>> For example, now, you cannot match a mark of 0x90 and a destination
>> port of 80. I know you can do it with iptables to do the marking, but if
>> you use Jamal actions to apply mark to policed packets, you need this.
>>
>> All stuff can be found at http://kernel.umbrella.ro/ also.
>>
>> Dave, please consider adding this patch.
>>
>> Stephen, if Dave accepts the patch, please apply the iproute2 patch. Thank
>> you.
>>
>> Signed-off-by: Catalin(ux aka Dino) BOIE <catab at umbrella.ro>
>>
>> Thank you for you time.
>> ---
>> Catalin(ux aka Dino) BOIE
>> catab at deuroconsult.ro
>> http://kernel.umbrella.ro/
>

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

[LARTC] Re: [PATCH] Use nfmark as a key for u32 classifier

[Catalin(ux aka Dino) BOIE]

> I think this is an ok midterm solution and should be applied.
Thanks.

> One comment Catalin: Can you resend the patch  make this a selectable
> choice via kconfig?
Yes, of course.
Also, as a bonus, I will add a mask. Something like this:
tc filter add dev eth0 protocol ip parent 1:0 prio 5 u32 \
 	match mark 0x0090 0xffff \
                           ^^^^^^
 	flowid 1:90

It's ok?

> Eventually  - we should kill this + the indev choices on u32 and move it
> up one so that we can have all filters capable of following filters from
> other classifiers. As a matter of fact we already have this feature but
> it is a little on the inefficient side at the moment.

It will be very good. It will add the missing flexibility.
I'll try to cook up something.

>
> cheers,
> jamal
>
> On Fri, 2004-11-05 at 06:38, Catalin(ux aka Dino) BOIE wrote:
>> Hello!
>>
>> I am glad to announce a patch for u32 to allow matches on nfmark.
>> The patch is non intrusive (few lines).
>>
>> Why I did this? Because fw classifier cannot be used together with u32.
>> For example, now, you cannot match a mark of 0x90 and a destination
>> port of 80. I know you can do it with iptables to do the marking, but if
>> you use Jamal actions to apply mark to policed packets, you need this.
>>
>> All stuff can be found at http://kernel.umbrella.ro/ also.
>>
>> Dave, please consider adding this patch.
>>
>> Stephen, if Dave accepts the patch, please apply the iproute2 patch. Thank
>> you.
>>
>> Signed-off-by: Catalin(ux aka Dino) BOIE <catab at umbrella.ro>
>>
>> Thank you for you time.
>> ---
>> Catalin(ux aka Dino) BOIE
>> catab at deuroconsult.ro
>> http://kernel.umbrella.ro/
>

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [PATCH] Use nfmark as a key for u32 classifier

[Patrick McHardy]

Catalin(ux aka Dino) BOIE wrote:

> Hello!
>
> I am glad to announce a patch for u32 to allow matches on nfmark.
> The patch is non intrusive (few lines).
>
>------------------------------------------------------------------------
>
> 			if ((*(u32*)(ptr+key->off+(off2&key->offmask))^key->val)&key->mask) {
>--- linux.orig/include/linux/pkt_cls.h	2004-10-19 00:53:07.000000000 +0300
>+++ linux/include/linux/pkt_cls.h	2004-11-05 11:00:27.000000000 +0200
>@@ -208,6 +208,7 @@ struct tc_u32_sel
> 	unsigned char		flags;
> 	unsigned char		offshift;
> 	unsigned char		nkeys;
>+	u32			mark;
>  
>
^^ Please put this at the end to avoid breaking compatibility
with old tc binaries. BTW, nfmark if unsigned long, which is
64 bit on 64-bit architectures. Probably not worth fixing though,
everyone else got it wrong too.

> 
> 	__u16			offmask;
> 	__u16			off;
>  
>

Regards
Patrick

[LARTC] Re: [PATCH] Use nfmark as a key for u32 classifier

[Patrick McHardy]

Catalin(ux aka Dino) BOIE wrote:

> Hello!
>
> I am glad to announce a patch for u32 to allow matches on nfmark.
> The patch is non intrusive (few lines).
>
>------------------------------------------------------------------------
>
> 			if ((*(u32*)(ptr+key->off+(off2&key->offmask))^key->val)&key->mask) {
>--- linux.orig/include/linux/pkt_cls.h	2004-10-19 00:53:07.000000000 +0300
>+++ linux/include/linux/pkt_cls.h	2004-11-05 11:00:27.000000000 +0200
>@@ -208,6 +208,7 @@ struct tc_u32_sel
> 	unsigned char		flags;
> 	unsigned char		offshift;
> 	unsigned char		nkeys;
>+	u32			mark;
>  
>
^^ Please put this at the end to avoid breaking compatibility
with old tc binaries. BTW, nfmark if unsigned long, which is
64 bit on 64-bit architectures. Probably not worth fixing though,
everyone else got it wrong too.

> 
> 	__u16			offmask;
> 	__u16			off;
>  
>

Regards
Patrick
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/