[LARTC] Marking packets by mac addr using tc filter u32 match?

[LARTC] Marking packets by mac addr using tc filter u32 match?

[Juan Pizarro]

Hi
Is there a way of marking packets by mac address instead of ip or ports 
using a "tc filter u32 match"?
I read somewhere that I could use the offset -8 and -14 to grab the mac 
addresses but if I use anything lower than -8, for example -9, I get an 
error.
I'm modifying the wondershaper script to cap the download speed by mac 
address.

Any sugestions?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

[gypsy]

Juan Pizarro wrote:
> 
> Hi
> Is there a way of marking packets by mac address instead of ip or ports
> using a "tc filter u32 match"?
> I read somewhere that I could use the offset -8 and -14 to grab the mac
> addresses but if I use anything lower than -8, for example -9, I get an
> error.
> I'm modifying the wondershaper script to cap the download speed by mac
> address.
> 
> Any sugestions?

These work for me.  Kernel 2.4.31, iproute2 2.6.10.
INGRESS:
tc filter add dev eth1 parent 1: protocol ip prio 5 u32 match u16 0x0800
0xffff at -2 match u16 0x4455 0xffff at -4 match u32 0x00112233
0xffffffff at -8 flowid 1:40

EGRESS:
tc filter add dev eth1 parent 1: protocol ip prio 5 u32 match u16 0x0800
0xffff at -2 match u32 0x22334455 0xffffffff at -12 match u16 0x0011
0xffff at -14 flowid 1:40
--
gypsy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

[brick]

i don t know how to use tc for selecting the traffic by mac.
but i think i have a workaround sollution.
i made a htb script that limits the dwl by ip.
every ip can only work with a mac address. this i acommplised using 
iptables.
here s a rule to get you started.
iptables -A FORWARD -i eth1 -o eth0 -s xxx.xxx.xxx.xxx/32 -d 0.0.0.0/32\ 
--match mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT.
of course everythig elese is droped.
gl

On Fri, 9 Dec 2005, Juan Pizarro wrote:

> Hi
> Is there a way of marking packets by mac address instead of ip or ports using 
> a "tc filter u32 match"?
> I read somewhere that I could use the offset -8 and -14 to grab the mac 
> addresses but if I use anything lower than -8, for example -9, I get an 
> error.
> I'm modifying the wondershaper script to cap the download speed by mac 
> address.
>
> Any sugestions?
>
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today - it's FREE! 
> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

[Lee Sanders]

You haven't done a search on past posts...

the u32 can be used to match any bit in the ip header. Before the ip header, 
there is a frame header. In that frame header you can find the src and dst 
mac address. You can trick the u32 filter in using the frame header if you 
use negative offsets.

Decimal Offset  Description
-14:    DST MAC, 6 bytes
-8:     SRC MAC, 6 bytes
-2:     Eth PROTO, 2 bytes, eg. ETH_P_IP
0:      Protocol header (IP Header)

Where PPPP is the Eth Proto Code (from linux/include/linux/if_ether.h): 
ETH_P_IP= IP = match u16 0x0800
Where your MAC = M0M1M2M3M4M5

Egress (match Dst MAC):
... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF at -12 match 
u16 0xM0M1 0xFFFF at -14

Ingress (match Src MAC):
... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 
0xM0M1M2M3 0xFFFFFFFF at -8

The below is simplistic but it works to demonstrate the above.

tc qdisc add dev ppp0 root handle 1:0 htb default 20
tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit

tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit

tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10

# My Laptop
tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 
0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  0xFFFFFFFF 
at -8 flowid 1:10
# My Desktop
tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 
0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  0xFFFFFFFF 
at -8 flowid 1:20
# change the MAC's of course.

tc -s -d class show dev ppp0
tc -s -d qdisc show dev ppp0
tc -s -d filter show dev ppp0

There you have it.

:L
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

[Kristiadi Himawan]

It's also match to this kind of traffic ?

17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17


Lee Sanders wrote:

>You haven't done a search on past posts...
>
>the u32 can be used to match any bit in the ip header. Before the ip header, 
>there is a frame header. In that frame header you can find the src and dst 
>mac address. You can trick the u32 filter in using the frame header if you 
>use negative offsets.
>
>Decimal Offset  Description
>-14:    DST MAC, 6 bytes
>-8:     SRC MAC, 6 bytes
>-2:     Eth PROTO, 2 bytes, eg. ETH_P_IP
>0:      Protocol header (IP Header)
>
>Where PPPP is the Eth Proto Code (from linux/include/linux/if_ether.h): 
>ETH_P_IP= IP = match u16 0x0800
>Where your MAC = M0M1M2M3M4M5
>
>Egress (match Dst MAC):
>... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF at -12 match 
>u16 0xM0M1 0xFFFF at -14
>
>Ingress (match Src MAC):
>... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 
>0xM0M1M2M3 0xFFFFFFFF at -8
>
>The below is simplistic but it works to demonstrate the above.
>
>tc qdisc add dev ppp0 root handle 1:0 htb default 20
>tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
>
>tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
>tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit
>
>tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
>tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10
>
># My Laptop
>tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 
>0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  0xFFFFFFFF 
>at -8 flowid 1:10
># My Desktop
>tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 
>0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  0xFFFFFFFF 
>at -8 flowid 1:20
># change the MAC's of course.
>
>tc -s -d class show dev ppp0
>tc -s -d qdisc show dev ppp0
>tc -s -d filter show dev ppp0
>
>There you have it.
>
>:L
>_______________________________________________
>LARTC mailing list
>LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>  
>


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

[gypsy]

Kristiadi Himawan wrote:
> 
> It's also match to this kind of traffic ?
> 
> 17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
> 17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
> 17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
> 17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17

No.  The 'match u16 0x0800 0xffff' says to ignore ARP.

> Lee Sanders wrote:
> 
> >You haven't done a search on past posts...
> >
> >the u32 can be used to match any bit in the ip header. Before the ip header,
> >there is a frame header. In that frame header you can find the src and dst
> >mac address. You can trick the u32 filter in using the frame header if you
> >use negative offsets.
> >
> >Decimal Offset  Description
> >-14:    DST MAC, 6 bytes
> >-8:     SRC MAC, 6 bytes
> >-2:     Eth PROTO, 2 bytes, eg. ETH_P_IP
> >0:      Protocol header (IP Header)
> >
> >Where PPPP is the Eth Proto Code (from linux/include/linux/if_ether.h):
> >ETH_P_IP= IP = match u16 0x0800
> >Where your MAC = M0M1M2M3M4M5
> >
> >Egress (match Dst MAC):
> >... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF at -12 match
> >u16 0xM0M1 0xFFFF at -14
> >
> >Ingress (match Src MAC):
> >... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32
> >0xM0M1M2M3 0xFFFFFFFF at -8
> >
> >The below is simplistic but it works to demonstrate the above.
> >
> >tc qdisc add dev ppp0 root handle 1:0 htb default 20
> >tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
> >
> >tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
> >tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit
> >
> >tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
> >tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10
> >
> ># My Laptop
> >tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800
> >0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  0xFFFFFFFF
> >at -8 flowid 1:10
> ># My Desktop
> >tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800
> >0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  0xFFFFFFFF
> >at -8 flowid 1:20
> ># change the MAC's of course.
> >
> >tc -s -d class show dev ppp0
> >tc -s -d qdisc show dev ppp0
> >tc -s -d filter show dev ppp0
> >
> >There you have it.
> >
> >:L
> >_______________________________________________
> >LARTC mailing list
> >LARTC@mailman.ds9a.nl
> >http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
> >
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

[Kristiadi Himawan]

it's should be 0x0806 0xffff ?
or you have the example how to catch that kind of traffic

gypsy wrote:

>Kristiadi Himawan wrote:
>  
>
>>It's also match to this kind of traffic ?
>>
>>17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
>>17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
>>17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
>>17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
>>    
>>
>
>No.  The 'match u16 0x0800 0xffff' says to ignore ARP.
>
>  
>
>>Lee Sanders wrote:
>>
>>    
>>
>>>You haven't done a search on past posts...
>>>
>>>the u32 can be used to match any bit in the ip header. Before the ip header,
>>>there is a frame header. In that frame header you can find the src and dst
>>>mac address. You can trick the u32 filter in using the frame header if you
>>>use negative offsets.
>>>
>>>Decimal Offset  Description
>>>-14:    DST MAC, 6 bytes
>>>-8:     SRC MAC, 6 bytes
>>>-2:     Eth PROTO, 2 bytes, eg. ETH_P_IP
>>>0:      Protocol header (IP Header)
>>>
>>>Where PPPP is the Eth Proto Code (from linux/include/linux/if_ether.h):
>>>ETH_P_IP= IP = match u16 0x0800
>>>Where your MAC = M0M1M2M3M4M5
>>>
>>>Egress (match Dst MAC):
>>>... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF at -12 match
>>>u16 0xM0M1 0xFFFF at -14
>>>
>>>Ingress (match Src MAC):
>>>... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32
>>>0xM0M1M2M3 0xFFFFFFFF at -8
>>>
>>>The below is simplistic but it works to demonstrate the above.
>>>
>>>tc qdisc add dev ppp0 root handle 1:0 htb default 20
>>>tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
>>>
>>>tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
>>>tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit
>>>
>>>tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
>>>tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10
>>>
>>># My Laptop
>>>tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800
>>>0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  0xFFFFFFFF
>>>at -8 flowid 1:10
>>># My Desktop
>>>tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800
>>>0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  0xFFFFFFFF
>>>at -8 flowid 1:20
>>># change the MAC's of course.
>>>
>>>tc -s -d class show dev ppp0
>>>tc -s -d qdisc show dev ppp0
>>>tc -s -d filter show dev ppp0
>>>
>>>There you have it.
>>>
>>>:L
>>>_______________________________________________
>>>LARTC mailing list
>>>LARTC@mailman.ds9a.nl
>>>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>
>>>
>>>      
>>>
>>_______________________________________________
>>LARTC mailing list
>>LARTC@mailman.ds9a.nl
>>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>    
>>


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

[Michael Davidson]

Hi,
    Forgive me if I point out the obvious.  Remember that ARP isn't an 
IP protocol  it's a peer protocol to IP. In the tc filters shown below 
the protocol is IP and the negative offset works on a IP packet but I 
suspect that an ARP packet isn't accessible with this technique. If I 
ubstitute IP for ARP in the filter statement it isn't accepted.

Regards Mike D.

Kristiadi Himawan wrote:

>
> it's should be 0x0806 0xffff ?
> or you have the example how to catch that kind of traffic
>
> gypsy wrote:
>
>> Kristiadi Himawan wrote:
>>  
>>
>>> It's also match to this kind of traffic ?
>>>
>>> 17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
>>> 17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
>>> 17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
>>> 17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
>>>   
>>
>>
>> No.  The 'match u16 0x0800 0xffff' says to ignore ARP.
>>
>>  
>>
>>> Lee Sanders wrote:
>>>
>>>   
>>>
>>>> You haven't done a search on past posts...
>>>>
>>>> the u32 can be used to match any bit in the ip header. Before the 
>>>> ip header,
>>>> there is a frame header. In that frame header you can find the src 
>>>> and dst
>>>> mac address. You can trick the u32 filter in using the frame header 
>>>> if you
>>>> use negative offsets.
>>>>
>>>> Decimal Offset  Description
>>>> -14:    DST MAC, 6 bytes
>>>> -8:     SRC MAC, 6 bytes
>>>> -2:     Eth PROTO, 2 bytes, eg. ETH_P_IP
>>>> 0:      Protocol header (IP Header)
>>>>
>>>> Where PPPP is the Eth Proto Code (from 
>>>> linux/include/linux/if_ether.h):
>>>> ETH_P_IP= IP = match u16 0x0800
>>>> Where your MAC = M0M1M2M3M4M5
>>>>
>>>> Egress (match Dst MAC):
>>>> ... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF 
>>>> at -12 match
>>>> u16 0xM0M1 0xFFFF at -14
>>>>
>>>> Ingress (match Src MAC):
>>>> ... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 
>>>> match u32
>>>> 0xM0M1M2M3 0xFFFFFFFF at -8
>>>>
>>>> The below is simplistic but it works to demonstrate the above.
>>>>
>>>> tc qdisc add dev ppp0 root handle 1:0 htb default 20
>>>> tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 
>>>> 128kbit
>>>>
>>>> tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 
>>>> 128kbit
>>>> tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 
>>>> 128kbit
>>>>
>>>> tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
>>>> tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10
>>>>
>>>> # My Laptop
>>>> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 
>>>> 0x0800
>>>> 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  
>>>> 0xFFFFFFFF
>>>> at -8 flowid 1:10
>>>> # My Desktop
>>>> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 
>>>> 0x0800
>>>> 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  
>>>> 0xFFFFFFFF
>>>> at -8 flowid 1:20
>>>> # change the MAC's of course.
>>>>
>>>> tc -s -d class show dev ppp0
>>>> tc -s -d qdisc show dev ppp0
>>>> tc -s -d filter show dev ppp0
>>>>
>>>> There you have it.
>>>>
>>>> :L
>>>> _______________________________________________
>>>> LARTC mailing list
>>>> LARTC@mailman.ds9a.nl
>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>>
>>>>
>>>>     
>>>
>>> _______________________________________________
>>> LARTC mailing list
>>> LARTC@mailman.ds9a.nl
>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>   
>>
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

-- 

 Regards Mike.

 Michael Davidson
 Barone Budge & Dominick
 Email: michael@bbd.co.za
 Office: +27 11 532 8380
 BB&D :  +27 11 532 8300
 Fax:    +27 11 532 8400
 Mobile: +27 82 650 5707
 Home:   +27 11 452 4423	

 This e-mail is confidential and subject to the disclaimer published at
 http://www.bbd.co.za


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

[Kristiadi Himawan]

So is there a technique to filter this kind of ARP traffic ? 

17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17

Anyone can help?


Michael Davidson wrote:

> Hi,
>    Forgive me if I point out the obvious.  Remember that ARP isn't an 
> IP protocol  it's a peer protocol to IP. In the tc filters shown below 
> the protocol is IP and the negative offset works on a IP packet but I 
> suspect that an ARP packet isn't accessible with this technique. If I 
> ubstitute IP for ARP in the filter statement it isn't accepted.
>
> Regards Mike D.
>
> Kristiadi Himawan wrote:
>
>>
>> it's should be 0x0806 0xffff ?
>> or you have the example how to catch that kind of traffic
>>
>> gypsy wrote:
>>
>>> Kristiadi Himawan wrote:
>>>  
>>>
>>>> It's also match to this kind of traffic ?
>>>>
>>>> 17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
>>>> 17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
>>>> 17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
>>>> 17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
>>>>   
>>>
>>>
>>>
>>> No.  The 'match u16 0x0800 0xffff' says to ignore ARP.
>>>
>>>  
>>>
>>>> Lee Sanders wrote:
>>>>
>>>>  
>>>>
>>>>> You haven't done a search on past posts...
>>>>>
>>>>> the u32 can be used to match any bit in the ip header. Before the 
>>>>> ip header,
>>>>> there is a frame header. In that frame header you can find the src 
>>>>> and dst
>>>>> mac address. You can trick the u32 filter in using the frame 
>>>>> header if you
>>>>> use negative offsets.
>>>>>
>>>>> Decimal Offset  Description
>>>>> -14:    DST MAC, 6 bytes
>>>>> -8:     SRC MAC, 6 bytes
>>>>> -2:     Eth PROTO, 2 bytes, eg. ETH_P_IP
>>>>> 0:      Protocol header (IP Header)
>>>>>
>>>>> Where PPPP is the Eth Proto Code (from 
>>>>> linux/include/linux/if_ether.h):
>>>>> ETH_P_IP= IP = match u16 0x0800
>>>>> Where your MAC = M0M1M2M3M4M5
>>>>>
>>>>> Egress (match Dst MAC):
>>>>> ... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF 
>>>>> at -12 match
>>>>> u16 0xM0M1 0xFFFF at -14
>>>>>
>>>>> Ingress (match Src MAC):
>>>>> ... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 
>>>>> match u32
>>>>> 0xM0M1M2M3 0xFFFFFFFF at -8
>>>>>
>>>>> The below is simplistic but it works to demonstrate the above.
>>>>>
>>>>> tc qdisc add dev ppp0 root handle 1:0 htb default 20
>>>>> tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 
>>>>> 128kbit
>>>>>
>>>>> tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 
>>>>> 128kbit
>>>>> tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 
>>>>> 128kbit
>>>>>
>>>>> tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
>>>>> tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10
>>>>>
>>>>> # My Laptop
>>>>> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 
>>>>> 0x0800
>>>>> 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  
>>>>> 0xFFFFFFFF
>>>>> at -8 flowid 1:10
>>>>> # My Desktop
>>>>> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 
>>>>> 0x0800
>>>>> 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  
>>>>> 0xFFFFFFFF
>>>>> at -8 flowid 1:20
>>>>> # change the MAC's of course.
>>>>>
>>>>> tc -s -d class show dev ppp0
>>>>> tc -s -d qdisc show dev ppp0
>>>>> tc -s -d filter show dev ppp0
>>>>>
>>>>> There you have it.
>>>>>
>>>>> :L
>>>>> _______________________________________________
>>>>> LARTC mailing list
>>>>> LARTC@mailman.ds9a.nl
>>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>>>
>>>>>
>>>>>     
>>>>
>>>>
>>>> _______________________________________________
>>>> LARTC mailing list
>>>> LARTC@mailman.ds9a.nl
>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>>   
>>>
>>>
>>
>>
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

[gypsy]

Kristiadi Himawan wrote:
> 
> So is there a technique to filter this kind of ARP traffic ?
> 
> 17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
> 17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
> 17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
> 17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
> 
> Anyone can help?

This works for me:
http://duron/lartc/arp.html

> # Example that matches ARP (a big "thank you" to Martin Brown for this!):
> # the ARP protocol is 2 bytes at -2
> # the "0806" comes from linux/include/linux/if_ether.h
> tc filter add dev $DEV parent 1: protocol ip prio 5 u32 \
>    match u16 0x0806 0xffff at -2 flowid 1:50

--
gypsy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

[gypsy]

Kristiadi Himawan wrote:
> 
> Hi, i cannot access that page. Could you send it for me :)

http://yesican.chsoft.biz/lartc/arp.html

http://yesican.chsoft.biz/lartc/mac.html
http://yesican.chsoft.biz/lartc/index.html

(duron is my local copy)
--
gypsy
 
> gypsy wrote:
> 
> >Kristiadi Himawan wrote:
> >
> >
> >>So is there a technique to filter this kind of ARP traffic ?
> >>
> >>17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
> >>17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
> >>17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
> >>17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
> >>
> >>Anyone can help?
> >>
> >>
> >
> >This works for me:
> >http://duron/lartc/arp.html
> >
> >
> >
> >># Example that matches ARP (a big "thank you" to Martin Brown for this!):
> >># the ARP protocol is 2 bytes at -2
> >># the "0806" comes from linux/include/linux/if_ether.h
> >>tc filter add dev $DEV parent 1: protocol ip prio 5 u32 \
> >>   match u16 0x0806 0xffff at -2 flowid 1:50
> >>
> >>
> >
> >--
> >gypsy
> >
> >
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc