* [LARTC] u32 classifier
@ 2003-07-14 12:11 Andreani Luca
  2007-06-02  9:19 ` terraja-based
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: Andreani Luca @ 2003-07-14 12:11 UTC (permalink / raw)
  To: lartc

Dear list,

I have some problems with u32 classifier. I use a board based on Motorola
MPC8245 processor (ppc based). I noticed that when the u32_classify function
(in /net/sched/cls_u32.c) is called, it returns an error. Making some
printk-based debug I found that the critical point in the code is the
following:

#if !defined(__i386__) && !defined(__mc68000__)
	if ((unsigned long)ptr & 3)
		return -1;
#endif

The problem is that when I have a packet to be forwarded the classification
fails at this point (return -1, default class). This is not the case when
the packet is generated locally. The question is: what is the meaning of
this code, what happens if this check is removed in architectures other than
i386 and mc68000?

Thanks in advance,

Luca Andreani.
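
An added illustration of the check quoted in the message above (not code from the kernel or from the poster): a user-space model of a 32-bit key match that applies the same `ptr & 3` guard to a constructed frame. `demo_key`, `wire32`, `classify`, `run_case` and the buffer layout are assumptions made for the example, and the load uses `memcpy` so the model itself never performs an unaligned access.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical key modelled on a u32 selector: match the 32-bit word at byte
 * offset `off` from the network header; val/mask are in packet byte order. */
struct demo_key { uint32_t val, mask; size_t off; };

static uint32_t wire32(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    uint8_t bytes[4] = { a, b, c, d };
    uint32_t w;
    memcpy(&w, bytes, sizeof w);   /* keep the bytes exactly as on the wire */
    return w;
}

/* strict != 0 applies the guard from the quoted snippet on every architecture.
 * Returns 1 on match, 0 on no match, -1 when the guard rejects the packet. */
int classify(const uint8_t *ptr, const struct demo_key *k, int strict)
{
    uint32_t word;
    if (strict && ((uintptr_t)ptr & 3))
        return -1;                 /* network header not 4-byte aligned */
    memcpy(&word, ptr + k->off, sizeof word);  /* alignment-safe load */
    return ((word ^ k->val) & k->mask) ? 0 : 1;
}

/* Constructed sample: 14-byte Ethernet header + 20-byte IPv4 header whose
 * destination is 192.0.2.10, placed `headroom` bytes into an aligned buffer. */
int run_case(size_t headroom, int strict)
{
    static uint32_t storage[10];   /* uint32_t array: base is 4-byte aligned */
    uint8_t *frame = (uint8_t *)storage + headroom;
    uint8_t *nh = frame + 14;      /* start of the IPv4 header */
    struct demo_key k = { wire32(192, 0, 2, 10), wire32(255, 255, 255, 255), 16 };

    memset(storage, 0, sizeof storage);
    frame[12] = 0x08; frame[13] = 0x00;        /* EtherType IPv4 */
    nh[0] = 0x45;                              /* version 4, IHL 5 */
    nh[16] = 192; nh[17] = 0; nh[18] = 2; nh[19] = 10;  /* destination */
    return classify(nh, &k, strict);
}

int main(void)
{
    /* headroom 0: header at offset 14, guard fires; headroom 2: offset 16 */
    return !(run_case(0, 1) == -1 && run_case(2, 1) == 1 && run_case(0, 0) == 1);
}
```

With no headroom the IPv4 header sits 14 bytes into the aligned buffer and the guard returns -1 before any key is compared; with 2 bytes of headroom the same packet matches.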

* [LARTC] u32 classifier
  2003-07-14 12:11 [LARTC] u32 classifier Andreani Luca
@ 2007-06-02  9:19 ` terraja-based
  2007-06-02 10:31 ` Afshin Tajvidi
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: terraja-based @ 2007-06-02  9:19 UTC (permalink / raw)
  To: lartc


Hi folks...!!!


I've a problem that I did not solve.
I want to limit the DOWNLOAD to my hosts (upstream traffic for the firewall)
using IMQ,

If I classify by PORT (source or destination) all seems to be fine,
but...BUT...if I want to restrict by IP address (internal IP address) I
can't do it, because my hosts go to Internet toward the firewall using NAT,
so after NAT my IP address in Internet is not my internal address, because
the NAT action changes my source and internal IP address.

So...so...so...how can I limit the traffic by IP address using TC, IMQ,
U32..etc...?????

Can I modify some field in the TCP header with u32 filter? I did read the
TCP RFC and nothing, I can't guess how to solve it...
Please, HELPPPPPPP ME...!!!


-- 
terraja-based

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

* Re: [LARTC] u32 classifier
  2003-07-14 12:11 [LARTC] u32 classifier Andreani Luca
  2007-06-02  9:19 ` terraja-based
@ 2007-06-02 10:31 ` Afshin Tajvidi
  2007-06-02 11:46 ` VladSun
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Afshin Tajvidi @ 2007-06-02 10:31 UTC (permalink / raw)
  To: lartc

Hi

Maybe you have to review your IMQ behavior and choose
CONFIG_IMQ_BEHAVIOR_AA or CONFIG_IMQ_BEHAVIOR_AB during the kernel
compilation (and not CONFIG_IMQ_BEHAVIOR_BA or CONFIG_IMQ_BEHAVIOR_BB)

Regards
Afshin

On Sat, 2007-06-02 at 06:19 -0300, terraja-based wrote:
> Hi folks...!!!
>  
>  
> I've a problem that I did not solve.
> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
> firewall) using IMQ,
>
> If I classify by PORT (source or destination) all seems to be fine,
> but...BUT...if I want to restrict by IP address (internal IP address)
> I can't do it, because my hosts go to Internet toward the firewall
> using NAT, so after NAT my IP address in Internet is not my internal
> address, because the NAT action changes my source and internal IP
> address.
>
> So...so...so...how can I limit the traffic by IP address using TC,
> IMQ, U32..etc...?????
>
> Can I modify some field in the TCP header with u32 filter? I did read
> the TCP RFC and nothing, I can't guess how to solve it...
> Please, HELPPPPPPP ME...!!!
> 
> 
> -- 
> terraja-based 
-- 
Afshin Tajvidi
IT Technical Architect

* Re: [LARTC] u32 classifier
  2003-07-14 12:11 [LARTC] u32 classifier Andreani Luca
  2007-06-02  9:19 ` terraja-based
  2007-06-02 10:31 ` Afshin Tajvidi
@ 2007-06-02 11:46 ` VladSun
  2007-06-06 13:19 ` Catalin Bucur
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: VladSun @ 2007-06-02 11:46 UTC (permalink / raw)
  To: lartc

terraja-based wrote:
> Hi folks...!!!
> I've a problem that I did not solve.
> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
> firewall) using IMQ,
> If I classify by PORT (source or destination) all seems to be fine,
> but...BUT...if I want to restrict by IP address (internal IP address)
> I can't do it, because my hosts go to Internet toward the firewall
> using NAT, so after NAT my IP address in Internet is not my internal
> address, because the NAT action changes my source and internal IP
> address.
> So...so...so...how can I limit the traffic by IP address using TC,
> IMQ, U32..etc...?????
> Can I modify some field in the TCP header with u32 filter? I did read
> the TCP RFC and nothing, I can't guess how to solve it...
> Please, HELPPPPPPP ME...!!!
>
>
> -- 
> terraja-based
>   
Use iptables MARK, and TC fw.

* Re: [LARTC] u32 classifier
  2003-07-14 12:11 [LARTC] u32 classifier Andreani Luca
                   ` (2 preceding siblings ...)
  2007-06-02 11:46 ` VladSun
@ 2007-06-06 13:19 ` Catalin Bucur
  2007-06-06 13:50 ` VladSun
  2007-06-06 14:00 ` Catalin Bucur
  5 siblings, 0 replies; 7+ messages in thread
From: Catalin Bucur @ 2007-06-06 13:19 UTC (permalink / raw)
  To: lartc

VladSun wrote:
> terraja-based wrote:
>> Hi folks...!!!
>> I've a problem that I did not solve.
>> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
>> firewall) using IMQ,
>> If I classify by PORT (source or destination) all seems to be fine,
>> but...BUT...if I want to restrict by IP address (internal IP address)
>> I can't do it, because my hosts go to Internet toward the firewall
>> using NAT, so after NAT my IP address in Internet is not my internal
>> address, because the NAT action changes my source and internal IP
>> address.
>> So...so...so...how can I limit the traffic by IP address using TC,
>> IMQ, U32..etc...?????
>> Can I modify some field in the TCP header with u32 filter? I did read
>> the TCP RFC and nothing, I can't guess how to solve it...
>>   
> Use iptables MARK, and TC fw.

SCENARIO
====

tc utility, iproute2-ss061214
kernel 2.6.20-1.2952.fc6

Mark packets:
#iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1

Shape marked packets with tc fw:
#tc class add dev eth1 parent 11:1 classid 11:2 htb rate 10Mbit ceil 90Mbit prio 6
#tc qdisc add dev eth1 parent 11:2 sfq quantum 1500 perturb 5
#tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2

Result in iptables seems ok:
Chain OUTPUT (policy ACCEPT 8054768 packets, 8122202853 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 3827080 4103809298 MARK       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK set 0x1

Result in tc:
filter parent 11: protocol ip pref 49152 fw
filter parent 11: protocol ip pref 49152 fw handle 0x1 classid 11:2

So there are no matches in this filter, the other filters work fine (for
example: rule hit 5846685 success 5846685). The class is empty too:
class htb 11:2 parent 11:1 leaf 8003: prio 6 rate 10000Kbit ceil 90000Kbit burst 2850b cburst 12847b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

What could be the problem?


Cheers,
-- 
Catalin Bucur      mailto:cata@geniusnet.ro
NOC @ Genius Network SRL - Galati - Romania

* Re: [LARTC] u32 classifier
  2003-07-14 12:11 [LARTC] u32 classifier Andreani Luca
                   ` (3 preceding siblings ...)
  2007-06-06 13:19 ` Catalin Bucur
@ 2007-06-06 13:50 ` VladSun
  2007-06-06 14:00 ` Catalin Bucur
  5 siblings, 0 replies; 7+ messages in thread
From: VladSun @ 2007-06-06 13:50 UTC (permalink / raw)
  To: lartc

Catalin Bucur wrote:
> VladSun wrote:
>
>> terraja-based wrote:
>>
>>> Hi folks...!!!
>>> I've a problem that I did not solve.
>>> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
>>> firewall) using IMQ,
>>> If I classify by PORT (source or destination) all seems to be fine,
>>> but...BUT...if I want to restrict by IP address (internal IP address)
>>> I can't do it, because my hosts go to Internet toward the firewall
>>> using NAT, so after NAT my IP address in Internet is not my internal
>>> address, because the NAT action changes my source and internal IP
>>> address.
>>> So...so...so...how can I limit the traffic by IP address using TC,
>>> IMQ, U32..etc...?????
>>> Can I modify some field in the TCP header with u32 filter? I did read
>>> the TCP RFC and nothing, I can't guess how to solve it...
>>>   
>>>       
>> Use iptables MARK, and TC fw.
>>     
>
> SCENARIO
> ====
>
> tc utility, iproute2-ss061214
> kernel 2.6.20-1.2952.fc6
>
> Mark packets:
> #iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1
>
> Shape marked packets with tc fw:
> #tc class add dev eth1 parent 11:1 classid 11:2 htb rate 10Mbit ceil 90Mbit prio 6
> #tc qdisc add dev eth1 parent 11:2 sfq quantum 1500 perturb 5
> #tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2
>
> Result in iptables seems ok:
> Chain OUTPUT (policy ACCEPT 8054768 packets, 8122202853 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>  3827080 4103809298 MARK       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK set 0x1
>
> Result in tc:
> filter parent 11: protocol ip pref 49152 fw
> filter parent 11: protocol ip pref 49152 fw handle 0x1 classid 11:2
>
> So there are no matches in this filter, the other filters work fine (for
> example: rule hit 5846685 success 5846685). The class is empty too:
> class htb 11:2 parent 11:1 leaf 8003: prio 6 rate 10000Kbit ceil 90000Kbit burst 2850b cburst 12847b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>
> What could be the problem?
>
>
> Cheers,
>   
11:1 is not your root class, right?

If so, try to apply the filter to root class - i.e. something like

tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw classid 11:2



* Re: [LARTC] u32 classifier
  2003-07-14 12:11 [LARTC] u32 classifier Andreani Luca
                   ` (4 preceding siblings ...)
  2007-06-06 13:50 ` VladSun
@ 2007-06-06 14:00 ` Catalin Bucur
  5 siblings, 0 replies; 7+ messages in thread
From: Catalin Bucur @ 2007-06-06 14:00 UTC (permalink / raw)
  To: lartc

VladSun wrote:
> 11:1 is not your root class, right?
> 
> If so, try to apply the filter to root class - i.e. something like
> 
> tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw classid 11:2

11:0 is my root class, and the line is (as I write below):
#tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2

-- 
Catalin Bucur      mailto:cata@geniusnet.ro
NOC @ Genius Network SRL - Galati - Romania