* [LARTC] u32 classifier
@ 2003-07-14 12:11 Andreani Luca
2007-06-02 9:19 ` terraja-based
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Andreani Luca @ 2003-07-14 12:11 UTC (permalink / raw)
To: lartc
Dear list,
I have some problems with the u32 classifier. I use a board based on the Motorola
MPC8245 processor (ppc based). I noticed that when the u32_classify function
(in /net/sched/cls_u32.c) is called, it returns an error. Doing some
printk-based debugging I found that the critical point in the code is the
following:

    #if !defined(__i386__) && !defined(__mc68000__)
            if ((unsigned long)ptr & 3)
                    return -1;
    #endif

The problem is that when I have a packet to be forwarded the classification
fails at this point (return -1, default class). This is not the case when
the packet is generated locally. The question is: what is the meaning of
this code, and what happens if this check is removed on architectures other than
i386 and mc68000?
Thanks in advance,
Luca Andreani.
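The alignment guard quoted in this message, reproduced in user space as an added example (not kernel code and not part of the original post): match_guarded refuses any header address that is not a multiple of 4, while match_unaligned reads the same word through memcpy and works at any address. The u32_key struct, the function names and the sample header are constructed for illustration; offset 14 stands for an IP header that follows an unpadded 14-byte Ethernet header, which is an assumption about how a forwarded packet could end up misaligned.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical key, modeled on a u32 selector: (word ^ val) & mask == 0 at byte offset off. */
struct u32_key { uint32_t mask, val; int off; };

/* Guarded match: same test as the quoted snippet, then a direct 32-bit load.
 * Returns 1 on match, 0 on no match, -1 when the header is misaligned. */
int match_guarded(const unsigned char *ptr, const struct u32_key *k)
{
    if ((unsigned long)ptr & 3)
        return -1;
    return ((*(const uint32_t *)(ptr + k->off) ^ k->val) & k->mask) == 0;
}

/* Alignment-safe match: copy the word out bytewise, so any header address works. */
int match_unaligned(const unsigned char *ptr, const struct u32_key *k)
{
    uint32_t word;
    memcpy(&word, ptr + k->off, sizeof word);
    return ((word ^ k->val) & k->mask) == 0;
}

/* 4-byte-aligned buffer standing in for a receive buffer. */
static union { uint32_t w[16]; unsigned char b[64]; } buf;

/* Constructed sample: minimal IPv4 header, source 192.168.1.10, placed at buf + shift. */
const unsigned char *put_header(int shift)
{
    static const unsigned char hdr[20] = {
        0x45, 0, 0, 20,  0, 0, 0, 0,  64, 6, 0, 0,
        192, 168, 1, 10,  10, 0, 0, 1 };
    memset(buf.b, 0, sizeof buf.b);
    memcpy(buf.b + shift, hdr, sizeof hdr);
    return buf.b + shift;
}

/* Match "ip src 192.168.1.10" against a header `shift` bytes into the buffer. */
int classify(int shift, int guarded)
{
    struct u32_key src = { htonl(0xffffffff), htonl(0xc0a8010a), 12 };
    const unsigned char *ip = put_header(shift);
    return guarded ? match_guarded(ip, &src) : match_unaligned(ip, &src);
}

int main(void)
{
    /* shift 0: aligned header; shift 14: header behind an unpadded Ethernet header */
    return !(classify(0, 1) == 1 && classify(14, 1) == -1 && classify(14, 0) == 1);
}
```

With the guard, the misaligned case never reaches the key comparison, so a filter that would have matched falls through to the default class.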
* [LARTC] u32 classifier
From: terraja-based @ 2007-06-02 9:19 UTC (permalink / raw)
To: lartc
Hi folks...!!!
I've a problem that I have not solved.
I want to limit the DOWNLOAD to my hosts (upstream traffic for the firewall)
using IMQ.
If I classify by PORT (source or destination) all seems to be fine,
but...BUT...if I want to restrict by IP address (internal IP address) I
can't do it, because my hosts go to the Internet toward the firewall using NAT,
so after NAT my IP address on the Internet is not my internal address, because
the NAT action changes my source and internal IP address.
So...so...so...how can I limit the traffic by IP address using TC, IMQ,
U32..etc...?????
Can I modify some field in the TCP header with a u32 filter? I did read the
TCP RFC and nothing, I can't guess how to solve it...
Please, HELPPPPPPP ME...!!!
--
terraja-based
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] u32 classifier
From: Afshin Tajvidi @ 2007-06-02 10:31 UTC (permalink / raw)
To: lartc
Hi
Maybe you have to review your IMQ behavior and choose
CONFIG_IMQ_BEHAVIOR_AA or CONFIG_IMQ_BEHAVIOR_AB during the kernel
compilation (and not CONFIG_IMQ_BEHAVIOR_BA or CONFIG_IMQ_BEHAVIOR_BB)
Regards
Afshin
On Sat, 2007-06-02 at 06:19 -0300, terraja-based wrote:
> Hi folks...!!!
>
>
> I've a problem that I have not solved.
> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
> firewall) using IMQ.
>
> If I classify by PORT (source or destination) all seems to be fine,
> but...BUT...if I want to restrict by IP address (internal IP address)
> I can't do it, because my hosts go to the Internet toward the firewall
> using NAT, so after NAT my IP address on the Internet is not my internal
> address, because the NAT action changes my source and internal IP
> address.
>
> So...so...so...how can I limit the traffic by IP address using TC,
> IMQ, U32..etc...?????
>
> Can I modify some field in the TCP header with a u32 filter? I did read
> the TCP RFC and nothing, I can't guess how to solve it...
> Please, HELPPPPPPP ME...!!!
>
>
> --
> terraja-based
--
Afshin Tajvidi
IT Technical Architect
* Re: [LARTC] u32 classifier
From: VladSun @ 2007-06-02 11:46 UTC (permalink / raw)
To: lartc
terraja-based wrote:
> Hi folks...!!!
> I've a problem that I have not solved.
> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
> firewall) using IMQ.
> If I classify by PORT (source or destination) all seems to be fine,
> but...BUT...if I want to restrict by IP address (internal IP address)
> I can't do it, because my hosts go to the Internet toward the firewall
> using NAT, so after NAT my IP address on the Internet is not my internal
> address, because the NAT action changes my source and internal IP
> address.
> So...so...so...how can I limit the traffic by IP address using TC,
> IMQ, U32..etc...?????
> Can I modify some field in the TCP header with a u32 filter? I did read
> the TCP RFC and nothing, I can't guess how to solve it...
> Please, HELPPPPPPP ME...!!!
>
>
> --
> terraja-based
Use iptables MARK, and TC fw.
* Re: [LARTC] u32 classifier
From: Catalin Bucur @ 2007-06-06 13:19 UTC (permalink / raw)
To: lartc
VladSun wrote:
> terraja-based wrote:
>> Hi folks...!!!
>> I've a problem that I have not solved.
>> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
>> firewall) using IMQ.
>> If I classify by PORT (source or destination) all seems to be fine,
>> but...BUT...if I want to restrict by IP address (internal IP address)
>> I can't do it, because my hosts go to the Internet toward the firewall
>> using NAT, so after NAT my IP address on the Internet is not my internal
>> address, because the NAT action changes my source and internal IP
>> address.
>> So...so...so...how can I limit the traffic by IP address using TC,
>> IMQ, U32..etc...?????
>> Can I modify some field in the TCP header with a u32 filter? I did read
>> the TCP RFC and nothing, I can't guess how to solve it...
>>
> Use iptables MARK, and TC fw.
SCENARIO
====
tc utility, iproute2-ss061214
kernel 2.6.20-1.2952.fc6
Mark packets:
#iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1
Shape marked packets with tc fw:
#tc class add dev eth1 parent 11:1 classid 11:2 htb rate 10Mbit ceil 90Mbit prio 6
#tc qdisc add dev eth1 parent 11:2 sfq quantum 1500 perturb 5
#tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2
Result in iptables seems ok:
Chain OUTPUT (policy ACCEPT 8054768 packets, 8122202853 bytes)
    pkts      bytes target  prot opt in  out   source     destination
 3827080 4103809298 MARK    all  --  *   eth1  0.0.0.0/0  0.0.0.0/0    MARK set 0x1
Result in tc:
filter parent 11: protocol ip pref 49152 fw
filter parent 11: protocol ip pref 49152 fw handle 0x1 classid 11:2
So there are no matches in this filter, the other filters work fine (for
example: rule hit 5846685 success 5846685). The class is empty too:
class htb 11:2 parent 11:1 leaf 8003: prio 6 rate 10000Kbit ceil 90000Kbit burst 2850b cburst 12847b
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
What could be the problem?
Cheers,
--
Catalin Bucur mailto:cata@geniusnet.ro
NOC @ Genius Network SRL - Galati - Romania
* Re: [LARTC] u32 classifier
From: VladSun @ 2007-06-06 13:50 UTC (permalink / raw)
To: lartc
Catalin Bucur wrote:
> VladSun wrote:
>
>> terraja-based wrote:
>>
>>> Hi folks...!!!
>>> I've a problem that I have not solved.
>>> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
>>> firewall) using IMQ.
>>> If I classify by PORT (source or destination) all seems to be fine,
>>> but...BUT...if I want to restrict by IP address (internal IP address)
>>> I can't do it, because my hosts go to the Internet toward the firewall
>>> using NAT, so after NAT my IP address on the Internet is not my internal
>>> address, because the NAT action changes my source and internal IP
>>> address.
>>> So...so...so...how can I limit the traffic by IP address using TC,
>>> IMQ, U32..etc...?????
>>> Can I modify some field in the TCP header with a u32 filter? I did read
>>> the TCP RFC and nothing, I can't guess how to solve it...
>>>
>>>
>> Use iptables MARK, and TC fw.
>>
>
> SCENARIO
> ====
>
> tc utility, iproute2-ss061214
> kernel 2.6.20-1.2952.fc6
>
> Mark packets:
> #iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1
>
> Shape marked packets with tc fw:
> #tc class add dev eth1 parent 11:1 classid 11:2 htb rate 10Mbit ceil 90Mbit prio 6
> #tc qdisc add dev eth1 parent 11:2 sfq quantum 1500 perturb 5
> #tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2
>
> Result in iptables seems ok:
> Chain OUTPUT (policy ACCEPT 8054768 packets, 8122202853 bytes)
>     pkts      bytes target  prot opt in  out   source     destination
>  3827080 4103809298 MARK    all  --  *   eth1  0.0.0.0/0  0.0.0.0/0    MARK set 0x1
>
> Result in tc:
> filter parent 11: protocol ip pref 49152 fw
> filter parent 11: protocol ip pref 49152 fw handle 0x1 classid 11:2
>
> So there are no matches in this filter, the other filters work fine (for
> example: rule hit 5846685 success 5846685). The class is empty too:
> class htb 11:2 parent 11:1 leaf 8003: prio 6 rate 10000Kbit ceil 90000Kbit burst 2850b cburst 12847b
> Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> rate 0bit 0pps backlog 0b 0p requeues 0
>
> What could be the problem?
>
>
> Cheers,
>
11:1 is not your root class, right?
If so, try to apply the filter to root class - i.e. something like
tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw classid 11:2
* Re: [LARTC] u32 classifier
From: Catalin Bucur @ 2007-06-06 14:00 UTC (permalink / raw)
To: lartc
VladSun wrote:
> 11:1 is not your root class, right?
>
> If so, try to apply the filter to root class - i.e. something like
>
> tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw classid 11:2
11:0 is my root class, and the line is (as I write below):
#tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2
--
Catalin Bucur mailto:cata@geniusnet.ro
NOC @ Genius Network SRL - Galati - Romania