Date:	Mon, 15 Jun 2009 18:13:32 +0200
From:	Paweł Staszewski <pstaszewski@...are.pl>
To:	Jarek Poplawski <jarkao2@...il.com>
CC:	Linux Network Development list <netdev@...r.kernel.org>,
	Jamal Hadi Salim <hadi@...erus.ca>
Subject: Re: iproute2 action/policer question

Jarek Poplawski wrote:
> On 09-06-2009 22:10, Paweł Staszewski wrote:
>   
>> Hello
>>
>> I am asking this question here.
>> Does someone here know the proper use of iproute actions/policers?
>> I want to achieve something like this:
>>     
>
> Hi,
> I'm not actions/policers expert but here are a few comments.
>
>   
>> $TC qdisc del dev eth0 root
>>
>> $TC qdisc add dev eth0 root handle 1: hfsc default 10
>>
>>
>> $TC class add dev eth0 parent 1:0 classid 1:2 hfsc ls m2 1kbit ul m2 10240kbit
>> $TC class add dev eth0 parent 1:0 classid 1:3 hfsc ls m2 1kbit ul m2 10240kbit
>> $TC class add dev eth0 parent 1:0 classid 1:10 hfsc ls m2 1kbit ul m2 10240kbit
>>
>> $TC filter add dev eth0 parent 1: protocol ip prio 2 u32 match ip src 10.0.0.1 flowid 1:2
>> $TC qdisc add dev eth0 parent 1:2 handle 2: sfq perturb 120
>> #$TC filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 0/0 flowid 1:3
>> $TC qdisc add dev eth0 parent 1:3 handle 3: sfq perturb 120
>>
>>
>> #$TC filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 0/0 flowid 1:3 action ipt -j MARK --set-mark 0x555 drop
>>
>> $TC filter add dev eth0 parent 1: protocol ip prio 10 u32 \
>>   match ip src 0/0 flowid 1:3 \
>>   action ipt -j MARK --set-mark 1 \
>>   action police rate 1kbit burst 1k drop
>>
>> So I want to MARK the packet by use of an action, then pass the packet to the
>> next action and drop it if it exceeds 1kbit.
>>
>> This is only a sample, but it is not working.
>>     
>
> IMHO something like this should work. (I've checked it with a bit
> higher police rates/burst and htb.) I'm not sure you've properly
> checked the effects, because these stats below could be simply
> not updated etc.
>
>   
>> tc -s -d filter show dev eth0
>> filter parent 1: protocol ip pref 2 u32
>> filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
>> filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:2  (rule hit 7913 success 7803)
>>   match 5ef6801c/ffffffff at 12 (success 7803 )
>> filter parent 1: protocol ip pref 10 u32
>> filter parent 1: protocol ip pref 10 u32 fh 801: ht divisor 1
>> filter parent 1: protocol ip pref 10 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:3  (rule hit 110 success 110)
>>   match 00000000/00000000 at 12 (success 110 )
>>         action order 1: tablename: mangle  hook: NF_IP_POST_ROUTING
>>         target MARK xset 0x1/0xffffffff
>>         index 13 ref 1 bind 1 installed 407 sec used 2 sec
>>         Action statistics:
>>         Sent 42351 bytes 110 pkt (dropped 0, overlimits 0 requeues 0)
>>         rate 0bit 0pps backlog 0b 0p requeues 0
>>
>>         action order 2:  police 0x4 rate 1000bit burst 1023b mtu 2Kb action drop overhead 0b
>> ref 1 bind 1
>>         Action statistics:
>>         Sent 42351 bytes 110 pkt (dropped 0, overlimits 32 requeues 0)
>>         rate 0bit 0pps backlog 0b 0p requeues 0
>>
>> iptables -L -n -v -t mangle
>>     
>
> I don't know exactly the ipt action internals, so I could be wrong,
> but it seems it marks packets as expected, but it could be done out
> of the iptables chain so after these LOGs. Anyway, I managed to use it
> with fw filter to classify according to the mark.
>
>   
>> Chain PREROUTING (policy ACCEPT 19M packets, 19G bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x1 LOG flags 0 level 4
>>
>> Chain INPUT (policy ACCEPT 19M packets, 19G bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x1 LOG flags 0 level 4
>>
>> Chain OUTPUT (policy ACCEPT 11M packets, 17G bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain POSTROUTING (policy ACCEPT 11M packets, 17G bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x1 LOG flags 0 level 4
>>
>> Also, is there someone who knows which targets from iptables can be used in iproute2?
>>     
>
> According to iproute2/doc/actions/actions_general mangle targets
> should work; and you could also try (if it doesn't work then probably
> it can't be used...;-)
>
> But... I'm neither able to configure/compile it with the current
> iproute2/iptables, nor test it with distro's builds (Debian testing).
> After some checking I found iproute2 needs updating, because iptables
> changes API (xtables.h) virtually with every new version, so I don't
> even blame the ipt author or distro maintainer.
>
>   
>> because a command like this is not working:
>> tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 0/0 flowid 1:3 action ipt -j LOG
>>  failed to find target LOG
>>
>> bad action parsing
>> parse_action: bad value (3:ipt)!
>> Illegal "action"
>>
>>
>> iptables -t mangle -A FORWARD -j LOG
>> is working.
>> lsmod
>> Module                  Size  Used by
>> ipt_LOG                 4696  3
>> act_ipt                 3776  1
>> ifb                     3444  0
>> act_mirred              3328  0
>>
>>
>>
>> What is the clue to this?
>> So I want to make a filter rule at the end of some traffic management
>> based on iproute2 (this filter rule will be like the default class, so it
>> catches all unclassified traffic and LOGs or MARKs this traffic, and I can
>> know that somewhere in my net there is an unclassified IP address).
>> Because in normal operation, if you use only iproute2, you have a default
>> class and you don't know what is going to this default class; this is
>> hard if you use hfsc because of the default class, which is always active and
>> matches all traffic from the interface that the root is attached to.
>>     
>
> I guess, after studying these iproute2 docs examples you should be
> able to do such tricks eg. with mirred and other actions even without
> ipt. Or you could ask authors for more docs...
>
>   
Yes. I know that I can make a mirred redirect action to some dummy 
interface and then I can log on this device using the iptables "LOG" target 
(and this is working for me now), but I was thinking about something 
simpler/faster and without specially copying packets to a dummy or ifb device.



> Cheers,
> Jarek P.
>
> PS: the tc classifier maintainer added to Cc.
>
>
>   


Regards
Paweł Staszewski
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
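An added check, written for this page and not code from either poster or from iproute2, for two things the exchange turns on. First, reading the policer's counters out of `tc -s -d filter show` so you can tell whether the drop policy fired at all: in the act_police of the 2.6 kernels of that era, a packet over the configured rate bumps the action's overlimits counter and is handed to the exceed verdict (drop in the rule above), so the "overlimits 32" in the quoted output is the figure to look at, not "dropped 0". Second, looking for the iptables userspace extension that `action ipt -j TARGET` needs: iproute2's ipt action resolves the target by dlopen()ing the iptables plugin from its compiled-in library directory, which is a likely reason "failed to find target LOG" appears while ipt_LOG is loaded in the kernel and iptables itself can use LOG. The sample tc output is the pref 10 filter quoted above with its wrapped lines joined; the directory list and the libipt_/libxt_ file naming are assumptions about the installed iptables build, not something the thread states.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from iproute2.
#  police_stats        - pull the first police action's counters out of
#                        `tc -s -d filter show` output
#  police_fired        - has the policer handed any packet to its exceed action?
#  find_ipt_target_lib - locate the iptables userspace extension that
#                        `tc ... action ipt -j TARGET` has to dlopen();
#                        a loaded kernel module (ipt_LOG) is not enough

# Constructed sample: the pref 10 filter from the `tc -s -d filter show dev eth0`
# output quoted in the thread, with the wrapped lines joined.
SAMPLE_TC_OUTPUT='filter parent 1: protocol ip pref 10 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:3  (rule hit 110 success 110)
  match 00000000/00000000 at 12 (success 110 )
        action order 1: tablename: mangle  hook: NF_IP_POST_ROUTING
        target MARK xset 0x1/0xffffffff
        index 13 ref 1 bind 1 installed 407 sec used 2 sec
        Action statistics:
        Sent 42351 bytes 110 pkt (dropped 0, overlimits 0 requeues 0)
        rate 0bit 0pps backlog 0b 0p requeues 0

        action order 2:  police 0x4 rate 1000bit burst 1023b mtu 2Kb action drop overhead 0b
ref 1 bind 1
        Action statistics:
        Sent 42351 bytes 110 pkt (dropped 0, overlimits 32 requeues 0)
        rate 0bit 0pps backlog 0b 0p requeues 0'

# Print "<pkt> <dropped> <overlimits>" for the first police action found.
# Usage: police_stats "$(tc -s -d filter show dev eth0)"
police_stats() {
    printf '%s\n' "$1" | awk '
        /action order [0-9]+: *police/ { in_police = 1; next }
        /action order [0-9]+:/          { in_police = 0 }
        in_police && /^ *Sent [0-9]+ bytes/ {
            # Sent 42351 bytes 110 pkt (dropped 0, overlimits 32 requeues 0)
            dropped = $7; sub(/,$/, "", dropped)
            print $4, dropped, $9
            exit
        }'
}

# Exit status 0 when the policer has counted at least one over-rate packet,
# i.e. the exceed action (drop, in the rule from the thread) has been applied.
police_fired() {
    set -- $(police_stats "$1")
    [ "${3:-0}" -gt 0 ]
}

# Look for the userspace plugin for TARGET.  IPT_LIB_DIRS may be overridden;
# the default directories and the libipt_/libxt_ naming are assumptions about
# the installed iptables version, not facts from the thread.
find_ipt_target_lib() {
    target=$1
    for dir in ${IPT_LIB_DIRS:-/lib/iptables /usr/lib/iptables /lib/xtables /usr/lib/xtables}; do
        for lib in "$dir/libipt_$target.so" "$dir/libxt_$target.so"; do
            if [ -f "$lib" ]; then
                printf '%s\n' "$lib"
                return 0
            fi
        done
    done
    return 1
}

# Stand-alone demo on the constructed sample.
police_stats "$SAMPLE_TC_OUTPUT"          # 110 0 32
if police_fired "$SAMPLE_TC_OUTPUT"; then
    echo "policer exceed action has fired"
fi
find_ipt_target_lib LOG || echo "no userspace extension for LOG in ${IPT_LIB_DIRS:-the default dirs}"
```

On a live box, feed `police_stats` the output of `tc -s -d filter show dev eth0` twice a few seconds apart while the catch-all class is carrying traffic; if overlimits does not move between the two readings, the policer is not seeing the packets you think it is, which is the check Jarek asks for above.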