Open Source and information security mailing list archives
Date: Thu, 16 Jun 2011 23:21:45 +0300
From: Doru Petrescu <pdoru@...x.ro>
To: Stephen Hemminger <shemminger@...tta.com>
Cc: ierdnah@...il.com, linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: tc match MAC destination - nothing matches on protocol 802_3

On Thu, 2011-06-16 at 08:51 -0700, Stephen Hemminger wrote:
> On Thu, 16 Jun 2011 10:56:52 +0300
> Doru Theodor Petrescu <pdoru.kernel@...x.ro> wrote:
>
> > I updated my scripts to use the 'tc filter ... match ether src/dst'
> > syntax. It really makes reading the script easier. Thanks for the tip!
> >
> > However, the problem persists. I changed the rule to match ANY packet of
> > type 802_3 and redirect it to ifb1, but nothing arrives on ifb1.
> >
> > I tried to redirect ARP packets using a 'protocol arp' filter and it works
> > perfectly as expected.
> >
> > So at this point the problem is no longer 'how to match ethernet header'
> > but rather 'how to match a packet of type 802_3'. My feeling is that
> > there is a bug somewhere in the kernel where the 'protocol 802_3' matching
> > happens.
> >
> > I attach part of the script I use to generate the filters and classes. I
> > removed everything related to HTB and IP packets because there is no
> > problem there. In case the formatting is lost, you can download it from
> > here: http://evox.ro/kernel_netdev_tc_protocol_802.3/
> >
> > Thx for any help,
> > Doru Theodor Petrescu
> > CTO, Evox Solutions SRL
> > http://evox.ro/
> >
> >
> > for DEV in bond0.2199 bond1.2199 bond0.3000 bond1.3001 ; do
> >
> >     tc qdisc del dev $DEV root
> >
> >     tc qdisc add dev $DEV root handle 1: htb default 2
> >     tc class add dev $DEV parent 1: classid 1:1 htb rate 930000kbit ceil 930000kbit quantum 1600
> >
> >     tc filter add dev $DEV parent 1: prio 5 protocol ip u32
> >     # ==> 800:
> >
> >     tc filter add dev $DEV parent 1: prio 1 protocol 0x0806 u32
> >     # ==> 801: protocol ARP
> >     tc filter add dev $DEV parent 1: prio 1 handle 801:0:7 protocol 0x0806 u32 match u32 0 0 flowid 1:3
> >
> >     tc filter add dev $DEV parent 1: prio 2 protocol 802_3 u32
> >     # ==> 802:
> >
> >     tc filter add dev $DEV parent 1: prio 6 protocol ip u32
> >     # ==> 803:
> >
> >
> >     tc filter replace dev $DEV parent 1: prio 2 handle 802:0:3 protocol 802_3 u32 match u16 0 0 at 0 flowid 1:3 action mirred egress mirror dev ifb1
> >     tc filter replace dev $DEV parent 1: prio 2 handle 802:0:9 protocol 802_3 u32 match ether src 01:00:0c:cc:cc:cd flowid 1:3 action mirred egress mirror dev ifb1
> >     tc filter replace dev $DEV parent 1: prio 2 handle 802:0:10 protocol 802_3 u32 match ether dst 01:00:0c:cc:cc:cd flowid 1:3 action mirred egress mirror dev ifb1
> >
> > done
> >
> >
> > # the 802_3 packet filter:
> > #
> > # 802:0:3 should match ANY packet of type 802_3 and mirror it to ifb1
> > # 802:0:9 and 802:0:10 should match any packet with src/dst 01:00:0c:cc:cc:cd and mirror it to ifb1
> > #
> > # however NOTHING is going to ifb1, try 'tcpdump -nltve -i ifb1'
> > # at the same time 'tcpdump -nltve -i bond1.2199 ether host 0100.0ccc.cccd' will show about one packet every second
> > #
> >
> >
> > # at the same time the ARP filter works. You can mirror all ARP traffic to IFB1 like this:
> > # tc filter replace dev $DEV parent 1: prio 1 handle 801:0:7 protocol 0x0806 u32 match u32 0 0 flowid 1:3 action mirred egress mirror dev ifb1
>
> I think you want 802_2 to match STP frames. 802_3 is a dummy value
> for the old Novell IPX encapsulation

Well, this is what tcpdump will print:

00:1d:45:d7:19:7a > 01:00:0c:cc:cc:cd, 802.3, length 64: LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid Unknown (0x010b): Unnumbered, ui, Flags [Command], length 50

It thinks it's 802.3, so this is why I used 802_3.

I just tried your advice and created a filter with protocol 802_2 and guess what ... IT WORKS !!!

So, don't use 'protocol 802.3', use 'protocol 802.2' in tc filters!

Thanks everybody!
D.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
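Added example, not code from the thread or from iproute2: a Python model of how the kernel's eth_type_trans() (net/ethernet/eth.c) picks skb->protocol for a received Ethernet frame, which is the value a tc filter's 'protocol' keyword is compared against. It explains the outcome above: tcpdump labels the Cisco frame "802.3" because its type/length field is a length, but the kernel only uses ETH_P_802_3 for raw Novell frames whose first two payload bytes are 0xFFFF; everything else with a length field, LLC and SNAP included, becomes ETH_P_802_2. The sample frames are constructed here from the tcpdump line in the thread (they are not captures), and the helper names are this example's own.

```python
"""Model of eth_type_trans() protocol selection and the matching tc keyword.

Added example; not from the mailing-list thread, the kernel, or iproute2.
"""
import struct

ETH_HLEN = 14
ETH_P_802_3_MIN = 0x0600   # type/length values below 1536 are 802.3 lengths
ETH_P_802_3 = 0x0001       # "dummy" value: raw Novell 802.3 (LLC bytes 0xFFFF)
ETH_P_802_2 = 0x0004       # 802.2 LLC frames, SNAP included
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806

# Names from iproute2's ethertypes table, i.e. what 'tc filter ... protocol' accepts.
TC_PROTOCOL_NAME = {ETH_P_802_3: "802_3", ETH_P_802_2: "802_2",
                    ETH_P_IP: "ip", ETH_P_ARP: "arp"}


def eth_type_trans(frame: bytes) -> int:
    """Return what the kernel would store in skb->protocol (host byte order).

    A type/length field >= 1536 is an EtherType and is used as-is.  Otherwise
    the frame is IEEE 802.3 and the first two payload bytes decide: 0xFFFF is
    raw Novell IPX (ETH_P_802_3), anything else is an LLC header (ETH_P_802_2).
    """
    if len(frame) < ETH_HLEN + 2:
        raise ValueError("runt frame")
    type_or_len = struct.unpack_from("!H", frame, 12)[0]
    if type_or_len >= ETH_P_802_3_MIN:
        return type_or_len
    if frame[ETH_HLEN:ETH_HLEN + 2] == b"\xff\xff":
        return ETH_P_802_3
    return ETH_P_802_2


def tc_protocol_for(frame: bytes) -> str:
    """The 'protocol' keyword a tc filter needs in order to see this frame."""
    proto = eth_type_trans(frame)
    return TC_PROTOCOL_NAME.get(proto, f"0x{proto:04x}")


def llc_snap_summary(frame: bytes) -> dict:
    """Decode the LLC header, plus the SNAP extension when dsap/ssap are 0xAA:
    the same fields tcpdump printed in the thread."""
    if eth_type_trans(frame) != ETH_P_802_2:
        raise ValueError("not an 802.2 frame")
    dsap, ssap, ctrl = frame[ETH_HLEN], frame[ETH_HLEN + 1], frame[ETH_HLEN + 2]
    info = {"dsap": dsap, "ssap": ssap, "ctrl": ctrl}
    if dsap == 0xAA and ssap == 0xAA:
        info["oui"] = int.from_bytes(frame[ETH_HLEN + 3:ETH_HLEN + 6], "big")
        info["pid"] = struct.unpack_from("!H", frame, ETH_HLEN + 6)[0]
    return info


def tc_mirror_filter(dev: str, frame: bytes, ether_dst: str = None,
                     target: str = "ifb1", prio: int = 2, flowid: str = "1:3") -> str:
    """Build a tc filter line (syntax as used in the thread) that mirrors frames
    classified like `frame` to `target`, choosing the protocol keyword from the
    frame itself instead of from tcpdump's '802.3' label."""
    match = f"match ether dst {ether_dst}" if ether_dst else "match u32 0 0"
    return (f"tc filter add dev {dev} parent 1: prio {prio} "
            f"protocol {tc_protocol_for(frame)} u32 {match} "
            f"flowid {flowid} action mirred egress mirror dev {target}")


def _frame(dst: str, src: str, type_or_len: int, payload: bytes) -> bytes:
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", type_or_len) + payload


# Constructed sample frames (not captures).  The first follows the tcpdump line
# in the thread: 802.3 length 50, LLC SNAP (aa aa 03), OUI 00:00:0c, pid 0x010b.
CISCO_LLC_SNAP_FRAME = _frame("01:00:0c:cc:cc:cd", "00:1d:45:d7:19:7a", 50,
                              bytes.fromhex("aaaa03" "00000c" "010b").ljust(50, b"\x00"))
# Raw Novell 802.3: length field, then the IPX checksum 0xFFFF where LLC would be.
RAW_IPX_FRAME = _frame("ff:ff:ff:ff:ff:ff", "00:1d:45:d7:19:7a", 46,
                       b"\xff\xff" + b"\x00" * 44)
# Ethernet II ARP request (hardware 1, proto 0x0800, hlen 6, plen 4, opcode 1).
ARP_FRAME = _frame("ff:ff:ff:ff:ff:ff", "00:1d:45:d7:19:7a", ETH_P_ARP,
                   bytes.fromhex("0001080006040001") + b"\x00" * 20)

if __name__ == "__main__":
    for name, f in [("cisco", CISCO_LLC_SNAP_FRAME), ("ipx", RAW_IPX_FRAME), ("arp", ARP_FRAME)]:
        print(f"{name}: skb->protocol=0x{eth_type_trans(f):04x} -> protocol {tc_protocol_for(f)}")
    print(llc_snap_summary(CISCO_LLC_SNAP_FRAME))
    print(tc_mirror_filter("bond1.2199", CISCO_LLC_SNAP_FRAME, "01:00:0c:cc:cc:cd"))
```

The practical check this encodes: before writing a 'protocol' keyword into a tc filter, decide it from what the kernel will put in skb->protocol, not from the encapsulation name a sniffer prints. A frame with a length field gets 802_2 unless its LLC bytes are 0xFFFF, so 'protocol 802_3' matches only raw Novell traffic, exactly as Stephen Hemminger said.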