Message-ID: <4A36732C.8080903@itcare.pl>
Date: Mon, 15 Jun 2009 18:13:32 +0200
From: Paweł Staszewski <pstaszewski@...are.pl>
To: Jarek Poplawski <jarkao2@...il.com>
CC: Linux Network Development list <netdev@...r.kernel.org>,
Jamal Hadi Salim <hadi@...erus.ca>
Subject: Re: iproute2 action/policer question
Jarek Poplawski writes:
> On 09-06-2009 22:10, Paweł Staszewski wrote:
>
>> Hello
>>
>> I am asking this question here.
>> Does someone here know the proper use of iproute actions/policers?
>> I want to achieve something like this:
>>
>
> Hi,
> I'm not actions/policers expert but here are a few comments.
>
>
>> $TC qdisc del dev eth0 root
>>
>> $TC qdisc add dev eth0 root handle 1: hfsc default 10
>>
>>
>> $TC class add dev eth0 parent 1:0 classid 1:2 hfsc ls m2 1kbit ul m2
>> 10240kbit
>> $TC class add dev eth0 parent 1:0 classid 1:3 hfsc ls m2 1kbit ul m2
>> 10240kbit
>> $TC class add dev eth0 parent 1:0 classid 1:10 hfsc ls m2 1kbit ul m2
>> 10240kbit
>>
>> $TC filter add dev eth0 parent 1: protocol ip prio 2 u32 match ip src
>> 10.0.0.1 flowid 1:2
>> $TC qdisc add dev eth0 parent 1:2 handle 2: sfq perturb 120
>> #$TC filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src
>> 0/0 flowid 1:3
>> $TC qdisc add dev eth0 parent 1:3 handle 3: sfq perturb 120
>>
>>
>> #$TC filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src
>> 0/0 flowid 1:3 action ipt -j MARK --set-mark 0x555 drop
>>
>> $TC filter add dev eth0 parent 1: protocol ip prio 10 u32 \
>> match ip src 0/0 flowid 1:3 \
>> action ipt -j MARK --set-mark 1 \
>> action police rate 1kbit burst 1k drop
>>
>> So I want to MARK the packet using one action, then pass the packet to the
>> next action and drop it if it exceeds 1kbit.
>>
>> This is only a sample, but it is not working.
>>
>
> IMHO something like this should work. (I've checked it with a bit
> higher police rates/burst and htb.) I'm not sure you've properly
> checked the effects, because these stats below could be simply
> not updated etc.
>
>
>> tc -s -d filter show dev eth0
>> filter parent 1: protocol ip pref 2 u32
>> filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
>> filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht
>> 800 bkt 0 flowid 1:2 (rule hit 7913 success 7803)
>> match 5ef6801c/ffffffff at 12 (success 7803 )
>> filter parent 1: protocol ip pref 10 u32
>> filter parent 1: protocol ip pref 10 u32 fh 801: ht divisor 1
>> filter parent 1: protocol ip pref 10 u32 fh 801::800 order 2048 key ht
>> 801 bkt 0 flowid 1:3 (rule hit 110 success 110)
>> match 00000000/00000000 at 12 (success 110 )
>> action order 1: tablename: mangle hook: NF_IP_POST_ROUTING
>> target MARK xset 0x1/0xffffffff
>> index 13 ref 1 bind 1 installed 407 sec used 2 sec
>> Action statistics:
>> Sent 42351 bytes 110 pkt (dropped 0, overlimits 0 requeues 0)
>> rate 0bit 0pps backlog 0b 0p requeues 0
>>
>> action order 2: police 0x4 rate 1000bit burst 1023b mtu 2Kb
>> action drop overhead 0b
>> ref 1 bind 1
>> Action statistics:
>> Sent 42351 bytes 110 pkt (dropped 0, overlimits 32 requeues 0)
>> rate 0bit 0pps backlog 0b 0p requeues 0
>>
>> iptables -L -n -v -t mangle
>>
>
> I don't know exactly the ipt action internals, so I could be wrong,
> but it seems it marks packets as expected, but it could be done out
> of the iptables chain so after these LOGs. Anyway, I managed to use it
> with fw filter to classify according to the mark.
>
>
>> Chain PREROUTING (policy ACCEPT 19M packets, 19G bytes)
>> pkts bytes target prot opt in out source
>> destination
>> 0 0 LOG all -- * * 0.0.0.0/0
>> 0.0.0.0/0 mark match 0x1 LOG flags 0 level 4
>>
>> Chain INPUT (policy ACCEPT 19M packets, 19G bytes)
>> pkts bytes target prot opt in out source
>> destination
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source
>> destination
>> 0 0 LOG all -- * * 0.0.0.0/0
>> 0.0.0.0/0 mark match 0x1 LOG flags 0 level 4
>>
>> Chain OUTPUT (policy ACCEPT 11M packets, 17G bytes)
>> pkts bytes target prot opt in out source
>> destination
>>
>> Chain POSTROUTING (policy ACCEPT 11M packets, 17G bytes)
>> pkts bytes target prot opt in out source
>> destination
>> 0 0 LOG all -- * * 0.0.0.0/0
>> 0.0.0.0/0 mark match 0x1 LOG flags 0 level 4
>>
>>
>>
>>
>>
>>
>> Also, is there someone who knows which actions from iptables can be used
>> in iproute2?
>>
>
> According to iproute2/doc/actions/actions_general mangle targets
> should work; and you could also try (if it doesn't work then probably
> it can't be used...;-)
>
> But... I'm neither able to configure/compile it with the current
> iproute2/iptables, nor test it with distro's builds (Debian testing).
> After some checking I found iproute2 needs updating, because iptables
> changes API (xtables.h) virtually with every new version, so I don't
> even blame the ipt author or distro maintainer.
>
>
>> because a command like this is not working:
>> tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src
>> 0/0 flowid 1:3 action ipt -j LOG
>> failed to find target LOG
>>
>> bad action parsing
>> parse_action: bad value (3:ipt)!
>> Illegal "action"
>>
>>
>> iptables -t mangle -A FORWARD -j LOG
>> is working.
>> lsmod
>> Module Size Used by
>> ipt_LOG 4696 3
>> act_ipt 3776 1
>> ifb 3444 0
>> act_mirred 3328 0
>>
>>
>>
>> What is the clue to this?
>> So I want to make a filter rule at the end of some traffic management
>> based on iproute2 (this filter rule will be like a default class, so it
>> catches all unclassified traffic and LOGs or MARKs this traffic, and I can
>> know that somewhere in my net there is an unclassified IP address.)
>> Because in normal operation, if you use only iproute2, you have a default
>> class and you don't know what is going to this default class - this is
>> hard if you use hfsc because of the default class that is always active and
>> matches all traffic from the interface that the root is attached to.
>>
>
> I guess, after studying these iproute2 docs examples you should be
> able to do such tricks eg. with mirred and other actions even without
> ipt. Or you could ask authors for more docs...
>
>
Yes. I know that I can make a mirred redirect action to some dummy
interface and then I can log on this device using the iptables "LOG" target
(and this is working for me now), but I was thinking about something
simpler/faster and without specially copying packets to a dummy or ifb device.
> Cheers,
> Jarek P.
>
> PS: the tc classifier maintainer added to Cc.
>
>
>
Regards
Paweł Staszewski
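Added example, not code from the thread: the reply cautions that the pasted `tc -s -d filter show` counters may not reflect what the actions actually did. A small parser for that output makes the per-action statistics easy to check in a script. The sample below is the output pasted earlier in the thread, re-joined onto single lines where the mail client wrapped them; the "needs verification" rule (a police action whose overlimits counter moved while its dropped counter stayed at zero) is an assumption that follows the reply's caveat, not a statement of what act_police guarantees.

```python
"""Parse `tc -s -d filter show` output and summarise per-action statistics."""
import re
from dataclasses import dataclass, field

# Constructed sample: the filter dump from the thread, wrapped lines re-joined.
SAMPLE_TC_OUTPUT = """\
filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:2 (rule hit 7913 success 7803)
  match 5ef6801c/ffffffff at 12 (success 7803 )
filter parent 1: protocol ip pref 10 u32
filter parent 1: protocol ip pref 10 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 10 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:3 (rule hit 110 success 110)
  match 00000000/00000000 at 12 (success 110 )
        action order 1: tablename: mangle hook: NF_IP_POST_ROUTING
        target MARK xset 0x1/0xffffffff
        index 13 ref 1 bind 1 installed 407 sec used 2 sec
        Action statistics:
        Sent 42351 bytes 110 pkt (dropped 0, overlimits 0 requeues 0)
        rate 0bit 0pps backlog 0b 0p requeues 0

        action order 2: police 0x4 rate 1000bit burst 1023b mtu 2Kb
        action drop overhead 0b
        ref 1 bind 1
        Action statistics:
        Sent 42351 bytes 110 pkt (dropped 0, overlimits 32 requeues 0)
        rate 0bit 0pps backlog 0b 0p requeues 0
"""


@dataclass
class ActionStats:
    order: int
    kind: str            # "ipt" for the iptables target action, "police", "mirred", ...
    sent_bytes: int = 0
    sent_pkts: int = 0
    dropped: int = 0
    overlimits: int = 0


@dataclass
class FilterRule:
    pref: int
    flowid: str
    rule_hit: int
    rule_success: int
    actions: list = field(default_factory=list)


# The "fh 8xx::800 order ..." line carries the flowid and the hit/success counters.
RULE_RE = re.compile(
    r"pref (\d+) u32 fh \S+ order \d+ .*flowid (\S+) \(rule hit (\d+) success (\d+)\)")
# "action order N: tablename:" is how the ipt action prints; other actions print their name.
ACTION_RE = re.compile(r"action order (\d+): (\S+)")
SENT_RE = re.compile(
    r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+) requeues \d+\)")


def parse_tc_filter_show(text):
    """Return the list of FilterRule objects found in a `tc -s -d filter show` dump."""
    rules = []
    action = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.search(line)
        if m:
            rules.append(FilterRule(int(m.group(1)), m.group(2),
                                    int(m.group(3)), int(m.group(4))))
            action = None
            continue
        m = ACTION_RE.match(line)
        if m and rules:
            kind = m.group(2).rstrip(":")
            kind = "ipt" if kind == "tablename" else kind
            action = ActionStats(int(m.group(1)), kind)
            rules[-1].actions.append(action)
            continue
        m = SENT_RE.match(line)
        if m and action is not None:
            (action.sent_bytes, action.sent_pkts,
             action.dropped, action.overlimits) = map(int, m.groups())
    return rules


def suspicious_policers(rules):
    """(pref, action order) of police actions that hit overlimits but counted no drops.

    Assumption (follows the reply's caveat, not a kernel guarantee): such counters
    are worth re-checking with a live traffic test rather than trusted as proof
    that the policer is, or is not, dropping anything."""
    return [(r.pref, a.order)
            for r in rules for a in r.actions
            if a.kind == "police" and a.overlimits > 0 and a.dropped == 0]


if __name__ == "__main__":
    parsed = parse_tc_filter_show(SAMPLE_TC_OUTPUT)
    for r in parsed:
        print(f"pref {r.pref} -> {r.flowid}: hit {r.rule_hit} success {r.rule_success}")
        for a in r.actions:
            print(f"  action {a.order} {a.kind}: {a.sent_pkts} pkt, "
                  f"dropped {a.dropped}, overlimits {a.overlimits}")
    print("policers to verify:", suspicious_policers(parsed))
```

On a live box the dump can be fed in with `subprocess.run(["tc", "-s", "-d", "filter", "show", "dev", "eth0"], capture_output=True, text=True).stdout`; a second dump after sending a known volume of traffic through the default class shows whether the counters move at all, which is the check the reply suggests.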