| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAE_-sd=Hfdhx1o8LmBB8eWanjLQEWe7UZ=SkqBP2wtJdDfvdzQ@mail.gmail.com> Date: Sun, 30 Aug 2020 17:57:46 +0300 From: Denis Gubin <denis.gubin@...il.com> To: netdev@...r.kernel.org Subject: tc filter create hash table and filter rule Good day! I want to understand how tc fitler works. Could you please give me some advice for it? I want to add and delete fitler rule by full handle but I can't do it. I need some article where I can read about tc utility. For instance I want create one filter rule and then delete it. The commands as follows: tc filter add dev eno5 parent ffff: pref 45000 handle 555:0:1 protocol all u32 match u8 0 0 action mirred egress mirror dev lo I get an error: Error: cls_u32: Handle specified hash table address mismatch. Ok. For started I'll create hash table with number 555 tc filter add dev eno5 parent ffff: pref 45000 protocol ip handle 555: u32 divisor 1 I don't get an error. Then I show output tc -s -d filter show dev eno5 parent ffff: filter protocol ip pref 45000 u32 chain 0 filter protocol ip pref 45000 u32 chain 0 fh 555: ht divisor 1 filter protocol ip pref 45000 u32 chain 0 fh 827: ht divisor 1 My question: Why do I see the third string "filter protocol ip pref 45000 u32 chain 0 fh 827: ht divisor 1" ? I think I should see only two strings, should I ? filter protocol ip pref 45000 u32 chain 0 filter protocol ip pref 45000 u32 chain 0 fh 555: ht divisor 1 Ok. Go ahead. I want to create filter rule with full handle 555:0:1 tc filter add dev eno5 parent ffff: pref 45000 handle 555:0:1 protocol ip u32 match u8 0 0 action mirred egress mirror dev lo I get error: Error: cls_u32: Handle specified hash table address mismatch. We have an error talking to the kernel, -1 Then I use 827 hash table number: tc filter add dev eno5 parent ffff: pref 45000 handle 827:0:1 protocol ip u32 match u8 0 0 action mirred egress mirror dev lo I don't get an error. I am showing the output below: filter protocol ip pref 45000 u32 chain 0 filter protocol ip pref 45000 u32 chain 0 fh 555: ht divisor 1 filter protocol ip pref 45000 u32 chain 0 fh 827: ht divisor 1 filter protocol ip pref 45000 u32 chain 0 fh 827::1 order 1 key ht 827 bkt 0 terminal flowid ??? not_in_hw (rule hit 0 success 0) match 00000000/00000000 at 0 (success 0 ) action order 1: mirred (Egress Mirror to device lo) pipe index 26 ref 1 bind 1 installed 7 sec used 7 sec Action statistics: Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0 My question: Why can't I create the filter rule with 555 hash number ? If I create filter rule with handle ::1 ... tc filter add dev eno5 parent ffff: pref 33000 handle ::1 protocol ip u32 match u8 0 0 action mirred egress mirror dev lo And I show the output tc -s -d filter show dev eno5 0 parent ffff: filter protocol ip pref 33000 u32 chain 0 filter protocol ip pref 33000 u32 chain 0 fh 829: ht divisor 1 filter protocol ip pref 33000 u32 chain 0 fh 829::1 order 1 key ht 829 bkt 0 terminal flowid ??? not_in_hw (rule hit 0 success 0) match 00000000/00000000 at 0 (success 0 ) action order 1: mirred (Egress Mirror to device lo) pipe index 29 ref 1 bind 1 installed 1 sec used 1 sec Action statistics: Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0 ... I'll can see that hash table with 829 number with ht divisor 1 has created yet and rule 829::1 created yet. But I want to control hash table number by myself. I don't want tc utility do it by itself. Can I control creating hash table number by myself ? Best regards, Denis Gubin
Powered by blists - more mailing lists