Discussion:
[LARTC] Marking packets by mac addr using tc filter u32 match?
(too old to reply)
Juan Pizarro
2005-12-10 01:07:43 UTC
Permalink
Hi
Is there a way of marking packets by mac address instead of ip or ports
using a "tc filter u32 match"?
I read somewhere that I could use the offset -8 and -14 to grab the mac
addresses but if I use anything lower than -8, for example -9, I get an
error.
I'm modifying the wondershaper script to cap the download speed by mac
address.

Any sugestions?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
gypsy
2005-12-10 17:12:18 UTC
Permalink
Post by Juan Pizarro
Hi
Is there a way of marking packets by mac address instead of ip or ports
using a "tc filter u32 match"?
I read somewhere that I could use the offset -8 and -14 to grab the mac
addresses but if I use anything lower than -8, for example -9, I get an
error.
I'm modifying the wondershaper script to cap the download speed by mac
address.
Any sugestions?
These work for me. Kernel 2.4.31, iproute2 2.6.10.
INGRESS:
tc filter add dev eth1 parent 1: protocol ip prio 5 u32 match u16 0x0800
0xffff at -2 match u16 0x4455 0xffff at -4 match u32 0x00112233
0xffffffff at -8 flowid 1:40

EGRESS:
tc filter add dev eth1 parent 1: protocol ip prio 5 u32 match u16 0x0800
0xffff at -2 match u32 0x22334455 0xffffffff at -12 match u16 0x0011
0xffff at -14 flowid 1:40
--
gypsy
b***@caramidaru.botosani.rdsnet.ro
2005-12-11 07:46:13 UTC
Permalink
This post might be inappropriate. Click to display it.
Lee Sanders
2005-12-11 08:28:24 UTC
Permalink
You haven't done a search on past posts...

the u32 can be used to match any bit in the ip header. Before the ip header,
there is a frame header. In that frame header you can find the src and dst
mac address. You can trick the u32 filter in using the frame header if you
use negative offsets.

Decimal Offset  Description
-14:    DST MAC, 6 bytes
-8:     SRC MAC, 6 bytes
-2:     Eth PROTO, 2 bytes, eg. ETH_P_IP
0:      Protocol header (IP Header)

Where PPPP is the Eth Proto Code (from linux/include/linux/if_ether.h):
ETH_P_IP= IP = match u16 0x0800
Where your MAC = M0M1M2M3M4M5

Egress (match Dst MAC):
... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF at -12 match
u16 0xM0M1 0xFFFF at -14

Ingress (match Src MAC):
... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32
0xM0M1M2M3 0xFFFFFFFF at -8

The below is simplistic but it works to demonstrate the above.

tc qdisc add dev ppp0 root handle 1:0 htb default 20
tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit

tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit

tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10

# My Laptop
tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800
0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  0xFFFFFFFF
at -8 flowid 1:10
# My Desktop
tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800
0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3  0xFFFFFFFF
at -8 flowid 1:20
# change the MAC's of course.

tc -s -d class show dev ppp0
tc -s -d qdisc show dev ppp0
tc -s -d filter show dev ppp0

There you have it.

:L
Kristiadi Himawan
2005-12-12 10:19:34 UTC
Permalink
It's also match to this kind of traffic ?

17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
Post by Lee Sanders
You haven't done a search on past posts...
the u32 can be used to match any bit in the ip header. Before the ip header,
there is a frame header. In that frame header you can find the src and dst
mac address. You can trick the u32 filter in using the frame header if you
use negative offsets.
Decimal Offset Description
-14: DST MAC, 6 bytes
-8: SRC MAC, 6 bytes
-2: Eth PROTO, 2 bytes, eg. ETH_P_IP
0: Protocol header (IP Header)
ETH_P_IP= IP = match u16 0x0800
Where your MAC = M0M1M2M3M4M5
... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF at -12 match
u16 0xM0M1 0xFFFF at -14
... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32
0xM0M1M2M3 0xFFFFFFFF at -8
The below is simplistic but it works to demonstrate the above.
tc qdisc add dev ppp0 root handle 1:0 htb default 20
tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit
tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10
# My Laptop
tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800
0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF
at -8 flowid 1:10
# My Desktop
tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800
0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF
at -8 flowid 1:20
# change the MAC's of course.
tc -s -d class show dev ppp0
tc -s -d qdisc show dev ppp0
tc -s -d filter show dev ppp0
There you have it.
:L
_______________________________________________
LARTC mailing list
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
gypsy
2005-12-12 14:44:50 UTC
Permalink
Post by Kristiadi Himawan
It's also match to this kind of traffic ?
17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
No. The 'match u16 0x0800 0xffff' says to ignore ARP.
Post by Kristiadi Himawan
Post by Lee Sanders
You haven't done a search on past posts...
the u32 can be used to match any bit in the ip header. Before the ip header,
there is a frame header. In that frame header you can find the src and dst
mac address. You can trick the u32 filter in using the frame header if you
use negative offsets.
Decimal Offset Description
-14: DST MAC, 6 bytes
-8: SRC MAC, 6 bytes
-2: Eth PROTO, 2 bytes, eg. ETH_P_IP
0: Protocol header (IP Header)
ETH_P_IP= IP = match u16 0x0800
Where your MAC = M0M1M2M3M4M5
... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF at -12 match
u16 0xM0M1 0xFFFF at -14
... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32
0xM0M1M2M3 0xFFFFFFFF at -8
The below is simplistic but it works to demonstrate the above.
tc qdisc add dev ppp0 root handle 1:0 htb default 20
tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit
tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10
# My Laptop
tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800
0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF
at -8 flowid 1:10
# My Desktop
tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800
0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF
at -8 flowid 1:20
# change the MAC's of course.
tc -s -d class show dev ppp0
tc -s -d qdisc show dev ppp0
tc -s -d filter show dev ppp0
There you have it.
:L
_______________________________________________
LARTC mailing list
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
_______________________________________________
LARTC mailing list
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
gypsy
2005-12-15 14:45:42 UTC
Permalink
Hi, i cannot access that page. Could you send it for me :)
http://yesican.chsoft.biz/lartc/arp.html

http://yesican.chsoft.biz/lartc/mac.html
http://yesican.chsoft.biz/lartc/index.html

(duron is my local copy)
--
gypsy
So is there a technique to filter this kind of ARP traffic ?
17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
Anyone can help?
http://duron/lartc/arp.html
# the ARP protocol is 2 bytes at -2
# the "0806" comes from linux/include/linux/if_ether.h
tc filter add dev $DEV parent 1: protocol ip prio 5 u32 \
match u16 0x0806 0xffff at -2 flowid 1:50
--
gypsy
Loading...