[PATCH] NOTRACK only untracked

2008-02-02 Thread Dzianis Kahanovich
This is a modification of the NOTRACK netfilter target to avoid creating new 
connection entries for packets unrelated to any existing connection.


The best way would be to make a new target (clone NOTRACK to NOTRACK-NEW and fix it, or mix 
both), but I have enough motivation for this work ;)


PS This is not the same patch as the one sent to [EMAIL PROTECTED]; it was verified and 
fixed (net-2.6.25).


PPS The idea about u32 was bad. Sorry.

--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by
diff -pruN net-2.6.orig/net/netfilter/Kconfig 
net-2.6.fixed/net/netfilter/Kconfig
--- net-2.6.orig/net/netfilter/Kconfig  2008-01-30 20:17:08.0 +0200
+++ net-2.6.fixed/net/netfilter/Kconfig 2008-02-02 14:37:22.0 +0200
@@ -375,6 +375,12 @@ config NETFILTER_XT_TARGET_NOTRACK
  If you want to compile it as a module, say M here and read
  file:Documentation/kbuild/modules.txt.  If unsure, say `N'.
 
+config NETFILTER_XT_TARGET_NOTRACK_NEW
+   bool NOTRACK safe (only new)
+   depends on NETFILTER_XT_TARGET_NOTRACK
+   help
+ Slow but safe way to NOTRACK only new/untracked connections.
+
 config NETFILTER_XT_TARGET_RATEEST
tristate 'RATEEST target support'
depends on NETFILTER_XTABLES
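Review bot: The help text does not say that this bool changes the behaviour of the existing NOTRACK target for every rule that uses it, while the prompt `NOTRACK safe (only new)` reads as if a separate target were being added. Suggest extending the help along the lines of `This changes the NOTRACK target so that only packets which match no existing or expected connection are left untracked; packets of already tracked connections keep their conntrack entry, at the cost of an extra lookup per NOTRACKed packet.` As far as I can tell this also changes which packets `--ctstate UNTRACKED` matches for existing rulesets, which administrators should be told in the same place.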
diff -pruN net-2.6.orig/net/netfilter/nf_conntrack_core.c 
net-2.6.fixed/net/netfilter/nf_conntrack_core.c
--- net-2.6.orig/net/netfilter/nf_conntrack_core.c  2008-01-30 
20:17:08.0 +0200
+++ net-2.6.fixed/net/netfilter/nf_conntrack_core.c 2008-02-02 
14:22:53.0 +0200
@@ -587,6 +587,9 @@ resolve_normal_ct(struct sk_buff *skb,
struct nf_conntrack_tuple tuple;
struct nf_conntrack_tuple_hash *h;
struct nf_conn *ct;
+#ifdef CONFIG_NETFILTER_XT_TARGET_NOTRACK_NEW
+   struct nf_conntrack_expect *exp;
+#endif
 
if (!nf_ct_get_tuple(skb, skb_network_offset(skb),
 dataoff, l3num, protonum, tuple, l3proto,
@@ -598,6 +601,17 @@ resolve_normal_ct(struct sk_buff *skb,
/* look for tuple match */
h = nf_conntrack_find_get(tuple);
if (!h) {
+#ifdef CONFIG_NETFILTER_XT_TARGET_NOTRACK_NEW
+   if(skb-nfctinfo == IP_CT_NEW) {
+   exp = nf_ct_expect_find_get(tuple);
+   if(!exp){
+   skb-nfct = nf_conntrack_untracked.ct_general;
+   nf_conntrack_get(skb-nfct);
+   return NULL;
+   }
+   nf_ct_expect_put(exp);
+   }
+#endif
h = init_conntrack(tuple, l3proto, l4proto, skb, dataoff);
if (!h)
return NULL;
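Review bot: resolve_normal_ct now has two different NULL returns, one of which leaves skb->nfct pointing at the untracked entry and relies on the caller to tell them apart, and nothing in the hunk documents that contract; a comment above the added block such as `/* NOTRACK_NEW: no existing or expected connection -- attach the untracked entry and let nf_conntrack_in accept the packet */` would help. The declaration of `exp` in the previous hunk can move into this block as `struct nf_conntrack_expect *exp = nf_ct_expect_find_get(tuple);` so the whole change sits under one `#ifdef` instead of two. The two added `if(` lines also do not follow kernel style (space after `if`, space before `{`). The expectation lookup repeats the one init_conntrack performs for the same tuple, which matches the "slow but safe" wording in Kconfig but deserves a one-line comment saying it is deliberate. The function continues outside the hunk.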
@@ -675,6 +689,12 @@ nf_conntrack_in(int pf, unsigned int hoo
ct = resolve_normal_ct(skb, dataoff, pf, protonum, l3proto, l4proto,
   set_reply, ctinfo);
if (!ct) {
+#ifdef CONFIG_NETFILTER_XT_TARGET_NOTRACK_NEW
+   if(skb-nfct == nf_conntrack_untracked.ct_general){
+   NF_CT_STAT_INC_ATOMIC(ignore);
+   return NF_ACCEPT;
+   }
+#endif
/* Not valid part of a connection */
NF_CT_STAT_INC_ATOMIC(invalid);
return NF_ACCEPT;
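Review bot: Packets flagged by the target now run through everything nf_conntrack_in does before resolve_normal_ct (tuple extraction and, if this version has them, the l4proto error checks; that part of the function is outside the hunk), so a flagged packet can be counted or dropped as invalid before it ever reaches this new `ignore` branch, whereas the original target returned at the top of the function with nfct already attached. If that is intended, a comment on the added `if` saying so would stop the next reader from treating it as a regression; otherwise the flag would need to be honoured earlier in the function. The body of nf_conntrack_in continues on both sides of the hunk.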
diff -pruN net-2.6.orig/net/netfilter/xt_NOTRACK.c 
net-2.6.fixed/net/netfilter/xt_NOTRACK.c
--- net-2.6.orig/net/netfilter/xt_NOTRACK.c 2008-01-30 20:17:08.0 
+0200
+++ net-2.6.fixed/net/netfilter/xt_NOTRACK.c2008-02-02 14:22:02.0 
+0200
@@ -21,6 +21,9 @@ notrack_tg(struct sk_buff *skb, const st
if (skb-nfct != NULL)
return XT_CONTINUE;
 
+#ifdef CONFIG_NETFILTER_XT_TARGET_NOTRACK_NEW
+   skb-nfctinfo = IP_CT_NEW;
+#else
/* Attach fake conntrack entry.
   If there is a real ct entry correspondig to this packet,
   it'll hang aroun till timing out. We don't deal with it
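Review bot: In the NOTRACK_NEW build the target leaves skb->nfct NULL and signals only through skb->nfctinfo, so a later reader has no way to know that an IP_CT_NEW value without an nfct carries meaning; add a comment on the added `nfctinfo = IP_CT_NEW;` line such as `/* No fake entry attached: nfctinfo == IP_CT_NEW with nfct == NULL tells nf_conntrack_in to leave the packet untracked unless it belongs to a known or expected connection. */`. As far as I recall nf_reset() clears nfct but not nfctinfo, so a stale IP_CT_NEW left from an earlier traversal could make a packet look NOTRACKed without hitting a NOTRACK rule; that is worth verifying, and a dedicated flag bit would be more robust than overloading nfctinfo. The second hunk of this file only closes the `#endif`.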
@@ -28,6 +31,7 @@ notrack_tg(struct sk_buff *skb, const st
skb-nfct = nf_conntrack_untracked.ct_general;
skb-nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb-nfct);
+#endif
 
return XT_CONTINUE;
 }


[PATCH] cls_u32 u32_classify()

2008-01-30 Thread Dzianis Kahanovich

Currently the u32 `hashkey ... at ...` does not work with relative offsets.
This is the simplest fix, to make it work with `eat`.

--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by
diff -pruN linux-2.6.orig/net/sched/cls_u32.c linux-2.6/net/sched/cls_u32.c
--- linux-2.6.orig/net/sched/cls_u32.c  2008-01-29 23:02:50.0 +0200
+++ linux-2.6/net/sched/cls_u32.c   2008-01-30 10:56:11.0 +0200
@@ -181,11 +181,13 @@ check_terminal:
 
ht = n-ht_down;
sel = 0;
-   if (ht-divisor)
-   sel = 
ht-divisoru32_hash_fold(*(u32*)(ptr+n-sel.hoff), n-sel,n-fshift);
 
-   if (!(n-sel.flags(TC_U32_VAROFFSET|TC_U32_OFFSET|TC_U32_EAT)))
+   if 
(!(n-sel.flags(TC_U32_VAROFFSET|TC_U32_OFFSET|TC_U32_EAT))) {
+   if (!ht-divisor)
+   goto next_ht;
+   sel = 
ht-divisoru32_hash_fold(*(u32*)(ptr+n-sel.hoff), n-sel,n-fshift);
goto next_ht;
+   }
 
if (n-sel.flags(TC_U32_OFFSET|TC_U32_VAROFFSET)) {
off2 = n-sel.off + 3;
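Review bot: The added `if (!ht->divisor) goto next_ht;` followed by the fold and a second `goto next_ht;` can keep the original shape, `if (ht->divisor)` / `sel = ht->divisor & u32_hash_fold(*(u32 *)(ptr + n->sel.hoff), &n->sel, n->fshift);` / `goto next_ht;`, which makes the diff a plain move of the fold out of the offset path. The same hunk appears unchanged in the "++" and "+" resends further down the page. u32_classify continues outside the hunk.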
@@ -198,6 +200,9 @@ check_terminal:
off2 = 0;
}
 
+   if (ht-divisor)
+   sel = 
ht-divisoru32_hash_fold(*(u32*)(ptr+n-sel.hoff), n-sel,n-fshift);
+
if (ptr  skb_tail_pointer(skb))
goto next_ht;
}
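Review bot: The fold added after the EAT adjustment dereferences four bytes at `ptr + n->sel.hoff` before the `ptr < skb_tail_pointer(skb)` check that follows it, so for a node with TC_U32_EAT a short packet now causes a read past the tail where the original code only read at the previously validated ptr. The "+" resend on this page bounds only the first byte of the key and the "++" resend bounds all four but with `<`, which also rejects a key ending exactly at the tail; the exact condition is `if (ht->divisor && ptr + n->sel.hoff + 4 <= skb_tail_pointer(skb))`. The same expression in the non-offset path of the first hunk stays unchecked as before, which this series does not touch.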


[PATCH] cls_u32 u32_classify() ++

2008-01-30 Thread Dzianis Kahanovich

Currently the u32 `hashkey ... at ...` does not work with relative offsets.
This is the simplest fix, to make it work with `eat`.
(sorry, I'm an idiot)

--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by




diff -pruN linux-2.6.orig/net/sched/cls_u32.c linux-2.6/net/sched/cls_u32.c
--- linux-2.6.orig/net/sched/cls_u32.c  2008-01-29 23:02:50.0 +0200
+++ linux-2.6/net/sched/cls_u32.c   2008-01-30 11:37:31.0 +0200
@@ -181,11 +181,13 @@ check_terminal:
 
ht = n-ht_down;
sel = 0;
-   if (ht-divisor)
-   sel = 
ht-divisoru32_hash_fold(*(u32*)(ptr+n-sel.hoff), n-sel,n-fshift);
 
-   if (!(n-sel.flags(TC_U32_VAROFFSET|TC_U32_OFFSET|TC_U32_EAT)))
+   if 
(!(n-sel.flags(TC_U32_VAROFFSET|TC_U32_OFFSET|TC_U32_EAT))) {
+   if (!ht-divisor)
+   goto next_ht;
+   sel = 
ht-divisoru32_hash_fold(*(u32*)(ptr+n-sel.hoff), n-sel,n-fshift);
goto next_ht;
+   }
 
if (n-sel.flags(TC_U32_OFFSET|TC_U32_VAROFFSET)) {
off2 = n-sel.off + 3;
@@ -198,6 +200,9 @@ check_terminal:
off2 = 0;
}
 
+   if (ht-divisor  ptr+n-sel.hoff+4  skb_tail_pointer(skb))
+   sel = 
ht-divisoru32_hash_fold(*(u32*)(ptr+n-sel.hoff), n-sel,n-fshift);
+
if (ptr  skb_tail_pointer(skb))
goto next_ht;
}



[PATCH] cls_u32 u32_classify() +

2008-01-30 Thread Dzianis Kahanovich

Currently the u32 `hashkey ... at ...` does not work with relative offsets.
This is the simplest fix, to make it work with `eat`.
(sorry, v2)

--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by


diff -pruN linux-2.6.orig/net/sched/cls_u32.c linux-2.6/net/sched/cls_u32.c
--- linux-2.6.orig/net/sched/cls_u32.c  2008-01-29 23:02:50.0 +0200
+++ linux-2.6/net/sched/cls_u32.c   2008-01-30 11:28:00.0 +0200
@@ -181,11 +181,13 @@ check_terminal:
 
ht = n-ht_down;
sel = 0;
-   if (ht-divisor)
-   sel = 
ht-divisoru32_hash_fold(*(u32*)(ptr+n-sel.hoff), n-sel,n-fshift);
 
-   if (!(n-sel.flags(TC_U32_VAROFFSET|TC_U32_OFFSET|TC_U32_EAT)))
+   if 
(!(n-sel.flags(TC_U32_VAROFFSET|TC_U32_OFFSET|TC_U32_EAT))) {
+   if (!ht-divisor)
+   goto next_ht;
+   sel = 
ht-divisoru32_hash_fold(*(u32*)(ptr+n-sel.hoff), n-sel,n-fshift);
goto next_ht;
+   }
 
if (n-sel.flags(TC_U32_OFFSET|TC_U32_VAROFFSET)) {
off2 = n-sel.off + 3;
@@ -198,6 +200,9 @@ check_terminal:
off2 = 0;
}
 
+   if (ht-divisor  ptr+n-sel.hoff  skb_tail_pointer(skb))
+   sel = 
ht-divisoru32_hash_fold(*(u32*)(ptr+n-sel.hoff), n-sel,n-fshift);
+
if (ptr  skb_tail_pointer(skb))
goto next_ht;
}



Re: [PATCH 2.6.23+] ingress classify to [nf]mark

2008-01-23 Thread Dzianis Kahanovich

Too many pixels to smoke. Sorry.

Maybe like this? ;)) (if an undefined classid is not overwritten with a random value by tc_classify)
Even if tc says classid=0 - 

--- 1/net/sched/sch_ingress.c   2008-01-12 17:27:05.0 +0200
+++ 2/net/sched/sch_ingress.c   2008-01-22 22:09:32.0 +0200
@@ -136,6 +136,9 @@
struct ingress_qdisc_data *p = PRIV(sch);
struct tcf_result res;
int result;
+#ifdef CONFIG_NET_SCH_INGRESS_TC2MARK
+   res.classid=0;
+#endif

D2PRINTK(ingress_enqueue(skb %p,sch %p,[qdisc %p])\n, skb, sch, p);
result = tc_classify(skb, p-filter_list, res);
@@ -169,6 +172,11 @@
sch-bstats.packets++;
sch-bstats.bytes += skb-len;
 #endif
+#ifdef CONFIG_NET_SCH_INGRESS_TC2MARK
+   if(res.classid)
+   skb-mark =
(skb-mark(res.classid16))|(skb-tc_index=TC_H_MIN(res.classid));
+// skb-mark=res.classid; /* or just so */
+#endif

return result;
 }
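Review bot: The write to `skb->tc_index` is buried inside the mark expression as an assignment used as an operand, so a reader looking for where tc_index is set will miss it; split it into `skb->tc_index = TC_H_MIN(res.classid);` and `skb->mark = (skb->mark & (res.classid >> 16)) | skb->tc_index;`. As I read the garbled line, the AND mask is the 16-bit major part of classid, so bits 16-31 of the existing mark are always cleared whatever the rule says; if that is intended it needs a comment, otherwise the mask should be widened. The added `if(res.classid)` here and `res.classid=0;` in the first hunk lack kernel-style spacing, and the commented-out alternative `// skb-mark=res.classid;` should be dropped rather than left in. The same mark expression recurs in the other copies on this page (the repeated posting below and the original patch at the end), so one fix covers them all.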



jamal wrote:

[skipped]

--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by



Re: [PATCH 2.6.23+] ingress classify to [nf]mark

2008-01-22 Thread Dzianis Kahanovich

Too many pixels to smoke. Sorry.

Maybe like this? ;)) (if an undefined classid is not overwritten with a random value by tc_classify)
Even if tc says classid=0 - 

--- 1/net/sched/sch_ingress.c   2008-01-12 17:27:05.0 +0200
+++ 2/net/sched/sch_ingress.c   2008-01-22 22:09:32.0 +0200
@@ -136,6 +136,9 @@
struct ingress_qdisc_data *p = PRIV(sch);
struct tcf_result res;
int result;
+#ifdef CONFIG_NET_SCH_INGRESS_TC2MARK
+   res.classid=0;
+#endif

D2PRINTK(ingress_enqueue(skb %p,sch %p,[qdisc %p])\n, skb, sch, p);
result = tc_classify(skb, p-filter_list, res);
@@ -169,6 +172,11 @@
sch-bstats.packets++;
sch-bstats.bytes += skb-len;
 #endif
+#ifdef CONFIG_NET_SCH_INGRESS_TC2MARK
+   if(res.classid)
+	skb-mark = 
(skb-mark(res.classid16))|(skb-tc_index=TC_H_MIN(res.classid));

+// skb-mark=res.classid; /* or just so */
+#endif

return result;
 }



jamal wrote:

On Mon, 2008-14-01 at 20:20 -0200, Dzianis Kahanovich wrote:

jamal wrote:
[..] 


Did that make sense?

After current #endif - may be.


I am afraid that would be counter to expected behavior. 
Default is meant to apply when no value has been defined. Mark of 0 for

example doesnt mean default. Let me demonstrate with the ifdefs again
with some arbitrary example:

-
#ifdef CONFIG_NET_CLS_ACT
..classify ...
.. action 1 sets mark to 0x1
.. action 2 checks some state and conditionally let action 3 execute
.. action 3 sets mark to 0

if OK is returned set tc_index based on classid

#else // no actions compiled
..classify
 jamal suggests: set default mark and tc_index for ingress here
#endif

// mahatma wants to set default for mark and tcindex here 
// so it works for both actions and none-action code



Lets look at the case of actions compiled in:
I have defined my policies (in user space) so that the mark can be set
to either 0 or 0x depending on some runtime state. 
Your default (kernel) code is now going to overide my policy - which is

bad. Even in the case of OK being returned, it is wrong to set tc_index;
unfortunately, we dont have an action that can set tc_index today; if we
did, we would need to remove that setting.

You other intent was to set the value of mark based on the value of
classid. You _can do that today already_ with no changes via a policy in
user space. You suggested to do an ifdef so you wont have to type in the
line which says how to mark, and i said that was a bad idea (we need
less ifdefs not more). 


For the case of no actions compiled in:
nothing can write into the values of either tcindex or mark after
classification (on ingress), so it is ok to override. If you did this
for egress as well, that would be wrong because it is expected that some
qdiscs may set or utilize these metadatum.

I am not sure if it made more sense this time?


What result are with:
1) no filters?
2) 1 filter only, with action continue?


Please refer to above verbosity and see if it all makes better sense.

cheers,
jamal






--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by


Re: [PATCH 2.6.23+] ingress classify to [nf]mark

2008-01-14 Thread Dzianis Kahanovich

jamal wrote:


I am in doubt only about `action continue`.
For and/or behaviour one of the best usages is (example):


I dont think you should be touching the action part at all primarily
because actions can set the mark after classification. 


Yes, I only do it by inertia after #define tc_index mark.

I do not understand why tc_index is changed in this place. 1) this is ingress 2) 
this is the OK action. Will tc_index not be changed after: tc filter add 
dev eth0 parent : ... flowid 1:1 action continue ? In general, is 
tc_index useful in ingress? (maybe tc_index is used in [nf]mark style, but even 
in netfilter this feature migrated - IMHO; maybe from time to time I just do not look in the 
right place)


Sorry, I just changed focus from the existing `tc_index=...` to common behaviour ;)

[...]

Please refer to what i said above; if what i said still doesnt make
sense i can create (the simple) patch.


A bit vague... sorry...

--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by


Re: [PATCH 2.6.23+] ingress classify to [nf]mark

2008-01-14 Thread Dzianis Kahanovich

jamal wrote:

Maybe I am mixing up other code (multi-class loop/walking) and this code in my mind. I 
am deprogramming... ;)



Sorry, I just change focus from existing tc_index=... to common behaviour ;)



[...]

Please refer to what i said above; if what i said still doesnt make
sense i can create (the simple) patch.

A bit vague... sorry...


I mean:

#ifdef CONFIG_NET_CLS_ACT
 leave this part alone which already sets tc_index ...
#else
...set tc_index and mark here ...
#endif

And when we have a metadata action - we remove setting of tc_index from
#ifdef CONFIG_NET_CLS_ACT

Did that make sense?


After current #endif - may be.

What result are with:
1) no filters?
2) 1 filter only, with action continue?

--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by


Re: [PATCH 2.6.23+] ingress classify to [nf]mark

2008-01-12 Thread Dzianis Kahanovich

I am in doubt only about `action continue`.
For and/or behaviour one of the best usages is (example):

# set bit 2 of mark to 0 (mark&0xfd|0) and continue
tc filter add ... prio 1 ... flowid fd:0 action continue
# continue
tc filter add ... prio 2 ...

- in the current ingress_enqueue() code, IMHO `case TC_ACT_OK:` will not be reached 
for `action continue`. I use the old (mark=...) solution only because of this.


I think `skb->mark = (skb->mark&(res.classid>>16))|TC_H_MIN(res.classid);` 
must be at the end of ingress_enqueue() before `return result`, and not 
depend on NET_CLS_ACT. But I have not tested it yet.

Or this:
---
#ifdef CONFIG_NET_SCH_INGRESS_TC2MARK
#ifdef CONFIG_NET_CLS_ACT
skb-mark = (skb-mark(res.classid16))|TC_H_MIN(res.classid);
#else
skb-mark = res.classid;
#endif
#endif
return result;
}


jamal wrote:


While I compose filter, I check flag ($TC_INDEX2MARK), tells me are patch
applied or no. If no - I use usual -j MARK --set-mark, else I use classid to
change mark. All in ingress only. For example:
tc filter add dev eth0 parent : protocol ip u32 ... action ipt -j MARK 0x10
is rewritten to:
tc filter add dev eth0 parent : protocol ip u32 ... flowid :10


I thought you were doing something like this (to achieve your policy):

--
major=1
minor=12
mark=`expr $major + $minor`
#
tc qdisc add dev XXX ingress
tc filter add dev XXX parent : protocol ip prio 5 \
u32 blah bleh \
flowid $major:$minor action \
ipt -j mark --set-mark $mark
---


- it uses less code/modules and, in many cases, pre-marking packets may be the
single/main goal of ingress usage.


That is true and you would also have one less line in your policy; as an
example in above the line ipt -j mark --set-mark $mark would be
unnecessary; however, all the other lines in the policy setting _will be
necessary_. And this + the fact there are many other values/shapes the
default policy could take is essentially whats bothering me. 


In any case, scanning the current code it seems mark is no longer
considered a netfilter-only metadatum - so it may not be semantically as
obscene as i felt earlier; Can you pick something simpler for policy?
example set the mark to whatever tc_index gets set?
If you still could write the metadata action, we could use it to
override mark, tc_index etc in addition.

cheers,
jamal






--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by


Re: [PATCH 2.6.23+] ingress classify to [nf]mark

2008-01-11 Thread Dzianis Kahanovich

Patrick McHardy wrote:


--- linux-2.6.23-gentoo-r2/net/sched/sch_ingress.c
+++ linux-2.6.23-gentoo-r2.fixed/net/sched/sch_ingress.c
@@ -161,2 +161,5 @@
 skb-tc_index = TC_H_MIN(res.classid);
+#ifdef CONFIG_NET_SCH_INGRESS_TC2MARK
+skb-mark = 
(skb-mark(res.classid16))|TC_H_MIN(res.classid);

+#endif
 default:



Behaviour like this shouldn't depend on compile-time options.


I also want to move it outside of the NET_CLS_ACT dependence, but I am unsure about 
the behaviour without NET_CLS_ACT.


But this reduces code.

--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by


Re: [PATCH 2.6.23+] ingress classify to [nf]mark

2008-01-11 Thread Dzianis Kahanovich

jamal wrote:


For classid x:y => mark = mark&x|y (classid :y = `-j MARK --set-mark y`, etc).

--- linux-2.6.23-gentoo-r2/net/sched/Kconfig
+++ linux-2.6.23-gentoo-r2.fixed/net/sched/Kconfig
@@ -222,6 +222,16 @@

[..]

skb-tc_index = TC_H_MIN(res.classid);
+#ifdef CONFIG_NET_SCH_INGRESS_TC2MARK
+   skb-mark = 
(skb-mark(res.classid16))|TC_H_MIN(res.classid);
+#endif
default:



Please either use ipt action and netfilter fwmarker for this activity or


Sorry. This is only an unsuccessful attempt to popularize my working solution.
Really I just use `#define tc_index mark` (in skbuff.h or sch_ingress.c) or 
something like this:


--- linux-2.6.23-gentoo-r2/net/sched/Kconfig
+++ linux-2.6.23-gentoo-r2.fixed/net/sched/Kconfig
@@ -222,6 +222,16 @@
  To compile this code as a module, choose M here: the
  module will be called sch_ingress.

+config NET_SCH_INGRESS_TC2MARK
+   bool ingress tc_index - mark
+   depends on NET_SCH_INGRESS  NET_CLS_ACT
+   ---help---
+ This enables access to mark value via tc_index alias
+ in ingress and unify this values (usage example: set flowid :2
+ in ingress and use it value as mark in any way - netfilter, etc).
+   
+ But tc_index may be undefined - use flowid :0.
+
 comment Classification

 config NET_CLS
--- linux-2.6.23-gentoo-r2/net/sched/sch_ingress.c
+++ linux-2.6.23-gentoo-r2.fixed/net/sched/sch_ingress.c
@@ -18,6 +18,9 @@
 #include net/netlink.h
 #include net/pkt_sched.h

+#ifdef CONFIG_NET_SCH_INGRESS_TC2MARK
+#define tc_index mark
+#endif

 #undef DEBUG_INGRESS
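Review bot: `#define tc_index mark` silently rewrites every later `tc_index` token in sch_ingress.c, including the existing `skb->tc_index = TC_H_MIN(res.classid)` store, so the Kconfig wording "access to mark value via tc_index alias" understates it: this file stops writing tc_index at all and writes mark instead. If this stays, say so on the macro, e.g. `/* every skb->tc_index access below operates on skb->mark instead */`, and keep it after the last #include so no header is affected, as the hunk already does. Renaming a struct member through a macro is hard to audit for anyone grepping for writers of tc_index; an explicit assignment next to the existing one is easier to review.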



create a new action. 
If you choose the later (example because you want to dynamically compute

the mark), look at net/sched/act_simple.c to start from and i can help
you if you have any questions.
 
If you want to use ipt action, the syntax would be something like:


---
tc qdisc add dev XXX ingress
tc filter add dev XXX parent : protocol ip prio 5 \
u32 blah bleh \
flowid 1:12 action ipt -j mark --set-mark 13 


Yes, I do so. But this is simpler:
---
if [[ $[TC_INDEX2MARK] == 0 ]] ; then
 c=${c//action ipt -j MARK --set-mark /flowid :}
fi
$c
---

Simpliest:
--- linux-2.6.23-gentoo-r2/net/sched/sch_ingress.c
+++ linux-2.6.23-gentoo-r2.fixed/net/sched/sch_ingress.c
@@ -222,6 +222,16 @@
-   skb-tc_index = TC_H_MIN(res.classid);
+   skb-tc_index = TC_H_MIN(mark=res.classid);
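Review bot: `mark` on its own is not an identifier visible in the surrounding code, which otherwise accesses `skb->mark`, so this line does not look like it would compile as written, and the assignment is nested inside the macro argument where it is easy to miss; two statements, `skb->mark = res.classid;` and `skb->tc_index = TC_H_MIN(res.classid);`, say the same thing. The `@@ -222,6 +222,16 @@` header does not match a one-line change and appears copied from the Kconfig hunk, so this is a fragment rather than an applicable patch. The same fragment is quoted again in the reply further down the page.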


--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by


Re: [PATCH 2.6.23+] ingress classify to [nf]mark

2008-01-11 Thread Dzianis Kahanovich

jamal wrote:


Yes, I do so. But there are simple:
---
if [[ $[TC_INDEX2MARK] == 0 ]] ; then

==1

  c=${c//action ipt -j MARK --set-mark /flowid :}

   c=${c//action ipt -j MARK --set-mark 0x/flowid :}

fi
$c
---


I didnt quiet understand what you have above. Does your script above
read the flowid and sets the MARK to some dynamic value based on flowid?
if thats what you are doing - it sounds sensible and much more clever
than what is posted. And it doesnt require any kernel patch.


I suggest just using classid to toggle mark/nfmark in ingress. I see that classid
is nearly unused in ingress (no classes, etc) and for many solutions classid in
ingress filters may be used only for nfmarking. I also suggest using both
parts (major & minor) of classid - major may be the AND value, minor the OR. In the
current place it may be useful only for overwriting (if at all, unsure) netfilter
raw table marks, but if it is moved outside the current CLS_ACT block,
tc filter rules could operate on mark bits more usefully.

About the script example:
While I compose a filter, I check a flag ($TC_INDEX2MARK) that tells me whether the patch
is applied or not. If not, I use the usual -j MARK --set-mark, else I use classid to
change the mark. All in ingress only. For example:
tc filter add dev eth0 parent : protocol ip u32 ... action ipt -j MARK 0x10
is rewritten to:
tc filter add dev eth0 parent : protocol ip u32 ... flowid :10

- it uses less code/modules and, in many cases, pre-marking packets may be the
single/main goal of ingress usage.


Simpliest:
--- linux-2.6.23-gentoo-r2/net/sched/sch_ingress.c
+++ linux-2.6.23-gentoo-r2.fixed/net/sched/sch_ingress.c
@@ -222,6 +222,16 @@
-   skb-tc_index = TC_H_MIN(res.classid);
+   skb-tc_index = TC_H_MIN(mark=res.classid);


Just write a metaset action and you can have all sorts of policies on
what tc_index, mark etc you want. It is something thats needed in any
case.
When we did tc_index it made sense then because it was for tc to use
some default policy. Enforcing policies in the kernel is not the best
thing to do; as an example you want to specify the polciy for mark to
be: classid major16|minor. I am sure you have good reasons; however,
for the next person who wants to set it it major8|minor for their own
good reason, theres conflict.  
My offer to help you is still open.


OK, I understand this is not too transparent for future usage, but I see too
few applications for ingress/classid that would conflict with it.

Thanks, I will try to understand metaset actions, but I think it will not be
as elegant for my usage as my `#define tc_index mark` at the beginning of
sch_ingress.c. Or maybe I will use the and/or behaviour, but for now `#define
tc_index mark` has worked on my router for many months (I could also use -j MARK - with
one flag in my script, but that is a lot of useless code).

This code (ingress/classifying[/CLS_ACT]) is executed everywhere and I
suggest changes ranging from none (changing the target variable from tc_index to mark)
to a few and/or atomic operations for useful functionality. With
`mark=res.classid` only (I may use that myself, but do not suggest it for the kernel) it is even
less code than the default (no TC_H_MIN) and fully satisfies many goals (traffic
marking without netfilter, but compatible with it).

--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by



[PATCH 2.6.23+] ingress classify to [nf]mark

2008-01-10 Thread Dzianis Kahanovich

For classid x:y => mark = mark&x|y (classid :y = `-j MARK --set-mark y`, etc).

--- linux-2.6.23-gentoo-r2/net/sched/Kconfig
+++ linux-2.6.23-gentoo-r2.fixed/net/sched/Kconfig
@@ -222,6 +222,16 @@
  To compile this code as a module, choose M here: the
  module will be called sch_ingress.

+config NET_SCH_INGRESS_TC2MARK
+   bool ingress classify - mark
+   depends on NET_SCH_INGRESS  NET_CLS_ACT
+   ---help---
+ This enables access to mark value via classid
+ Example: set tc filter ... flowid|classid 1:2
+ eq netfilter mark mark=mark1|2
+   
+ But classid may be undefined (?) - use flowid :0.
+
 comment Classification

 config NET_CLS
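Review bot: The help text's `But classid may be undefined (?) - use flowid :0.` records the author's own uncertainty about whether res.classid holds anything when no filter matched, and that question needs an answer before the option can be documented; the later resend on this page zeroes `res.classid` at the top of ingress_enqueue for exactly this reason, so either that initialisation belongs with this patch or the sentence should state the actual rule. Suggest replacing the sentence with `classid is only meaningful when a filter matched; unmatched packets keep their mark unchanged.` once that is verified.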
--- linux-2.6.23-gentoo-r2/net/sched/sch_ingress.c
+++ linux-2.6.23-gentoo-r2.fixed/net/sched/sch_ingress.c
@@ -161,2 +161,5 @@
skb-tc_index = TC_H_MIN(res.classid);
+#ifdef CONFIG_NET_SCH_INGRESS_TC2MARK
+   skb-mark = 
(skb-mark(res.classid16))|TC_H_MIN(res.classid);
+#endif
default:


--
WBR,
Denis Kaganovich,  [EMAIL PROTECTED]  http://mahatma.bspu.unibel.by