Category: LINUX

2009-09-03 21:54:10

[LARTC] Marking packets by mac addr using tc filter u32 match?

Kristiadi Himawan
Tue Dec 13 11:50:19 CET 2005


So is there a technique to filter this kind of ARP traffic?

17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17

Can anyone help?


Michael Davidson wrote:

> Hi,
>    Forgive me if I point out the obvious.  Remember that ARP isn't an
> IP protocol; it's a peer protocol to IP. In the tc filters shown below
> the protocol is IP and the negative offset works on an IP packet, but I
> suspect that an ARP packet isn't accessible with this technique. If I
> substitute IP for ARP in the filter statement it isn't accepted.
>
> Regards Mike D.
>
> Kristiadi Himawan wrote:
>
>>
>> Should it be 0x0806 0xffff?
>> Or do you have an example of how to catch that kind of traffic?
>>
>> gypsy wrote:
>>
>>> Kristiadi Himawan wrote:
>>>
>>>> Does it also match this kind of traffic?
>>>>
>>>> 17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
>>>> 17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
>>>> 17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
>>>> 17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
>>>
>>> No.  The 'match u16 0x0800 0xffff' says to ignore ARP.
>>>
>>>> Lee Sanders wrote:
>>>>
>>>>> You haven't done a search on past posts...
>>>>>
>>>>> The u32 can be used to match any bit in the ip header. Before the ip header,
>>>>> there is a frame header. In that frame header you can find the src and dst
>>>>> mac address. You can trick the u32 filter into using the frame header if you
>>>>> use negative offsets.
>>>>>
>>>>> Decimal Offset  Description
>>>>> -14:    DST MAC, 6 bytes
>>>>> -8:     SRC MAC, 6 bytes
>>>>> -2:     Eth PROTO, 2 bytes, eg. ETH_P_IP
>>>>> 0:      Protocol header (IP Header)
>>>>>
>>>>> Where PPPP is the Eth Proto Code (from linux/include/linux/if_ether.h):
>>>>> ETH_P_IP= IP = match u16 0x0800
>>>>> Where your MAC = M0M1M2M3M4M5
>>>>>
>>>>> Egress (match Dst MAC):
>>>>> ... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF at -12 match u16 0xM0M1 0xFFFF at -14
>>>>>
>>>>> Ingress (match Src MAC):
>>>>> ... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF at -8
>>>>>
>>>>> The below is simplistic but it works to demonstrate the above.
>>>>>
>>>>> tc qdisc add dev ppp0 root handle 1:0 htb default 20
>>>>> tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
>>>>>
>>>>> tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
>>>>> tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit
>>>>>
>>>>> tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
>>>>> tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10
>>>>>
>>>>> # My Laptop
>>>>> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF at -8 flowid 1:10
>>>>> # My Desktop
>>>>> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF at -8 flowid 1:20
>>>>> # change the MAC's of course.
>>>>>
>>>>> tc -s -d class show dev ppp0
>>>>> tc -s -d qdisc show dev ppp0
>>>>> tc -s -d filter show dev ppp0
>>>>>
>>>>> There you have it.