[LARTC] Marking packets by mac addr using tc filter u32 match?
Kristiadi Himawan
kristiadi_himawan at dtp.net.id
Tue Dec 13 11:50:19 CET 2005
So is there a technique to filter this kind of ARP traffic?
17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
Can anyone help?
Michael Davidson wrote:
> Hi,
> Forgive me if I point out the obvious. Remember that ARP isn't an
> IP protocol; it's a peer protocol to IP. In the tc filters shown below
> the protocol is IP and the negative offset works on an IP packet, but I
> suspect that an ARP packet isn't accessible with this technique. If I
> substitute IP for ARP in the filter statement it isn't accepted.
>
> Regards Mike D.
>
> Kristiadi Himawan wrote:
>
>>
>> It should be 0x0806 0xffff?
>> Or do you have an example of how to catch that kind of traffic?
>>
>> gypsy wrote:
>>
>>> Kristiadi Himawan wrote:
>>>
>>>
>>>> Does it also match this kind of traffic?
>>>>
>>>> 17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
>>>> 17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
>>>> 17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
>>>> 17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
>>>>
>>>
>>>
>>>
>>> No. The 'match u16 0x0800 0xffff' says to ignore ARP.
>>>
>>>
>>>
>>>> Lee Sanders wrote:
>>>>
>>>>
>>>>
>>>>> You haven't done a search on past posts...
>>>>>
>>>>> The u32 can be used to match any bit in the IP header. Before the IP
>>>>> header, there is a frame header. In that frame header you can find the
>>>>> src and dst MAC address. You can trick the u32 filter into using the
>>>>> frame header if you use negative offsets.
>>>>>
>>>>> Decimal Offset Description
>>>>> -14: DST MAC, 6 bytes
>>>>> -8: SRC MAC, 6 bytes
>>>>> -2: Eth PROTO, 2 bytes, eg. ETH_P_IP
>>>>> 0: Protocol header (IP Header)
>>>>>
>>>>> Where PPPP is the Eth Proto Code (from linux/include/linux/if_ether.h):
>>>>> ETH_P_IP= IP = match u16 0x0800
>>>>> Where your MAC = M0M1M2M3M4M5
>>>>>
>>>>> Egress (match Dst MAC):
>>>>> ... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF at -12 match u16 0xM0M1 0xFFFF at -14
>>>>>
>>>>> Ingress (match Src MAC):
>>>>> ... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF at -8
>>>>>
>>>>> The below is simplistic but it works to demonstrate the above.
>>>>>
>>>>> tc qdisc add dev ppp0 root handle 1:0 htb default 20
>>>>> tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
>>>>>
>>>>> tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
>>>>> tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit
>>>>>
>>>>> tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
>>>>> tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10
>>>>>
>>>>> # My Laptop
>>>>> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF at -8 flowid 1:10
>>>>> # My Desktop
>>>>> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF at -8 flowid 1:20
>>>>> # change the MAC's of course.
>>>>>
>>>>> tc -s -d class show dev ppp0
>>>>> tc -s -d qdisc show dev ppp0
>>>>> tc -s -d filter show dev ppp0
>>>>>
>>>>> There you have it.
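
Added example, not part of the original thread or of iproute2: a small shell helper that fills in the M0M1M2M3M4M5 template quoted above from a real MAC address, splitting it into the u16/u32 pieces at the negative offsets from the offset table. The function name `mac_u32_match` is hypothetical, and the sample MAC is the one shown in the tcpdump output in the thread.

```shell
#!/bin/sh
# Added example; mac_u32_match is a hypothetical helper, not part of tc.
# usage: mac_u32_match src|dst MAC [ETHERTYPE_HEX]
mac_u32_match() {
    dir=$1
    mac=$2
    proto=${3:-0800}   # PPPP in the template; 0800 = ETH_P_IP

    # Normalise the MAC: lowercase, drop ':' and '-' separators.
    hex=$(printf '%s' "$mac" | tr 'A-F' 'a-f' | tr -d ':-')

    # After normalising, require 12 hex digits (MAC) and 4 (ethertype).
    case $hex in
        *[!0-9a-f]*) echo "invalid MAC: $mac" >&2; return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || { echo "invalid MAC: $mac" >&2; return 1; }
    case $proto in
        *[!0-9a-fA-F]*) echo "invalid ethertype: $proto" >&2; return 1 ;;
    esac
    [ "${#proto}" -eq 4 ] || { echo "invalid ethertype: $proto" >&2; return 1; }

    case $dir in
        src)
            # SRC MAC sits at -8..-3: u32 M0M1M2M3 at -8, u16 M4M5 at -4.
            hi=$(printf '%s' "$hex" | cut -c1-8)
            lo=$(printf '%s' "$hex" | cut -c9-12)
            printf 'match u16 0x%s 0xFFFF at -2 match u16 0x%s 0xFFFF at -4 match u32 0x%s 0xFFFFFFFF at -8\n' \
                "$proto" "$lo" "$hi"
            ;;
        dst)
            # DST MAC sits at -14..-9: u16 M0M1 at -14, u32 M2M3M4M5 at -12.
            hi=$(printf '%s' "$hex" | cut -c1-4)
            lo=$(printf '%s' "$hex" | cut -c5-12)
            printf 'match u16 0x%s 0xFFFF at -2 match u32 0x%s 0xFFFFFFFF at -12 match u16 0x%s 0xFFFF at -14\n' \
                "$proto" "$lo" "$hi"
            ;;
        *)
            echo "direction must be src or dst" >&2; return 1 ;;
    esac
}

# MAC taken from the tcpdump output quoted in the thread.
mac_u32_match src 00:04:c1:b5:bd:f1
# As root, the clauses slot into the thread's filter command:
#   tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 \
#       $(mac_u32_match src 00:04:c1:b5:bd:f1) flowid 1:10
```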
This article is from the ChinaUnix blog; to view the original, go to: http://blog.chinaunix.net/u3/100089/showart_2045068.html