On Tue, 30 Aug 2016 08:13:15 -0400 Jamal Hadi Salim <j...@mojatatu.com> wrote:

> On 16-08-29 11:55 AM, Jesper Dangaard Brouer wrote:
> > tc filter add dev mlx5p2 parent ffff: prio 4 protocol ip u32 match ip 
> > protocol 17 0xff match udp dst 9 0xffff flowid 1:1 action  
> 
> Syntax is a little more convoluted  than that ;->. Try:
> 
> sudo tc filter add dev eth0 parent ffff: prio 4 protocol ip u32 \
> match ip protocol 17 0xff \
> match ip dport 1900 0xffff \
> flowid 1:1 \
> action drop

I think I figured out why match "udp dst" does not work.  It seems to
depend on "nexthdr+0", which is an implicit variable that, for unknown
reasons, is not set in my original rule (above).

Before your suggestion, I managed to match the UDP port by manually
defining the offset, assuming an IP header is 20 bytes (no options),
like:

tc filter add dev $device parent ffff: prio 4 protocol ip \
        u32 \
        match ip protocol 17 0xff \
        match udp dst $udp_port 0xffff at 21 \
        flowid 1:1 \
        action drop

Your solution with "ip dport" also works, but the tc-u32(8) man page[1]
also has a warning about "ip dport" size assumptions...

Updated my script to use "u32 match ip port":
 https://github.com/netoptimizer/network-testing/commit/6449f6beb4d2

> Note, this will be more cycles than drop all.

Yes, that is the point ;-) XDP also does header parsing...

-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Principal Kernel Engineer at Red Hat
  Author of http://www.iptv-analyzer.org
  LinkedIn: http://www.linkedin.com/in/brouer

[1] http://man7.org/linux/man-pages/man8/tc-u32.8.html#SELECTORS
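The point of the thread is the difference between a port match at a fixed offset ("ip dport", or an explicit "at" offset that assumes a 20-byte IP header) and a match relative to the transport header ("udp dst", which relies on nexthdr being set). The following is an added example, not the thread's script and not kernel cls_u32 code: a small Python emulation of the u32 selector semantics (each key compares one 32-bit word under a mask) run over two constructed packets, one without IP options and one with four bytes of options. The "nexthdr+" base is modelled here simply as IHL*4, which is an assumption of the emulation; the kernel derives it through the selector's offset/link machinery.

```python
import struct

def ipv4_udp_packet(dport, options=b"", sport=40000, payload=b"x"):
    """Build a bare IPv4+UDP packet starting at the IP header.
    Constructed sample input, not a capture. IHL grows with options."""
    if len(options) % 4:
        raise ValueError("IPv4 options must be padded to a 32-bit boundary")
    ihl = 5 + len(options) // 4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl,      # version + IHL
                     0,                   # TOS
                     ihl * 4 + udp_len,   # total length
                     0, 0,                # id, flags/fragment
                     64,                  # TTL
                     17,                  # protocol = UDP
                     0,                   # checksum (not needed for matching)
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip + udp + payload

def u32_match(pkt, keys):
    """Emulate a u32 selector: every key (offset, mask, value, relative)
    must match one 32-bit big-endian word of the packet.
    `relative` stands in for "nexthdr+": the offset is counted from the
    end of the IP header (IHL * 4) instead of from offset 0. (Emulation
    assumption; the kernel computes the base via the selector offset fields.)"""
    for offset, mask, value, relative in keys:
        base = (pkt[0] & 0x0F) * 4 if relative else 0
        at = base + offset
        if at + 4 > len(pkt):
            return False
        word = struct.unpack("!I", pkt[at:at + 4])[0]
        if word & mask != value & mask:
            return False
    return True

UDP_PORT = 9

# "match ip protocol 17 0xff": the protocol byte is IP offset 9,
# i.e. the word at offset 8 with mask 0x00ff0000.
IP_PROTO_UDP = (8, 0x00FF0000, 17 << 16, False)

# "match ip dport 9 0xffff": a fixed absolute offset of 20, which is the
# 20-byte-header assumption the tc-u32(8) man page warns about.
FIXED_DPORT = (20, 0x0000FFFF, UDP_PORT, False)

# "match udp dst 9 0xffff" with nexthdr set: low 16 bits of the first
# UDP word, wherever the UDP header actually starts.
NEXTHDR_DPORT = (0, 0x0000FFFF, UDP_PORT, True)

def match_ip_dport(pkt):
    """Rule built from 'match ip protocol 17 0xff match ip dport 9 0xffff'."""
    return u32_match(pkt, [IP_PROTO_UDP, FIXED_DPORT])

def match_udp_dst(pkt):
    """Rule built from 'match ip protocol 17 0xff match udp dst 9 0xffff'."""
    return u32_match(pkt, [IP_PROTO_UDP, NEXTHDR_DPORT])

if __name__ == "__main__":
    plain = ipv4_udp_packet(UDP_PORT)
    with_opts = ipv4_udp_packet(UDP_PORT, options=b"\x01\x01\x01\x01")  # four NOP options
    for name, pkt in (("no options", plain), ("4-byte options", with_opts)):
        print(f"{name}: ip dport -> {match_ip_dport(pkt)}, "
              f"udp dst (nexthdr) -> {match_udp_dst(pkt)}")
```

With options present, the fixed-offset rule compares the option bytes (0x0101) against the port and misses the packet, while the header-relative rule still matches; a rule meant to drop or rate-limit a specific port can therefore be bypassed by the sender simply adding IP options if it is written against a fixed offset.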
