On 16-08-30 06:31 AM, Jesper Dangaard Brouer wrote:
> On Tue, 30 Aug 2016 08:13:15 -0400 Jamal Hadi Salim <j...@mojatatu.com> wrote:
> 
>> On 16-08-29 11:55 AM, Jesper Dangaard Brouer wrote:
>>> tc filter add dev mlx5p2 parent ffff: prio 4 protocol ip u32 match ip 
>>> protocol 17 0xff match udp dst 9 0xffff flowid 1:1 action  
>>
>> Syntax is a little more convoluted than that ;->. Try:
>>
>> sudo tc filter add dev eth0 parent ffff: prio 4 protocol ip u32 \
>> match ip protocol 17 0xff \
>> match ip dport 1900 0xffff \
>> flowid 1:1 \
>> action drop
> 
> I think I figured out why match "udp dst" does not work.  It seems to
> depend on "nexthdr+0" which is an implicit variable, that for unknown
> reasons is not set in my original rule (above).
> 
> Before your suggestion I managed to match the udp port by manually
> defining the offset, assuming an IP-header is 20 bytes (no-options),
> like:
> 
> tc filter add dev $device parent ffff: prio 4 protocol ip \
>       u32 \
>       match ip protocol 17 0xff \
>       match udp dst $udp_port 0xffff at 21 \
>       flowid 1:1 \
>       action drop
> 
> Your solution with "ip dport" also works, but man[1] tc-u32(8) also has
> a warning about "ip dport" size assumptions...
> 
> Updated my script to use "u32 match ip port":
>  https://github.com/netoptimizer/network-testing/commit/6449f6beb4d2
> 

FWIW the 'udp dst' notation is quite fragile in that it only reads an
offset into the packet where a udp dst port might be. More robust
solutions require the use of links.

I have a wrapper tool around the 'link' creation part of u32 that we
can probably show off at netconf. :)
>> Note, this will be more cycles than drop all.
> 
> Yes, that is the point ;-) XDP also does header parsing...
> 
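The link-based form Jamal alludes to, as an added example that is not part of this thread or of Jesper's script: a root u32 rule selects IP protocol 17 and links into a hash table with an offset expression that reads the IHL field, so the "udp dst" match in the linked table is evaluated at nexthdr+2 regardless of IP options. It assumes the ingress qdisc ffff: already exists on the device, that prio 4 and hash table handle 1: are free, and that the rules are applied as root.

```shell
#!/bin/sh
# Added example, not from the thread: build (and optionally apply) a u32
# filter that matches the UDP destination port via a u32 link, instead of
# the fixed-offset "udp dst ... at 21" / "ip dport" forms discussed above.
# Assumed (not from the thread): ingress qdisc ffff: exists, prio 4 and
# hash table 1: are unused on the device.

# u32_udp_dport_rules DEV PORT [ACTION]
# Print the three tc commands, one per line, without executing them.
u32_udp_dport_rules() {
    dev=$1
    port=$2
    act=${3:-drop}
    base="tc filter add dev $dev parent ffff: prio 4 protocol ip u32"

    # 1. A one-bucket hash table (handle 1:) that will hold the UDP rule.
    printf '%s handle 1: divisor 1\n' "$base"

    # 2. Root rule (table 800:): select IPv4 protocol 17 (UDP) and link
    #    into table 1:. "offset at 0 mask 0f00 shift 6 eat" reads the
    #    16 bits at packet offset 0, keeps the IHL nibble (0x0f00) and
    #    shifts it right by 6, giving IHL*4 = real IPv4 header length in
    #    bytes; "eat" makes that the new nexthdr base for table 1:.
    printf '%s ht 800:: match ip protocol 17 0xff link 1: offset at 0 mask 0f00 shift 6 eat\n' "$base"

    # 3. Rule inside table 1:: "udp dst" is now evaluated at nexthdr+2,
    #    i.e. the UDP destination port, even when IP options are present.
    printf '%s ht 1:: match udp dst %s 0xffff flowid 1:1 action %s\n' "$base" "$port" "$act"
}

# u32_udp_dport_apply DEV PORT [ACTION]: run the generated commands (root).
u32_udp_dport_apply() {
    u32_udp_dport_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}
```

Run `u32_udp_dport_rules mlx5p2 9` to inspect the rules, or `u32_udp_dport_apply mlx5p2 9` to install them.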
