How can I match on a specific bit using tc filter?





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







0















The goal:



I'm trying to shape traffic that enters and exits a device using a Raspberry Pi bridge running Rapsbian Stretch. Primarily, I want to control the DHCP process (drop ACK packets to see how the DHCP client responds, etc.), but may want to shape traffic based on other higher level protocols too. It's not just dropping packets based on protocol. I also want to access options in the protocol as a qualification for dropping packets.



The failed attempts:



These are more to show what I've tried, but feel free to tell me I messed up here.




  1. ebtables


Although bridges are L2, ebtables does have access to higher level bits. I tried dropping packets with src/dest on ports 67 or 68, but that just drops all DHCP. Trying to implement a rule in the middle of the DHCP process is unreliable and not precise.




  1. iptables


Supposedly, a command such as ebtables -t broute -P BROUTING DROP should send all packets to the current device to be routed. This would allow me to shape traffic going over the bridge (although technically it's not going over the bridge) using iptables. When I run this command however, all traffic with an IP destination on the other side of the bridge is dropped.



ip_forward is set to 1.



I have tried creating a static ARP entry on the bridge device so it can route properly.




  1. tc


I have the least experience with tc. It is obviously the most powerful of these tools. I know that it is capable of accessing arbitrary bits, and therefore matching on something like DHCP message type. I know it's the 285th byte of a standard DHCP packet. I'm trying to match on DHCP ACK which would mean that byte should be 0000 0101 (or 5 in decimal).



Here are some commands I've tried:



sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match 
u32 0x5 0xf at 284

sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
u32 0x50000000 0xf0000000 at 284

sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
5/f at 284

sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
0x5000 0xf000 at 284



The questions:



How can I match on the DHCP option using tc?



How can I be sure that I'm only matching on this byte when the packet is DHCP?



Any advice on failed attempts 1 or 2 would also be appreciated.










share|improve this question































    0















    The goal:



    I'm trying to shape traffic that enters and exits a device using a Raspberry Pi bridge running Rapsbian Stretch. Primarily, I want to control the DHCP process (drop ACK packets to see how the DHCP client responds, etc.), but may want to shape traffic based on other higher level protocols too. It's not just dropping packets based on protocol. I also want to access options in the protocol as a qualification for dropping packets.



    The failed attempts:



    These are more to show what I've tried, but feel free to tell me I messed up here.




    1. ebtables


    Although bridges are L2, ebtables does have access to higher level bits. I tried dropping packets with src/dest on ports 67 or 68, but that just drops all DHCP. Trying to implement a rule in the middle of the DHCP process is unreliable and not precise.




    1. iptables


    Supposedly, a command such as ebtables -t broute -P BROUTING DROP should send all packets to the current device to be routed. This would allow me to shape traffic going over the bridge (although technically it's not going over the bridge) using iptables. When I run this command however, all traffic with an IP destination on the other side of the bridge is dropped.



    ip_forward is set to 1.



    I have tried creating a static ARP entry on the bridge device so it can route properly.




    1. tc


    I have the least experience with tc. It is obviously the most powerful of these tools. I know that it is capable of accessing arbitrary bits, and therefore matching on something like DHCP message type. I know it's the 285th byte of a standard DHCP packet. I'm trying to match on DHCP ACK which would mean that byte should be 0000 0101 (or 5 in decimal).



    Here are some commands I've tried:



    sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match 
    u32 0x5 0xf at 284

    sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
    u32 0x50000000 0xf0000000 at 284

    sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
    5/f at 284

    sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
    0x5000 0xf000 at 284



    The questions:



    How can I match on the DHCP option using tc?



    How can I be sure that I'm only matching on this byte when the packet is DHCP?



    Any advice on failed attempts 1 or 2 would also be appreciated.










    share|improve this question



























      0












      0








      0


      0






      The goal:



      I'm trying to shape traffic that enters and exits a device using a Raspberry Pi bridge running Rapsbian Stretch. Primarily, I want to control the DHCP process (drop ACK packets to see how the DHCP client responds, etc.), but may want to shape traffic based on other higher level protocols too. It's not just dropping packets based on protocol. I also want to access options in the protocol as a qualification for dropping packets.



      The failed attempts:



      These are more to show what I've tried, but feel free to tell me I messed up here.




      1. ebtables


      Although bridges are L2, ebtables does have access to higher level bits. I tried dropping packets with src/dest on ports 67 or 68, but that just drops all DHCP. Trying to implement a rule in the middle of the DHCP process is unreliable and not precise.




      1. iptables


      Supposedly, a command such as ebtables -t broute -P BROUTING DROP should send all packets to the current device to be routed. This would allow me to shape traffic going over the bridge (although technically it's not going over the bridge) using iptables. When I run this command however, all traffic with an IP destination on the other side of the bridge is dropped.



      ip_forward is set to 1.



      I have tried creating a static ARP entry on the bridge device so it can route properly.




      1. tc


      I have the least experience with tc. It is obviously the most powerful of these tools. I know that it is capable of accessing arbitrary bits, and therefore matching on something like DHCP message type. I know it's the 285th byte of a standard DHCP packet. I'm trying to match on DHCP ACK which would mean that byte should be 0000 0101 (or 5 in decimal).



      Here are some commands I've tried:



      sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match 
      u32 0x5 0xf at 284

      sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
      u32 0x50000000 0xf0000000 at 284

      sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
      5/f at 284

      sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
      0x5000 0xf000 at 284



      The questions:



      How can I match on the DHCP option using tc?



      How can I be sure that I'm only matching on this byte when the packet is DHCP?



      Any advice on failed attempts 1 or 2 would also be appreciated.










      share|improve this question
















      The goal:



      I'm trying to shape traffic that enters and exits a device using a Raspberry Pi bridge running Rapsbian Stretch. Primarily, I want to control the DHCP process (drop ACK packets to see how the DHCP client responds, etc.), but may want to shape traffic based on other higher level protocols too. It's not just dropping packets based on protocol. I also want to access options in the protocol as a qualification for dropping packets.



      The failed attempts:



      These are more to show what I've tried, but feel free to tell me I messed up here.




      1. ebtables


      Although bridges are L2, ebtables does have access to higher level bits. I tried dropping packets with src/dest on ports 67 or 68, but that just drops all DHCP. Trying to implement a rule in the middle of the DHCP process is unreliable and not precise.




      1. iptables


      Supposedly, a command such as ebtables -t broute -P BROUTING DROP should send all packets to the current device to be routed. This would allow me to shape traffic going over the bridge (although technically it's not going over the bridge) using iptables. When I run this command however, all traffic with an IP destination on the other side of the bridge is dropped.



      ip_forward is set to 1.



      I have tried creating a static ARP entry on the bridge device so it can route properly.




      1. tc


      I have the least experience with tc. It is obviously the most powerful of these tools. I know that it is capable of accessing arbitrary bits, and therefore matching on something like DHCP message type. I know it's the 285th byte of a standard DHCP packet. I'm trying to match on DHCP ACK which would mean that byte should be 0000 0101 (or 5 in decimal).



      Here are some commands I've tried:



      sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match 
      u32 0x5 0xf at 284

      sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
      u32 0x50000000 0xf0000000 at 284

      sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
      5/f at 284

      sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match
      0x5000 0xf000 at 284



      The questions:



      How can I match on the DHCP option using tc?



      How can I be sure that I'm only matching on this byte when the packet is DHCP?



      Any advice on failed attempts 1 or 2 would also be appreciated.







      linux networking sudo






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Mar 12 at 15:28







      adin

















      asked Mar 12 at 14:18









      adinadin

      13




      13






















          0






          active

          oldest

          votes












          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1413411%2fhow-can-i-match-on-a-specific-bit-using-tc-filter%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1413411%2fhow-can-i-match-on-a-specific-bit-using-tc-filter%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Probability when a professor distributes a quiz and homework assignment to a class of n students.

          Aardman Animations

          Are they similar matrix