How can I match on a specific bit using tc filter?
The goal:
I'm trying to shape traffic that enters and exits a device using a Raspberry Pi bridge running Raspbian Stretch. Primarily, I want to control the DHCP process (drop ACK packets to see how the DHCP client responds, etc.), but may want to shape traffic based on other higher-level protocols too. It's not just dropping packets based on protocol. I also want to access options in the protocol as a qualification for dropping packets.
The failed attempts:
These are more to show what I've tried, but feel free to tell me I messed up here.
ebtables
Although bridges are L2, ebtables does have access to higher-level bits. I tried dropping packets with src/dest on ports 67 or 68, but that just drops all DHCP. Trying to implement a rule in the middle of the DHCP process is unreliable and not precise.
iptables
Supposedly, a command such as `ebtables -t broute -P BROUTING DROP` should send all packets to the current device to be routed. This would allow me to shape traffic going over the bridge (although technically it's not going over the bridge) using iptables. When I run this command however, all traffic with an IP destination on the other side of the bridge is dropped.
ip_forward is set to 1.
I have tried creating a static ARP entry on the bridge device so it can route properly.
tc
I have the least experience with tc. It is obviously the most powerful of these tools. I know that it is capable of accessing arbitrary bits, and therefore matching on something like DHCP message type. I know it's the 285th byte of a standard DHCP packet. I'm trying to match on DHCP ACK, which would mean that byte should be 0000 0101 (or 5 in decimal).
Here are some commands I've tried:
sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match u32 0x5 0xf at 284
sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match u32 0x50000000 0xf0000000 at 284
sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match 5/f at 284
sudo tc filter add dev br0 protocol ip parent 10: prio 1 u32 match 0x5000 0xf000 at 284
The questions:
How can I match on the DHCP option using tc?
How can I be sure that I'm only matching on this byte when the packet is DHCP?
Any advice on failed attempts 1 or 2 would also be appreciated.
Tags: linux, networking, sudo
asked Mar 12 at 14:18 by adin; edited Mar 12 at 15:28
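The script below is an added example, not part of the question or of any answer on this page. It writes out the set of u32 keys that single out a DHCPACK, renders them as a `tc filter` command, and then evaluates the very same keys in Python against constructed packets so the offsets can be checked without a root shell. Two facts about cls_u32 drive the numbers: `at N` counts from the first byte of the IP header (the skb network header), not from the Ethernet header, so the message-type byte of a standard reply lands at 20 + 8 + 236 + 4 + 2 = 270 rather than 284; and a filter with neither `action` nor a `classid` matches and then does nothing, so `action drop` is required. The interface name `eth0` is an assumption (a bridge slave port, since frames bridged between ports do not pass br0's own qdisc), and the keys assume IPv4 with no IP options and option 53 placed first, which the code both enforces with guard keys and demonstrates as a limitation by walking the option list.

```python
"""Added example: u32 keys that select a DHCPACK, emitted as a tc command and
checked against constructed packets. Not code from the question or any answer."""
import struct
from typing import List, Optional, Tuple

# (width_bytes, value, mask, offset). Offsets count from the first byte of the
# IPv4 header, which is how cls_u32 'at N' counts (skb network header), so the
# 284 counted from the Ethernet header in the question becomes 284 - 14 = 270.
Key = Tuple[int, int, int, int]

DEV = "eth0"          # assumption: a bridge slave port; bridged frames skip br0's own qdisc
MAGIC = 0x63825363    # DHCP magic cookie that follows the 236-byte BOOTP header
DHCPOFFER, DHCPACK = 2, 5


def dhcp_ack_keys() -> List[Key]:
    """Keys for an IPv4/UDP BOOTREPLY whose first option is message type 53 = DHCPACK.
    Every fixed offset below assumes IHL == 5, which the first key enforces."""
    return [
        (1, 0x45, 0xff, 0),           # IPv4 with a 20-byte header (no IP options)
        (1, 17, 0xff, 9),             # protocol = UDP
        (2, 68, 0xffff, 22),          # UDP dport 68 (bootpc): server -> client direction
        (1, 2, 0xff, 28),             # BOOTP op = BOOTREPLY
        (4, MAGIC, 0xffffffff, 264),  # magic cookie at DHCP offset 236
        (2, 0x3501, 0xffff, 268),     # option 53, length 1, at DHCP offset 240
        (1, DHCPACK, 0xff, 270),      # the message-type value byte itself
    ]


def tc_filter_command(keys: List[Key], dev: str = DEV) -> str:
    """Render the keys as a tc u32 filter on the ingress qdisc of `dev`.
    Without 'action drop' (or a classid) a matching filter does nothing."""
    width_name = {1: "u8", 2: "u16", 4: "u32"}
    parts = [f"tc filter add dev {dev} parent ffff: protocol ip prio 1 u32"]
    for width, value, mask, off in keys:
        parts.append(f"match {width_name[width]} 0x{value:x} 0x{mask:x} at {off}")
    parts.append("action drop")
    return " \\\n    ".join(parts)


def u32_match(ip_packet: bytes, keys: List[Key]) -> bool:
    """Evaluate the keys the way cls_u32 does: load the field at the offset in
    network byte order, AND with the mask, compare. A field beyond the end of the
    packet fails the match (the kernel's header read fails); it does not crash."""
    for width, value, mask, off in keys:
        field = ip_packet[off:off + width]
        if len(field) < width:
            return False
        if int.from_bytes(field, "big") & mask != value & mask:
            return False
    return True


def message_type_offset(ip_packet: bytes) -> Optional[int]:
    """Walk the option list to find the real IP-relative offset of the message-type
    byte. u32 cannot do this walk, which is why the fixed keys above only work when
    option 53 is the first option; RFC 2131 does not mandate that ordering."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 17:
        return None
    dhcp = (ip_packet[0] & 0x0F) * 4 + 8                 # past IP header and UDP header
    if ip_packet[dhcp + 236:dhcp + 240] != MAGIC.to_bytes(4, "big"):
        return None
    i = dhcp + 240
    while i + 1 < len(ip_packet):
        tag = ip_packet[i]
        if tag == 0:                                     # pad option
            i += 1
            continue
        if tag == 255:                                   # end option, type never seen
            return None
        length = ip_packet[i + 1]
        if tag == 53 and length == 1:
            return i + 2
        i += 2 + length
    return None


def build_dhcp_reply(msg_type: int, type_first: bool = True, ip_options: bytes = b"") -> bytes:
    """Constructed sample IPv4/UDP/BOOTP reply (not a capture); checksums left zero."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]),
                        b"\0" * 4, b"\xde\xad\xbe\xef\x00\x01".ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)        # 236 bytes of fixed fields
    opt_type = bytes([53, 1, msg_type])
    opt_server = bytes([54, 4, 192, 168, 1, 1])
    options = opt_type + opt_server if type_first else opt_server + opt_type
    payload = bootp + MAGIC.to_bytes(4, "big") + options + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload
    ihl = 5 + len(ip_options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(udp),
                         0, 0, 64, 17, 0, bytes([192, 168, 1, 1]), bytes([192, 168, 1, 100]))
    return ip_hdr + ip_options + udp


if __name__ == "__main__":
    print(tc_filter_command(dhcp_ack_keys()))
    for name, pkt in [("ack", build_dhcp_reply(DHCPACK)),
                      ("offer", build_dhcp_reply(DHCPOFFER)),
                      ("ack, option 53 not first", build_dhcp_reply(DHCPACK, type_first=False)),
                      ("ack with IP options", build_dhcp_reply(DHCPACK, ip_options=b"\x01" * 4))]:
        print(f"{name:28} u32 match={u32_match(pkt, dhcp_ack_keys())!s:5} "
              f"real type offset={message_type_offset(pkt)}")
```

To use the printed command on the Pi, first attach an ingress qdisc with `tc qdisc add dev eth0 ingress`, then paste the filter; `tc -s filter show dev eth0 ingress` shows per-filter hit counters, which is the quickest way to confirm the offsets line up with real traffic. The guard keys (IHL, UDP, dport 68, BOOTREPLY, magic cookie, option 53 header) are what keep the byte-270 test from firing on unrelated UDP payloads that happen to carry a 5 at that position; the `message_type_offset` walk shows the remaining gap, namely a server that emits option 53 somewhere other than first, which no fixed-offset u32 key can follow.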