
tc syntax for dropping packet (ingress/egress filtering)

Discussion in 'Asuswrt-Merlin' started by ml70, May 19, 2019.

  1. ml70

    ml70 Regular Contributor

    Joined:
    Oct 31, 2013
    Messages:
    117
    According to this https://blog.cloudflare.com/how-to-drop-10-million-packets/ dropping ingress packets with tc should be easy peasy, but I just can't figure out the proper syntax for Asus (AC-66 2.6.22.19 #1 Mon Sep 12 19:17:46 MST 2016 mips GNU/Linux) version of tc.

    As a test I'm trying to drop packets with the TCP RST bit set, but nothing much happens even with the police drop syntax. Should the ingress qdisc rather be attached to vlan1? No success with either.
    Code:
    $ tc qdisc add dev ppp0 ingress
    $ tc -s -d qdisc show dev ppp0
    qdisc ingress ffff: parent ffff:fff1 ----------------
     Sent 112206402 bytes 594027 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
    $ tc filter add dev ppp0 parent ffff: prio 101 protocol ip u32 match ip protocol 0x6 0xff match u8 0x05 0x0f at 0 match u8 0x04 0x04 at 33 flowid ffff: action drop
    RTNETLINK answers: Operation not supported
    We have an error talking to the kernel
    $ tc filter add dev ppp0 parent ffff: prio 101 protocol ip u32 match ip protocol 0x6 0xff match u8 0x05 0x0f at 0 match u8 0x04 0x04 at 33 flowid ffff: police drop
    $
    
    I've tried about a thousand variations with different devices and options so any help would be very welcome.

    Even a very simple filter that tries to match all TCP packets doesn't produce anything resembling hits:
    Code:
    $ tc filter add dev ppp0 parent ffff: prio 111 protocol ip u32 match ip protocol 0x6 0xff flowid ffff: police drop
    $ tc -s -d filter show dev ppp0 parent ffff:
    filter protocol ip pref 111 u32
    filter protocol ip pref 111 u32 fh 80c: ht divisor 1
    filter protocol ip pref 111 u32 fh 80c::800 order 2048 key ht 80c bkt 0 flowid ffff:
      match 00060000/00ff0000 at 8
     police 0x1a rate 0bit burst 0b mtu 4096Mb action drop
    ref 0 bind 0
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
    
    There's very little Google help regarding tc to begin with, and it's all the more frustrating that Asus throws errors with many of the examples I do find.

    Now, WHY use tc when this would be dead simple with iptables? Well, see Cloudflare's blog entry, which shows tc being 300% faster than iptables at dropping packets.
     
  2. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    220
    Not sure what the problem is, but that's one interesting document. It's a keeper!
     
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,847
    Location:
    UK
    But they got similar speeds using PREROUTING, so maybe that's an option.

    Apart from academic interest is there any practical reason you want to do this?
     
  4. ml70

    ml70 Regular Contributor

    Joined:
    Oct 31, 2013
    Messages:
    117
    Just want to learn more tc, especially for filtering. As far as I understand, it can also be used for layer 2 packets, so it's more versatile than netfilter. And dropping resets is about the least intrusive example; nothing's going to break badly.

    Unfortunately, the version on Asus is like banging your head against the wall: almost none of the examples I can find work as such, and the internal help isn't very helpful either:
    Code:
    $ tc filter add dev ppp0 parent ffff: prio 101 protocol ip u32 match ip protocol 0x6 0xff match u8 0x05 0x0f at 0 match u8 0x04 0x04 at 33 flowid ffff: action ?
    bad action type ?
    Usage: ... gact <ACTION> [RAND] [INDEX]
    Where: ACTION := reclassify | drop | continue | pass
           RAND := random <RANDTYPE> <ACTION> <VAL>
           RANDTYPE := netrand | determ
           VAL : = value not exceeding 10000
           INDEX := index value used
    bad action parsing
    parse_action: bad value (1:?)!
    Illegal "action"
    
    When making a complete rule with police drop instead of action drop, I can see the syntax involves "gact" somehow, but I've been unable to piece the syntax together. Just too cryptic for my meager skills.
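As an added example (not code from the thread or from the Asuswrt-Merlin project), here is a small POSIX shell script that assembles the commands from posts 1 and 4 above: the ingress qdisc, the u32 match for TCP RST, and the police-drop form that the Asus kernel accepted where `action drop` returned "Operation not supported". The only thing it adds to the posted commands is that the TCP flags offset is derived from the IP header length instead of being hard-coded to 33, which also explains why the posted filter needs the `match u8 0x05 0x0f at 0` (IHL == 5) guard in front of it. Function names, the `APPLY` switch and the `ppp0`/`vlan1` device names are my own placeholders; by default the script only prints the commands so it can be inspected without root or a router.

```shell
#!/bin/sh
# Added example: build (and optionally run) the tc ingress filter from the
# thread that drops inbound TCP segments with the RST bit set.
# Helper names are hypothetical; the tc syntax is the u32/police form that
# worked on the Asus build in the thread.

# Byte offset of the TCP flags byte, counted from the start of the IP header.
# For "protocol ip" u32 filters, "at N" is relative to the IP header, so the
# flags byte sits at IHL*4 (IP header length) + 13 (flags byte of the TCP
# header). With the usual IHL of 5 this is the 33 used in the thread.
tcp_flags_offset() {
    ihl=${1:-5}
    echo $(( ihl * 4 + 13 ))
}

# Print the two commands: attach the ingress qdisc, then add a u32 filter that
# matches IPv4 protocol 6 (TCP), IHL == 5 (first byte masked 0x0f), and the
# RST bit (0x04 in the flags byte). The IHL check guards the fixed offset:
# with IP options present the flags byte would move and the match would miss.
# "police drop" is used because "action drop" (gact) was rejected by the
# kernel in the thread. "flowid ffff:" is kept as posted.
rst_drop_cmds() {
    dev=$1
    off=$(tcp_flags_offset 5)
    printf '%s\n' "tc qdisc add dev $dev ingress"
    printf '%s\n' "tc filter add dev $dev parent ffff: prio 101 protocol ip u32 match ip protocol 0x6 0xff match u8 0x05 0x0f at 0 match u8 0x04 0x04 at $off flowid ffff: police drop"
}

# Commands to read back the qdisc and filter counters, as done in the thread.
inspect_cmds() {
    dev=$1
    printf '%s\n' "tc -s -d qdisc show dev $dev"
    printf '%s\n' "tc -s -d filter show dev $dev parent ffff:"
}

# Command to remove the ingress qdisc (and with it every filter under ffff:).
cleanup_cmds() {
    dev=$1
    printf '%s\n' "tc qdisc del dev $dev ingress"
}

# Dry-run by default: print each command with a "# " prefix. Run with APPLY=1
# as root on the router to execute them instead.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$cmd"
        else
            echo "# $cmd"
        fi
    done
}

# Usage: sh tc_rst_drop.sh [device]   (device defaults to the ppp0 placeholder)
DEV=${1:-ppp0}
{ rst_drop_cmds "$DEV"; inspect_cmds "$DEV"; } | run_cmds
```

To check whether a filter is actually dropping anything, compare the `dropped` counter from `tc -s -d qdisc show dev ppp0` before and after sending traffic that should match, rather than relying only on the per-filter line; run `cleanup_cmds` through the same `run_cmds` (with `APPLY=1`) to undo the experiment.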