TC - Filter

Last updated: 2024-08-27



tc Filter (filtering commands)

 

filtertype:

 


filtertype: u32

 

It extracts a bit field from a 32-bit word in the packet.

It bases the decision on fields within the packet: if the extracted field equals a value you supply, the filter matches.

 * Lower priority (higher preference number) will be processed first (first prio wins)

The general selector syntax

match [ u32 | u16 | u8 ] PATTERN MASK [ at OFFSET | nexthdr+OFFSET]

* The position of the sample is defined by the offset specified after the at keyword.

e.g.

match u32 00100000 00ff0000 at 0

The 00ff0000 number is the match mask, telling the filter exactly which bits to match.
The at keyword means that the match starts at the specified offset (in bytes).

Higher level syntax:

ip:

  • dst, src                    # e.g. match ip dst 3.2.1.0/24 (all IPs)
  • dport, sport (MASK_16)      # e.g. match ip sport 80
  • protocol (MASK_8)           # 6 = TCP, 17 = UDP

* The higher-level syntax is internally translated into a real u32 selector
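
The translation described above, worked through as an added example (not code from the original page or from iproute2): the helpers below, whose names are hypothetical, turn the higher-level ip matches into raw (value, mask, offset) keys and test them against a constructed UDP packet. It assumes an IPv4 header without options, which the fixed offsets 20 and 22 for sport and dport rely on, and it shows that a mask shorter than the field (0xfff on a 16-bit port) also matches other ports.

```python
# Added example: simplified model of u32 matching; helper names are hypothetical.
import ipaddress
import struct

# (width, byte offset) in an IPv4 header without options (IHL = 5, an assumption).
IP_FIELDS = {"protocol": (1, 9), "sport": (2, 20), "dport": (2, 22)}
IP_ADDRS = {"src": 12, "dst": 16}

def u32_key(width, value, mask, offset):
    """Fold a u8/u16/u32 match into (value, mask, offset) on an aligned 32-bit word."""
    shift = (4 - width - offset % 4) * 8  # where the field sits inside its word
    mask &= (1 << width * 8) - 1
    return (value & mask) << shift, mask << shift, offset - offset % 4

def ip_key(field, value, mask):
    """'match ip protocol|sport|dport VALUE MASK' as a raw key."""
    width, offset = IP_FIELDS[field]
    return u32_key(width, value, mask, offset)

def ip_net_key(field, cidr):
    """'match ip src|dst A.B.C.D/len' as a raw key."""
    net = ipaddress.ip_network(cidr)
    return u32_key(4, int(net.network_address), int(net.netmask), IP_ADDRS[field])

def matches(packet, keys):
    """Every key must match (AND), like several match clauses on one filter."""
    return all(struct.unpack_from("!I", packet, off)[0] & mask == value
               for value, mask, off in keys)

def udp_packet(dst, dport, sport=40000, src="192.0.2.10"):
    """Constructed sample: 20-byte IPv4 header (no options) plus a UDP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)

# Same two conditions, full 16-bit mask versus a 12-bit mask on the port.
STRICT = [ip_key("protocol", 17, 0xff), ip_key("dport", 23456, 0xffff)]
LOOSE = [ip_key("protocol", 17, 0xff), ip_key("dport", 23456, 0xfff)]

if __name__ == "__main__":
    for port in (23456, 7072, 22):
        pkt = udp_packet("3.2.1.7", port)
        print(port, "strict:", matches(pkt, STRICT), "loose:", matches(pkt, LOOSE))
```

Port 7072 is 0x1BA0 and 23456 is 0x5BA0, so with the 0xfff mask only the shared low 12 bits (0xBA0) are compared and both ports match.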

Help

tc filter add u32 help

e.g.

[1]

# Attach to eth0, root 1:0
# Add a u32 filter with priority 50
# The rule (the match line): the remote port is 22
# Send it to band 1:101

tc filter add dev eth0 protocol ip parent 1: \
    prio 50 u32 \
    match ip dport 22 0xffff \
    flowid 1:101

[2] Two conditions

# Mask 0xffff compares all 16 bits of the port, so only dport 23456 matches
tc filter add dev eth0 parent ffff: u32 \
 match ip protocol 17 0xff \
 match ip dport 23456 0xffff \
 police rate 1mbit burst 1m

Action

reclassify (Default)

Treat the packet as non-matching to the filter this action is attached to and continue with the next filter in line (if any).
This is the default for exceeding packets.

 


filtertype: fwmark (iptables)

 

iptables -A PREROUTING -t mangle -i eth0 -j MARK --set-mark 6

tc filter add dev eth1 protocol ip parent 1: prio 1 handle 6 fw flowid 1:1

# show

iptables -L -t mangle -n -v

Delete Filter Example

First, set up a filter

tc filter add dev eth0 parent 1: protocol ip handle 80 fw flowid 1:20

Check it

tc filter show dev eth0

filter parent 1: protocol ip pref 49152 fw
filter parent 1: protocol ip pref 49152 fw handle 0x50 classid 20:

Delete it

tc filter del dev eth0 protocol ip pref 49152

 
