From 16fcc85c283537ea00357e2ca4bbb561c03bc65b Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 11 May 2016 00:21:24 +0200 Subject: src: add dscp support This supports both IPv4: # nft --debug=netlink add rule filter forward ip dscp cs1 counter ip filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000080 ] [ counter pkts 0 bytes 0 ] And also IPv6, note that in this case we take two bytes from the payload: # nft --debug=netlink add rule ip6 filter input ip6 dscp cs4 counter ip6 filter input [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000008 ] [ counter pkts 0 bytes 0 ] Given the DSCP is split in two bytes, the less significant nibble of the first byte and the two most significant 2 bits of the second byte. The 8 bit traffic class in RFC2460 after the version field are used for DSCP (6 bit) and ECN (2 bit). Support for ECN comes in a follow up patch. Signed-off-by: Pablo Neira Ayuso --- tests/py/ip6/ip6.t.payload.inet | 43 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) (limited to 'tests/py/ip6/ip6.t.payload.inet') diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet index 3d0ae396..35e77c17 100644 --- a/tests/py/ip6/ip6.t.payload.inet +++ b/tests/py/ip6/ip6.t.payload.inet @@ -1,3 +1,46 @@ +# ip6 dscp cs1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# ip6 dscp != cs1 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# ip6 dscp 0x38 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0000000e ] + +# ip6 dscp != 0x20 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000008 ] + +# ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef} +set%d test-inet 3 +set%d test-inet 0 + element 00000000 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000006 : 0 [end] element 00000008 : 0 [end] element 0000000a : 0 [end] element 0000000c : 0 [end] element 0000000e : 0 [end] element 00008002 : 0 [end] element 00000003 : 0 [end] element 00008003 : 0 [end] element 00008004 : 0 [end] element 00000005 : 0 [end] element 00008005 : 0 [end] element 00008006 : 0 [end] element 00000007 : 0 [end] element 00008007 : 0 [end] element 00008008 : 0 [end] element 00000009 : 0 [end] element 00008009 : 0 [end] element 0000800b : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] + [ lookup reg 1 set set%d ] + # ip6 flowlabel 22 inet test-inet input [ meta load nfproto => reg 1 ] -- cgit v1.2.3