Search code examples
linuxfilteringportsnetwork-traffic

How to exclude port ranges via ematch in Linux traffic control (tc)?

I am currently facing a trouble in my code.

Mainly, I emulate the connection between two computers, connected via an ethernet bridge (Raspberry Pi, Raspbian). So I am able to influence parameters of this connection (like bandwidth, latency and much more) via tc qdisc. This works out fine, as you can see in the code down below.


But now to my problem:

I am also trying to exclude specific port ranges, what means ports that aren't influenced by my given parameters (latency etc..).

For that I created two prio bands. The prio band 0 (higher priority) handles my port exclusion (already in the parent root). Afterwards in prio band 1 (lower priority), I decline a latency via netem.
The whole data traffic will pass through my influenced prio band 1, the remaining (excluded data) will pass uninfluenced through prio band 0.

I don't get kernel errors while executing my code!
But I only receive filter parent 1: protocol ip pref 1 basic after typing sudo tc filter show dev eth1. My match is not even mentioned.

What did I wrong?
Can you explain me why I don't get my excpected output?


THIS IS MY CODE (in right order of executioning):

PARENT ROOT

sudo tc qdisc add dev eth1 root handle 1: prio bands 2 priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

  • This creates two priobands (1:1 and 1:2)

BAND 0 [PORT EXCLUSION | port 100 - 800]

sudo tc qdisc add dev eth1 parent 1:1 handle 10: tbf rate 512kbit buffer 1600 limit 3000

  • Creates a tbf (Token Bucket Filter) to set bandwidth

sudo tc filter add dev eth1 parent 1: protocol ip prio 1 handle 0x10 basic match "cmp(u16 at 0 layer transport lt 100) and cmp(u16 at 0 layer transport gt 800)" flowid 1:1

  • Creates a filter with specific handle, that excludes port 100 to 800 from the prioband 1 (the influenced data packets)

BAND 1 [NET EMULATION]

sudo tc qdisc add dev eth1 parent 1:2 handle 20: tbf rate 1024kbit buffer 1600 limit 3000

  • Compare with tbf above

sudo tc qdisc add dev eth1 parent 20:1 handle 21: netem delay 200ms

  • Creates via netem a delay of 200ms

Here you can see my hierarchy as an image

The question again:
My filter match is not even mentioned.

What did I wrong?
Can you explain me why I don't get my excpected output?



I appreciate any kind of help! Thanks for your efforts!
~rotsechs

Solution

  • It seems like I have to neglect the missing output! Nevertheless, it works perfectly.
    I established a SSH connection to my Ethernet Bridge (via MobaXterm).
    Afterwards I laid a delay of 400ms on it. The console inputs slowed down as expected.
    Finally I created the filter and excluded the port range from 20 to 24 (SSH has port 22).

    The delay of my SSH connection disappeared immediately!