Idea for packet classification.

From: jordi
Date: Tue Sep 27 2005 - 11:14:24 EST

Next message: Joel Schopp: "Re: [PATCH 7/9] try harder on large allocations"
Previous message: Linus Torvalds: "Re: [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC]Oops while completing async USB via usbdevio"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The idea is to create a set of iptables TARGETS that classifies the packets.

When a packet is classified, a classification / Values is associated with the packet.

This classifications can then be used on an iptable filter rule, in a routing table selection rule or in a tc classification filter.

For example:

#iptables âA INPUT âj CLS user --classifier tcfilter --filtername u32 â
#iptables âA INPUT âj CLS quota_plan --classifier hash --table user_to_quota --input cls user
#iptables âA INPUT âj CLS tos --classifier tos

#iptables âA FORWARD âp tcp âport 5343 âcls quota_plan=1 âj DROP

So in this example when a packet arrives, the source address is taken and translated directly to a user, and the packet is marked with the userid. I.e. The packed has an associated classification user = 23

In the second line a hash table classifies the packet. The user is taken from input and a quota plan is taken as an output.

So after the second rule, the packet has associated 2 classifications:
user=23
quota_plan=2

The 3rd line classifies the packet by TOS so the packet has 3 classifications
User=23
Quota_plan=2
Tos=0

Once a packet is classified, those classifications can be used in a filter rule or can be used in a routing rule or in a traffic shaping queue classification.

A packet can have many classifications
Those classifications can be used any time in the packet live.

In the 4th line in th example, the rule drops all tcp packets with port 5343 and had been classified as quota_plan

The 1st line in the rule uses a tc filter wrapper to classify the packet.

This idea would be an extesion of the MARK target.

I am planning to make a patch to implement a couple of functions to insert classifications to the sk_buff structure and to consult classifications of a sk_buff.
Do you believe that it is interesting or are you planning to do packet classifications in another way and doing that I would lose the time.

Thank you,

Jordi

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html

Next message: Joel Schopp: "Re: [PATCH 7/9] try harder on large allocations"
Previous message: Linus Torvalds: "Re: [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC]Oops while completing async USB via usbdevio"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]