Idea for packet classification.
From: jordi
Date: Tue Sep 27 2005 - 11:14:24 EST
The idea is to create a set of iptables TARGETS that classifies the packets.
When a packet is classified, a classification / Values is associated with
the packet.
These classifications can then be used in an iptables filter rule, in a
routing table selection rule or in a tc classification filter.
For example:
# iptables -A INPUT -j CLS user --classifier tcfilter --filtername u32 ...
# iptables -A INPUT -j CLS quota_plan --classifier hash --table user_to_quota --input cls user
# iptables -A INPUT -j CLS tos --classifier tos
# iptables -A FORWARD -p tcp --port 5343 --cls quota_plan=1 -j DROP
So in this example when a packet arrives, the source address is taken and
translated directly to a user, and the packet is marked with the userid.
I.e. the packet has an associated classification user = 23
In the second line a hash table classifies the packet. The user is taken
from input and a quota plan is taken as an output.
So after the second rule, the packet has associated 2 classifications:
user=23
quota_plan=2
The 3rd line classifies the packet by TOS so the packet has 3
classifications
User=23
Quota_plan=2
Tos=0
Once a packet is classified, those classifications can be used in a filter
rule or can be used in a routing rule or in a traffic shaping queue
classification.
A packet can have many classifications
Those classifications can be used any time in the packet's life.
In the 4th line in the example, the rule drops all tcp packets with port 5343
that have been classified as quota_plan
The 1st line in the rule uses a tc filter wrapper to classify the packet.
This idea would be an extension of the MARK target.
I am planning to make a patch to implement a couple of functions to insert
classifications into the sk_buff structure and to consult the classifications
of a sk_buff.
Do you believe that it is interesting, or are you planning to do packet
classification in another way, so that doing that I would lose the time?
Thank you,
Jordi
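
Added example, not part of the original message and not the patch it proposes: a user-space C model of the named-classification store and the four example rules, run in order without regard to which chain each rule sits in. The struct layout, the fixed capacity, the function names (cls_set, cls_get, run_rules) and the address-to-user and user-to-quota mappings are all assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define CLS_MAX 4        /* assumed fixed per-packet capacity */
#define CLS_NAME_LEN 16  /* assumed maximum name size, including NUL */

struct cls_entry { char name[CLS_NAME_LEN]; uint32_t value; };

/* Stand-in for the part of sk_buff that would carry classifications. */
struct pkt {
    uint32_t saddr; uint16_t dport; uint8_t proto, tos;
    struct cls_entry cls[CLS_MAX];
    unsigned int ncls;
};

/* Insert or update a classification; -1 if the name is too long or the store is full. */
int cls_set(struct pkt *p, const char *name, uint32_t value)
{
    unsigned int i;
    if (strlen(name) >= CLS_NAME_LEN)
        return -1;
    for (i = 0; i < p->ncls; i++)
        if (strcmp(p->cls[i].name, name) == 0) { p->cls[i].value = value; return 0; }
    if (p->ncls == CLS_MAX)
        return -1;
    strcpy(p->cls[p->ncls].name, name);   /* length checked above */
    p->cls[p->ncls++].value = value;
    return 0;
}

/* Consult a classification; -1 if the packet never received one by that name. */
int cls_get(const struct pkt *p, const char *name, uint32_t *out)
{
    unsigned int i;
    for (i = 0; i < p->ncls; i++)
        if (strcmp(p->cls[i].name, name) == 0) { *out = p->cls[i].value; return 0; }
    return -1;
}

/* Constructed table standing in for the user_to_quota hash. */
static uint32_t user_to_quota(uint32_t user) { return user == 23 ? 2 : 1; }

/* Runs the four example rules; returns 1 for DROP, 0 for accept. */
int run_rules(struct pkt *p)
{
    uint32_t user, plan;
    cls_set(p, "user", p->saddr == 0x0a000017 ? 23 : 7);  /* rule 1 stand-in */
    if (cls_get(p, "user", &user) == 0)                    /* rule 2: user -> plan */
        cls_set(p, "quota_plan", user_to_quota(user));
    cls_set(p, "tos", p->tos);                             /* rule 3 */
    return p->proto == 6 && p->dport == 5343 &&            /* rule 4 */
           cls_get(p, "quota_plan", &plan) == 0 && plan == 1;
}
```

A missing classification makes the match fail rather than compare against a default value, so a packet that skipped the classifier rules is not treated as quota_plan=1.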