"see" packet mark by linux

vlad, it depends on how the Linux system is marking the packets. If it's using TOS, then yes, pf and ipfw can both see TOS. I don't think DSCP is supported by either yet, but I've seen it discussed.

If you're marking with the iptables --set-mark option, then no, that won't be visible to FreeBSD or any other host outside the Linux machine that set it. Those "marks" don't get added to the packet.

DutchDaemon said:
Look for 'set fingerprints'.

Then look at pf.os(5) and /etc/pf.os.
This will only work if the Linux server is originating the packets, in which case you can probably just as well use the machine's IP address...
 
You might need fingerprinting to find that IP address... unless you already know all the machines connecting to your machine. Anyway, I guess I misunderstood the context of 'marking'. Is that something like tagging?
 
I don't think so; marking is like pf tagging. The mark only works with the mangle table. In other words, it only works with routing and will not work outside the mangle table. It is used for queue disciplines and routing purposes.

Also, pf fingerprinting is not accurate.
 
Thanks all for the replies!
Now my ISP says that the packets will come to me marked, so I think TOS is being used. I understand that packets marked in Linux with --set-mark are visible only to that machine, because the packet is not modified (it is marked at kernel level).
I don't know how fingerprints would help me, because I'm not interested in finding which OS the packets come from.
I need to do some shaping based on how the packet is marked.
So aragon, how can I filter marked packets using ipfw, since I'm already using this firewall?
 
vlad2005 said:
So aragon, how can I filter marked packets using ipfw, since I'm already using this firewall?
Quoted from ipfw(8):

Code:
     iptos spec
             Matches IPv4 packets whose tos field contains the comma separated
             list of service types specified in spec.  The supported IP types
             of service are:

             lowdelay (IPTOS_LOWDELAY), throughput (IPTOS_THROUGHPUT),
             reliability (IPTOS_RELIABILITY), mincost (IPTOS_MINCOST),
             congestion (IPTOS_ECN_CE).  The absence of a particular type may
             be denoted with a `!'.

And also of interest from ipfw(8):

Code:
     ipprecedence precedence
             Matches IPv4 packets whose precedence field is equal to
             precedence.

So something like this:

Code:
ipfw add 1000 allow ip from any to any iptos lowdelay

Would match packets with TOS set to 0x10.
 
OK, after some discussion with my provider, it seems that the packets are marked for DiffServ classes (AF classes).
For instance, in Linux I can filter packets with something like this:
Code:
iptables -A INPUT -m dscp --dscp-class AF11
or
Code:
iptables -A INPUT -m dscp --dscp 10
(10 is the decimal value that corresponds to the AF11 class.)

I don't know how to do that in FreeBSD?
 
DSCP is backward compatible with the TOS and Precedence fields. Have a look here for some info on the topic.

In your case this should work:

Code:
ipfw add 1000 permit ip from any to any ipprecedence 1 iptos !lowdelay,throughput,!reliability,!mincost,!congestion

Never tried this myself, so let us know how it goes. :)
 
I understand that the DSCP for AF11 corresponds to ipprecedence equal to 1 and the DSCP for AF21 corresponds to ipprecedence equal to 2.
This can be enough to separate packets based on AF11 and AF21 respectively. So rules like this can be enough:
Code:
ipfw add 1000 skipto 5000 ip from any to any ipprecedence 1
ipfw add 1001 skipto 6000 ip from any to any ipprecedence 2
Is that right?
 
Yeah, that will separate AF11 from AF21, but it won't separate AF11 from CS1, AF12 and AF13, or AF21 from CS2, AF22 and AF23.
 
My packets are marked with AF11 and AF21, and for these I need to do some shaping. Anyway, this is an emergency solution. I spoke with Marcelo Araujo, who made a patch for ipfw which implements filtering based on the DSCP value. If anyone is interested, the patch is attached to this post. When I finish, I will post the result.
 

PR is short for Problem Report. It is the FreeBSD bug submission term, but it is also used for submitting patches that improve the functionality of FreeBSD.

http://www.freebsd.org/support.html

Take a look at that page. If you submit a PR with your patch attached, it stands a chance of being pulled into FreeBSD as an included feature.
 
I've tried the patch; it is not working. There is an error at compile time, and my poor C/Unix programming knowledge does not help. If anybody gets the patch to apply and then compiles the ipfw utility and kernel module, please post the patch (for FreeBSD 7.2 if possible).

thank you and best regards
 
I tried it on FreeBSD 7.1 and it works, but it doesn't recognise the dscp option (which is where my interest is). I wrote to the author of this patch and am waiting.
Today I worked on finding where the problem is, but I'm stuck on some problems. Anyway, I think I need to compile the module and binary for ipfw, or recompile the entire kernel.
For the moment I don't have any good news, so if I make some progress I will post in this topic.
 
Is this what you suggested in a previous post?
I tried it right now, but it gives me an error:
Code:
freebsd# ipfw add 20 count ip from any to any ipprecedence 1 iptos !lowdelay,throughput,!reliability,!mincost,!congestion
lowdelay,throughput,!reliability,!mincost,!congestion: Event not found.
Anyway, I finished working with the patch, and it seems to be OK.
But if you have an idea about how to make your suggestion work, that would be fine.
 
You need to escape the ! with \.

Code:
ipfw add 20 count ip from any to any ipprecedence 1 iptos \!lowdelay,throughput,\!reliability,\!mincost,\!congestion

Or use single quotes

Code:
ipfw add 20 count ip from any to any ipprecedence 1 iptos '!lowdelay,throughput,!reliability,!mincost,!congestion'
 
The command works with the escape, but I don't know exactly how to use it in my case.
So suppose that I need to count packets with DSCP equal to AF11.
First I use the patched kernel to modify the packet:
Code:
 ipfw add 10 modip dscp:AF11 ip from any to any

Then I try to intercept these packets. According to what I read, this should look like this:
Code:
ipfw add 20 count ip from any to any ipprecedence 1 iptos \!lowdelay,throughput,\!reliability,mincost,\!congestion

But rule 20 doesn't capture anything. Maybe it's the wrong sequence for the iptos argument.
Anyway, testing with the improvement from the patch gives the desired result.
Code:
 ipfw add 20 count ip from any to any dscp AF11

The show command from ipfw looks OK.
Code:
freebsd# ipfw show
00010  959 82291 modip dscp:AF11 ip from any to any
00020   24  1584 count ip from any to any dscp AF11
65535 1099 92987 allow ip from any to any
 
vlad2005 said:
Then I try to intercept these packets. According to what I read, this should look like this:
Code:
ipfw add 20 count ip from any to any ipprecedence 1 iptos \!lowdelay,throughput,\!reliability,mincost,\!congestion
Should be !mincost.
 
Hi!
Yes, it works. That is good news for those who don't want to patch the kernel.
I know that the packets are modified by the ISP, but with modip I make the modification myself, and the packets are passed again to the firewall, so it can be tested.
Now, I don't understand why the mincost bit needs to be 0. Or when does it need to be 0 or 1?
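As an added example (not code from the thread, from Marcelo Araujo's patch, or from FreeBSD), the following Python works out the bit layout behind aragon's ipprecedence/iptos rule for AF11, why the earlier form with a plain `mincost` counted nothing, and what the unpatched rule will miss. It assumes the flag values ipfw(8) takes from FreeBSD's netinet/ip.h (lowdelay 0x10, throughput 0x08, reliability 0x04, mincost 0x02, congestion = IPTOS_ECN_CE = 0x03) and that ipfw accepts an iptos spec only when every plain flag is set and every `!` flag is fully clear; the DSCP values are the RFC 2474/2597 code points for the classes named in the thread, and the rule strings it builds are for display, not executed.

```python
# Added example, not from the thread or from FreeBSD: DSCP <-> TOS-byte
# arithmetic behind the ipfw ipprecedence/iptos rule discussed above.
# Assumptions (labelled): flag values as in FreeBSD's netinet/ip.h used by
# ipfw(8); ipfw requires plain flags set and '!' flags clear.

# DiffServ code points (RFC 2474 / RFC 2597) for the classes in the thread.
DSCP = {
    "CS1": 0b001000, "AF11": 0b001010, "AF12": 0b001100, "AF13": 0b001110,
    "CS2": 0b010000, "AF21": 0b010010, "AF22": 0b010100, "AF23": 0b010110,
}

# ipfw(8) iptos flag names and the TOS-byte bits they test (assumed values).
TOS_FLAGS = [
    ("lowdelay", 0x10), ("throughput", 0x08), ("reliability", 0x04),
    ("mincost", 0x02), ("congestion", 0x03),  # congestion = both ECN bits
]


def dscp_to_tos(dscp):
    """DSCP is the top six bits of the old TOS byte (RFC 2474); the two low
    bits are the ECN field (RFC 3168), taken as 00 here."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def tos_to_dscp(tos):
    """Recover the six DSCP bits from a full TOS byte."""
    return (tos & 0xFF) >> 2


def precedence(tos):
    """`ipprecedence` tests the top three bits, i.e. the DSCP class selector."""
    return (tos & 0xFF) >> 5


def parse_iptos(spec):
    """Turn 'a,!b,...' into the (want_set, want_clear) masks ipfw keeps."""
    names = dict(TOS_FLAGS)
    want_set = want_clear = 0
    for item in spec.split(","):
        mask = names[item.lstrip("!")]
        if item.startswith("!"):
            want_clear |= mask
        else:
            want_set |= mask
    return want_set, want_clear


def iptos_matches(spec, tos):
    """Decision ipfw makes on the low five TOS bits: all plain flags present,
    all negated flags absent."""
    want_set, want_clear = parse_iptos(spec)
    return (tos & want_set) == want_set and (tos & want_clear) == 0


def satisfiable(spec):
    """False when a spec wants a bit both set and clear; no packet can match
    it (the thread's 'mincost,!congestion' form: mincost is 0x02, and
    !congestion forbids 0x03, which includes that bit)."""
    want_set, want_clear = parse_iptos(spec)
    return (want_set & want_clear) == 0


def iptos_spec_for(tos):
    """Exact-match iptos spec for a TOS byte: set flags plain, clear flags
    negated. For a DSCP class with ECN 00 this yields the rule form above."""
    return ",".join(n if (tos & m) == m else "!" + n for n, m in TOS_FLAGS)


def ipfw_rule(num, cls, action="count"):
    """Rule text (for display) matching one DSCP class with unpatched ipfw."""
    tos = dscp_to_tos(DSCP[cls])
    return (f"ipfw add {num} {action} ip from any to any "
            f"ipprecedence {precedence(tos)} iptos '{iptos_spec_for(tos)}'")


if __name__ == "__main__":
    print(ipfw_rule(1000, "AF11"))
    print(ipfw_rule(1001, "AF21"))
    af11 = dscp_to_tos(DSCP["AF11"])          # 0x28
    bad = "!lowdelay,throughput,!reliability,mincost,!congestion"
    print(hex(af11), satisfiable(bad), iptos_matches(bad, af11))
```

Reading the output answers the last question: DSCP occupies the top six bits of the TOS byte, so `ipprecedence` sees the class selector (AF1x gives 1, AF2x gives 2) and lowdelay/throughput/reliability are the remaining three DSCP bits (0b010 for AF11, AF21, which is why only `throughput` is plain). `mincost` (0x02) is not a DSCP bit at all but one of the two ECN bits, and `!congestion` already demands both ECN bits clear, so a spec with plain `mincost` asks for a bit to be both set and clear and can never match; that is why it had to become `!mincost`. The caveat is the flip side: the working rule also rejects AF11 packets whose ECN bits are non-zero (ECT or CE), which a match that tests only the six DSCP bits would still accept.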
 