
What is the correct syntax for matching fragments that have an offset > 0 in tc?

I have tried:

... u32 match u8 255 ff at 7 flowid 2:1

But to no avail

John

1 Answer


According to the IPv4 Header Format (don't be fooled by the numbering when pondering bits later), you must compare the 13 lower bits of the combined two bytes at offset 6 and 7.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

So it can't be matched with u8 but requires for example u16. Also, tc u32 appears to lack a not logical operator, thus it can only reliably match packets without fragment offset (or packets with no offset but the MF set etc.) in one rule. There are even abbreviations for this, if you also want to include the MF flag in the check:

... u32 match ip nofrag flowid 2:1 # would match the opposite of what's wanted

without MF flag:

... protocol ip u32 match u16 0 0x1fff at 6 flowid 2:1

So you can either use two filters to invert the logic, the first filter to bypass the second (you can complement the action with another flowid if needed):

... prio 1 protocol ip u32 match u16 0 0x1fff at 6 action pass
... prio 2 protocol ip matchall flowid 2:1

or you can completely change the filter module and use tc basic's ematch features which include logical operators like not, thus achieving goal in one filter:

... protocol ip basic match 'not cmp(u16 at 6 layer network mask 0x1fff eq 0)' flowid 2:1
A.B
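To see why the u8 attempt from the question misses and what each of the rules in the answer actually selects, here is an added example (not part of the original post or of iproute2) that emulates tc u32's "match uN VALUE MASK at OFFSET" on constructed IPv4 headers: an unfragmented packet, one with DF, a first fragment (MF set, offset 0), a middle fragment, a last fragment, and a fragment whose offset happens to have all ones in its low byte. The packets are built inline with struct; nothing is sent and tc is never invoked. It assumes, as for the "protocol ip" u32 filters on the page, that "at" offsets are relative to the start of the IPv4 header.

```python
"""Emulate tc u32 'match uN VALUE MASK at OFFSET' on constructed IPv4 headers.

Added example, not from the original post and not iproute2 code.  All
packets below are constructed inline; nothing is sent and tc is not run.
"""
import struct

# Bit layout of the 16-bit word at IPv4 header offset 6 (RFC 791):
#   bit 15 reserved | bit 14 DF | bit 13 MF | bits 12..0 fragment offset (8-octet units)
DF = 0x4000
MF = 0x2000
OFFSET_MASK = 0x1FFF   # mask used by 'match u16 0 0x1fff at 6' in the answer
NOFRAG_MASK = 0x3FFF   # mask behind tc's 'match ip nofrag' shorthand (MF bit + offset)


def ipv4_header(flags_frag, proto=17, total_len=1500):
    """Constructed 20-byte IPv4 header (no options) carrying the given
    flags/fragment-offset word.  Checksum is left zero; u32 never reads it."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,              # version 4, IHL 5
        0,                 # DSCP/ECN
        total_len,
        0x1234,            # identification (constructed value)
        flags_frag,        # the word at bytes 6..7
        64,                # TTL
        proto,
        0,                 # header checksum (not computed)
        bytes([10, 0, 0, 1]),
        bytes([10, 0, 0, 2]),
    )


def u32_match(pkt, width, value, mask, at):
    """Emulate tc u32 'match u<width> VALUE MASK at AT'.

    Assumption: AT is counted from the start of the IPv4 header, as it is
    for a 'protocol ip' u32 filter.  Without an explicit 'at', real tc
    uses offset 0, which is why the answer's rules need 'at 6'."""
    fmt = {8: "!B", 16: "!H", 32: "!I"}[width]
    field, = struct.unpack_from(fmt, pkt, at)
    return (field & mask) == value


def matches_question_filter(pkt):
    """The questioner's attempt: match u8 255 ff at 7 (byte 7 == 0xff)."""
    return u32_match(pkt, 8, 0xFF, 0xFF, 7)


def matches_no_offset(pkt):
    """The answer's u32 rule: match u16 0 0x1fff at 6  ->  offset == 0."""
    return u32_match(pkt, 16, 0, OFFSET_MASK, 6)


def matches_nofrag(pkt):
    """tc's 'match ip nofrag': u16 0 0x3fff at 6  ->  offset == 0 and MF clear."""
    return u32_match(pkt, 16, 0, NOFRAG_MASK, 6)


def matches_basic_not_rule(pkt):
    """The answer's ematch rule:
    not cmp(u16 at 6 layer network mask 0x1fff eq 0)  ->  offset > 0."""
    return not matches_no_offset(pkt)


def fragment_offset_bytes(pkt):
    """Fragment offset in bytes (the 13-bit field counts 8-octet units)."""
    word, = struct.unpack_from("!H", pkt, 6)
    return (word & OFFSET_MASK) * 8


# Constructed sample packets covering the cases a filter must tell apart.
SAMPLES = {
    "unfragmented":          ipv4_header(0),
    "unfragmented, DF":      ipv4_header(DF),
    "first fragment":        ipv4_header(MF),            # MF set, offset 0
    "middle fragment":       ipv4_header(MF | 0x0010),   # MF set, offset 128 bytes
    "last fragment":         ipv4_header(0x00B9),        # MF clear, offset 1480 bytes
    "fragment, offset 2040": ipv4_header(0x00FF),        # low byte of offset all ones
}


def classify_all():
    """Return {name: (offset_bytes, u8@7 rule, u16 0x1fff rule, nofrag, basic not rule)}."""
    return {
        name: (
            fragment_offset_bytes(pkt),
            matches_question_filter(pkt),
            matches_no_offset(pkt),
            matches_nofrag(pkt),
            matches_basic_not_rule(pkt),
        )
        for name, pkt in SAMPLES.items()
    }


if __name__ == "__main__":
    print(f"{'packet':22} {'offset':>6}  u8@7   u16 0x1fff  nofrag  basic-not")
    for name, (off, q, no_off, nofrag, bnot) in classify_all().items():
        print(f"{name:22} {off:6}  {q!s:6} {no_off!s:11} {nofrag!s:7} {bnot!s}")
```

The table it prints makes the three points above concrete: the u8 rule only fires when the low byte of the offset is 0xff (the 2040-byte sample), the u16 0x1fff rule selects exactly the packets with offset 0 and is therefore the complement of what was asked, and nofrag additionally rejects first fragments because its mask covers the MF bit. Only the negated ematch rule (or the two-filter bypass, which has the same effect) selects the middle and last fragments and nothing else.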