1

I'm looking to add a set of filters that would drop packets that match parameters. It seems tc filters do not support drop action based on match, but based on qos parameters. Has anyone been able to place tc drop filters?

The most common method I've found thus far is to mark it using tc and then use iptables to drop the marked packet, but that is not as efficient in my opinion.

user2066671
  • 1
    You say "not as efficient in my opinion", but what is this opinion based on? Have you measured and seen a performance problem? Inspected the kernel code? The commands `tc` and `iptables` both manipulate networking software in the kernel. Neither touches any packets on its own, so there would be no good reason to believe this makes the in-kernel mechanism inefficient any more so than using both `ifconfig` and `ip` to configure the same device would make your network slow. – Brian McFarland Oct 26 '15 at 18:20
  • 1
    I have not measured the performance hit. You are right, my assessment was premature. My primary question is whether there is another way of dropping packets based on tc filter match. The only method I've found thus far involves marking and forwarding the packets to an ip table entry. I'm just really curious if it's possible to manipulate tc filter to perform drop based on filter match. – user2066671 Oct 26 '15 at 18:26
  • 1
    In that case, you could probably do it with `tc` by setting up a `qdisc` that drops all data, then set up your `filter` with a `flowid` that directs to that `qdisc`. Can't help you much beyond that suggestion though. Anytime I have to deal with `tc` it involves hours of googling and reading man pages and watching wireshark. – Brian McFarland Oct 26 '15 at 18:41

1 Answer

2

tc filter supports drop action based on match. This is actually more straightforward than I anticipated.

An example below would drop all IP GRE traffic on interface eth3:

```
# add an ingress qdisc
tc qdisc add dev eth3 ingress
# filter on IP GRE traffic (protocol 47); mask 0xff compares all 8 bits of the protocol field
tc filter add dev eth3 parent ffff: protocol ip prio 6 u32 match ip protocol 47 0xff flowid 1:16 action drop
```
Wyatt
user2066671
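How a u32 `match ip protocol VALUE MASK` selector decides which packets reach `action drop`, modeled in Python as an added example (not code from the answer or from iproute2). The function names and the constructed IPv4 headers are assumptions for illustration; the point is that the mask argument controls how many protocol numbers the drop filter catches.

```python
import struct

IP_PROTO_OFFSET = 9  # the IPv4 protocol field is byte 9 of the header


def u32_key(value, mask, byte_off):
    """Turn an 8-bit VALUE/MASK pair into the 32-bit word key that u32 compares.

    u32 works on aligned 32-bit words, so the byte is shifted into place
    inside the word containing it, and the value is stored pre-masked.
    """
    shift = 8 * (3 - (byte_off & 3))
    mask32 = (mask & 0xFF) << shift
    val32 = ((value & 0xFF) << shift) & mask32
    return byte_off & ~3, val32, mask32


def u32_match(packet, key):
    """Masked compare of one big-endian 32-bit word of the packet against the key."""
    word_off, val32, mask32 = key
    (word,) = struct.unpack_from("!I", packet, word_off)
    return (word & mask32) == val32


def ipv4_header(proto):
    """Constructed 20-byte IPv4 header (documentation addresses, checksum left 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]),
    )


def dropped_protocols(value, mask):
    """List every IP protocol number that the selector would match (and drop)."""
    key = u32_key(value, mask, IP_PROTO_OFFSET)
    return [p for p in range(256) if u32_match(ipv4_header(p), key)]


if __name__ == "__main__":
    # Full mask: only GRE (47) is dropped.
    print("47 0xff ->", dropped_protocols(47, 0xFF))
    # Partial mask: every protocol that agrees with 47 on the masked bits is dropped too.
    print("47 0x47 ->", dropped_protocols(47, 0x47))
```

On a live interface, `tc -s filter show dev eth3 parent ffff:` prints the installed key and mask along with hit counters, which lets you confirm the filter matches only what you intended.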