.\" man/man8/tc-pedit.8
.TH "Generic packet editor action in tc" 8 "12 Jan 2015" "iproute2" "Linux"

.SH NAME
pedit - generic packet editor action
.SH SYNOPSIS
.in +8
.ti -8
.BR tc " ... " "action pedit [ex] munge " {
.IR RAW_OP " | " LAYERED_OP " | " EXTENDED_LAYERED_OP " } [ " CONTROL " ]"

.ti -8
.IR RAW_OP " := "
.BI offset " OFFSET"
.RB "{ " u8 " | " u16 " | " u32 " } ["
.IR AT_SPEC " ] " CMD_SPEC

.ti -8
.IR AT_SPEC " := "
.BI at " AT " offmask " MASK " shift " SHIFT"

.ti -8
.IR LAYERED_OP " := { "
.BI ip " IPHDR_FIELD"
|
.BI ip " BEYOND_IPHDR_FIELD"
.RI } " CMD_SPEC"

.ti -8
.IR EXTENDED_LAYERED_OP " := { "
.BI eth " ETHHDR_FIELD"
|
.BI ip " IPHDR_FIELD"
|
.BI ip " EX_IPHDR_FIELD"
|
.BI ip6 " IP6HDR_FIELD"
|
.BI tcp " TCPHDR_FIELD"
|
.BI udp " UDPHDR_FIELD"
.RI } " CMD_SPEC"

.ti -8
.IR ETHHDR_FIELD " := { "
.BR src " | " dst " | " type " }"

.ti -8
.IR IPHDR_FIELD " := { "
.BR src " | " dst " | " tos " | " dsfield " | " ihl " | " protocol " |"
.BR precedence " | " nofrag " | " firstfrag " | " ce " | " df " }"

.ti -8
.IR BEYOND_IPHDR_FIELD " := { "
.BR dport " | " sport " | " icmp_type " | " icmp_code " }"

.ti -8
.IR EX_IPHDR_FIELD " := { "
.BR ttl " }"

.ti -8
.IR IP6HDR_FIELD " := { "
.BR src " | " dst " | " flow_lbl " | " payload_len " | " nexthdr " |"
.BR hoplimit " }"

.ti -8
.IR TCPHDR_FIELD " := { "
.BR sport " | " dport " | " flags " }"

.ti -8
.IR UDPHDR_FIELD " := { "
.BR sport " | " dport " }"

.ti -8
.IR CMD_SPEC " := {"
.BR clear " | " invert " | " set
.IR VAL " | "
.BR add
.IR VAL " | "
.BR preserve " } [ " retain
.IR RVAL " ]"

.ti -8
.IR CONTROL " := {"
.BR reclassify " | " pipe " | " drop " | " shot " | " continue " | " pass " | " goto " " chain " " CHAIN_INDEX " }"
.SH DESCRIPTION
The
.B pedit
action can be used to change arbitrary packet data. The location of data to
change can either be specified by giving an offset and size as in
.IR RAW_OP ,
or, for header values, by naming the header and field to edit; the size is then
chosen automatically based on the header field size. Currently this is supported
only for IPv4 headers.
.SH OPTIONS
.TP
.B ex
Use extended pedit.
.I EXTENDED_LAYERED_OP
and the add
.I CMD_SPEC
are allowed only in this mode.
.TP
.BI offset " OFFSET " "\fR{ \fBu32 \fR| \fBu16 \fR| \fBu8 \fR}"
Specify the offset at which to change data.
.I OFFSET
is a signed integer; its base is automatically chosen (e.g. hex if prefixed by
.B 0x
or octal if prefixed by
.BR 0 ).
The second argument specifies the length of data to change, that is four bytes
.RB ( u32 ),
two bytes
.RB ( u16 )
or a single byte
.RB ( u8 ).
.TP
.BI at " AT " offmask " MASK " shift " SHIFT"
This is an optional part of
.IR RAW_OP
which allows for a variable
.I OFFSET
depending on packet data at offset
.IR AT ,
which is binary ANDed with
.I MASK
and right-shifted by
.I SHIFT
before adding it to
.IR OFFSET .
.TP
.BI eth " ETHHDR_FIELD"
Change an ETH header field. The supported keywords for
.I ETHHDR_FIELD
are:
.RS
.TP
.B src
.TQ
.B dst
Source or destination MAC address in the standard format: XX:XX:XX:XX:XX:XX
.TP
.B type
Ether-type as a numeric value.
.RE
.TP
.BI ip " IPHDR_FIELD"
Change an IPv4 header field. The supported keywords for
.I IPHDR_FIELD
are:
.RS
.TP
.B src
.TQ
.B dst
Source or destination IP address, a four-byte value.
.TP
.B tos
.TQ
.B dsfield
.TQ
.B precedence
Type Of Service field, an eight-bit value.
.TP
.B ihl
Change the IP Header Length field, a four-bit value.
.TP
.B protocol
Next-layer Protocol field, an eight-bit value.
.TP
.B nofrag
.TQ
.B firstfrag
.TQ
.B ce
.TQ
.B df
.TQ
.B mf
Change IP header flags. Note that the value to pass to the
.B set
command is not just a bit value, but the full byte including the flags field.
Only the relevant bits of that value are respected, though; the rest are ignored.
.RE
.TP
.BI ip " BEYOND_IPHDR_FIELD"
Supported only for non-extended layered op. It is passed to the kernel as
offsets relative to the beginning of the IP header and assumes the IP header is
of minimum size (20 bytes). The supported keywords for
.I BEYOND_IPHDR_FIELD
are:
.RS
.TP
.B dport
.TQ
.B sport
Destination or source port number, a 16-bit value. Strictly speaking, IPv4
headers don't contain this information; this sets an offset which suits at least
TCP and UDP if the IP header is of minimum size (20 bytes). If it is not, this
will do unexpected things.
.TP
.B icmp_type
.TQ
.B icmp_code
Again, this allows changing data past the actual IP header itself. It assumes
an ICMP header is present immediately following the (minimal sized) IP header.
If it is not or the latter is bigger than the minimum of 20 bytes, this will do
unexpected things. These fields are eight-bit values.
.RE
.TP
.BI ip " EX_IPHDR_FIELD"
Supported only when
.I ex
is used. The supported keywords for
.I EX_IPHDR_FIELD
are:
.RS
.TP
.B ttl
.RE
.TP
.BI ip6 " IP6HDR_FIELD"
The supported keywords for
.I IP6HDR_FIELD
are:
.RS
.TP
.B src
.TQ
.B dst
.TQ
.B flow_lbl
.TQ
.B payload_len
.TQ
.B nexthdr
.TQ
.B hoplimit
.RE
.TP
.BI tcp " TCPHDR_FIELD"
The supported keywords for
.I TCPHDR_FIELD
are:
.RS
.TP
.B sport
.TQ
.B dport
Source or destination TCP port number, a 16-bit value.
.TP
.B flags
.RE
.TP
.BI udp " UDPHDR_FIELD"
The supported keywords for
.I UDPHDR_FIELD
are:
.RS
.TP
.B sport
.TQ
.B dport
Source or destination UDP port number, a 16-bit value.
.RE
.TP
.B clear
Clear the addressed data (i.e., set it to zero).
.TP
.B invert
Swap every bit in the addressed data.
.TP
.BI set " VAL"
Set the addressed data to a specific value. The size of
.I VAL
is defined by either one of the
.BR u32 ", " u16 " or " u8
keywords in
.IR RAW_OP ,
or the size of the addressed header field in
.IR LAYERED_OP .
.TP
.BI add " VAL"
Add a specific value to the addressed data. The size of
.I VAL
is defined by the size of the addressed header field in
.IR EXTENDED_LAYERED_OP .
This operation is supported only for extended layered op.
.TP
.B preserve
Keep the addressed data as is.
.TP
.BI retain " RVAL"
This optional extra part of
.I CMD_SPEC
allows excluding bits from being changed. Supported only for fields of 32 bits
or smaller.
.TP
.I CONTROL
The following keywords control how the tree of qdisc, classes,
filters and actions is further traversed after this action.
.RS
.TP
.B reclassify
Restart with the first filter in the current list.
.TP
.B pipe
Continue with the next action attached to the same filter.
.TP
.B drop
.TQ
.B shot
Drop the packet.
.TP
.B continue
Continue classification with the next filter in line.
.TP
.B pass
Finish classification process and return to calling qdisc for further packet
processing. This is the default.
.RE
.SH EXAMPLES
Being able to edit packet data, one could do all kinds of things, such as
implementing port redirection. Certainly not the most useful application, but
as an example it should do:

First, qdiscs need to be set up to attach filters to. For the receive path, a simple
.B ingress
qdisc will do; for the transmit path, a classful qdisc
.RB ( HTB
in this case) is necessary:

.RS
.EX
tc qdisc replace dev eth0 root handle 1: htb
tc qdisc add dev eth0 ingress handle ffff:
.EE
.RE

Finally, a filter with
.B pedit
action can be added for each direction. In this case,
.B u32
is used matching on the port number to redirect from, while
.B pedit
then does the actual rewriting:

.RS
.EX
tc filter add dev eth0 parent 1: u32 \\
	match ip dport 23 0xffff \\
	action pedit munge ip dport set 22
tc filter add dev eth0 parent ffff: u32 \\
	match ip sport 22 0xffff \\
	action pedit munge ip sport set 23
tc filter add dev eth0 parent ffff: u32 \\
	match ip sport 22 0xffff \\
	action pedit ex munge ip dst set 192.168.1.199
tc filter add dev eth0 parent ffff: u32 \\
	match ip sport 22 0xffff \\
	action pedit ex munge ip6 dst set fe80::dacb:8aff:fec7:320e
tc filter add dev eth0 parent ffff: u32 \\
	match ip sport 22 0xffff \\
	action pedit ex munge eth dst set 11:22:33:44:55:66
tc filter add dev eth0 parent ffff: u32 \\
	match ip dport 23 0xffff \\
	action pedit ex munge tcp dport set 22
.EE
.RE
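.PP
The non-extended
.B ip dport
rewrite assumes a 20-byte IP header, and the effect of that assumption can be seen on packet bytes. The following Python model is an added example, not part of the iproute2 manual page; the packets, addresses and helper names are constructed for illustration, and checksums are not modelled.

```python
import struct

def ipv4_tcp(dport, options=b""):
    """Constructed IPv4+TCP packet; options length must be a multiple of 4."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return bytearray(ip + options + tcp)

def l4_offset(pkt):
    """Start of the transport header, taken from the IHL field (32-bit words)."""
    return (pkt[0] & 0x0F) * 4

def tcp_dport(pkt):
    """Destination port as a receiver honouring IHL would read it."""
    return struct.unpack_from("!H", pkt, l4_offset(pkt) + 2)[0]

def munge_fixed(pkt, value):
    """Model of 'munge ip dport set VALUE': u16 write at IP header offset 20 + 2."""
    struct.pack_into("!H", pkt, 22, value)

def munge_header_aware(pkt, value):
    """Hypothetical alternative: derive the write offset from IHL first."""
    struct.pack_into("!H", pkt, l4_offset(pkt) + 2, value)

def fixed_offset_applies(pkt):
    """True only for IPv4 with IHL == 5 carrying TCP (6) or UDP (17)."""
    return (pkt[0] >> 4) == 4 and (pkt[0] & 0x0F) == 5 and pkt[9] in (6, 17)

def demo():
    plain = ipv4_tcp(23)
    with_opts = ipv4_tcp(23, options=b"\x01\x01\x01\x01")  # four NOP options, IHL 6
    fixed_copy = bytearray(with_opts)
    munge_fixed(plain, 22)
    munge_fixed(fixed_copy, 22)        # lands in the IP options, not the port
    munge_header_aware(with_opts, 22)
    return {
        "plain_dport": tcp_dport(plain),
        "options_dport_after_fixed": tcp_dport(fixed_copy),
        "options_bytes_after_fixed": bytes(fixed_copy[20:24]),
        "options_dport_after_aware": tcp_dport(with_opts),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With IP options present, the fixed-offset write leaves the destination port at 23 and overwrites two option bytes instead.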
.SH SEE ALSO
.BR tc (8),
.BR tc-htb (8),
.BR tc-u32 (8)