On 16-08-30 06:31 AM, Jesper Dangaard Brouer wrote:

On Tue, 30 Aug 2016 08:13:15 -0400 Jamal Hadi Salim [off-list ref] wrote:

quoted

On 16-08-29 11:55 AM, Jesper Dangaard Brouer wrote:

quoted

tc filter add dev mlx5p2 parent ffff: prio 4 protocol ip u32 match ip protocol 17 0xff match udp dst 9 0xffff flowid 1:1 action  

Syntax is a little more convoluted  than that ;->. Try:

sudo tc filter add dev eth0 parent ffff: prio 4 protocol ip u32 \
match ip protocol 17 0xff \
match ip dport 1900 0xffff \
flowid 1:1 \
action drop

I think I figured out why, match "udp dst" does not work.  It seems to
depend on "nexthdr+0" which is an implicit variable, that for unknown
reasons are not set in my original rule (above).

Before you suggestion I managed to match the udp port by manually
defining the offset, assuming an IP-header is 20 bytes (no-options),
like:

tc filter add dev $device parent ffff: prio 4 protocol ip \
	u32 \
	match ip protocol 17 0xff \
	match udp dst $udp_port 0xffff at 21\
	flowid 1:1 \
	action drop

You solution with "ip dport" also works, but man[1] tc-u32(8) also have
a warning about "ip dport" size assumptions...

Updated my script to use "u32 match ip port":
 https://github.com/netoptimizer/network-testing/commit/6449f6beb4d2

FWIW the 'udp dst' notation is quit fragile in that it only reads an
offset into the packet where a udp dst port might be. More robust
solutions require the use of links.

I have a wrapper tool around the 'link' creation part of u32 that we
can probably show off at netconf. :)

quoted

Note, this will be more cycles than drop all.

Yes, that is the point ;-) XDP also does header parsing...