Packet meta class applied, but captured VLAN priority is wrong
My Linux home router sits between my ISP (Orange) and my home network.
On the WAN side, Orange provides internet in a VLAN tagged 832.
Some control messages (ARP, DHCP, ICMPv6 "router discovery" types, DHCPv6) need to be replied to Orange with:
- VLAN priority = 6
- IPv4 or IPv6 DSCP = "CS6" (6 bits 0x30, or 48 in decimal notation)
First problem: for the boot-sequence DHCPv4 messages, isc-dhclient needs to use a raw Ethernet packet socket, which bypasses the Linux kernel IP stack by design.
So one cannot use netfilter to assign IPv4 DSCP or Meta Class, but let's leave that aside for now.
Here's a dump of my nftables configuration, relevant to the alteration of IP DSCP and Meta Priority:

    me@debox:~$ sudo /usr/sbin/nft list ruleset
    table inet fltr46 {
        chain assign-orange-prio {
            ip version 4 udp sport { bootps, bootpc } ip dscp set cs6 meta priority set 0:6 counter packets 0 bytes 0 comment "isc-dhclient LPF socket bypass netfilter"
            icmpv6 type { nd-neighbor-solicit, nd-router-solicit } ip6 dscp set cs6 meta priority set 0:6 counter packets 8 bytes 480
            udp sport { dhcpv6-client, dhcpv6-server } ip6 dscp set cs6 meta priority set 0:6 counter packets 4 bytes 1180
        }
        chain postrouting {
            type filter hook postrouting priority 0; policy accept;
            oifname vmap { "enp1s0.832" : goto assign-orange-prio }
        }
        chain output {
            type filter hook output priority 0; policy accept;
            oifname vmap { "enp1s0.832" : goto assign-orange-prio }
        }
    }
    table arp arp4 {
        chain output {
            type filter hook output priority 0; policy accept;
            oifname != "enp1s0.832" accept
            meta priority set 0:6 counter packets 851 bytes 35742
        }
    }

My VLAN 832 configuration is as follows:

    me@debox:~$ sudo cat /proc/net/vlan/enp1s0.832
    enp1s0.832  VID: 832     REORDER_HDR: 1  dev->priv_flags: 1001
             Device: enp1s0
    INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
     EGRESS priority mappings: 6:6

Which means, for egress, class 6 packets -> VLAN prio 6.
The nftables counters for DHCPv6, ICMPv6 "router", and ARP are incremented, as expected.
However, I notice problems in my Wireshark capture (done by switch port mirroring):
- DHCPv6: OK. DSCP = CS6 and VLAN prio = 6
- ICMPv6: not OK. DSCP = CS6 but VLAN prio = 0
- ARP: not OK. VLAN prio = 0
- IPv4 DHCP lease renewal packets, sent through a regular UDP socket, are also OK (DSCP + VLAN prio).
VLAN priority is not applied correctly to ARP and ICMPv6 packets.
Is there a way to debug further why the meta class does not translate correctly to VLAN prio
for ARP and ICMPv6 messages generated by the Linux kernel?
vlan netfilter
asked 46 secs ago
Strangelovian
1438
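As an added example (not part of the question above or of any answer to it), here is a small Python checker that performs the same verification the question does by eye in Wireshark: it parses each frame's 802.1Q tag to read the PCP (VLAN priority) and VID, reads the IPv4/IPv6 DSCP, picks out the control-plane traffic the question lists (ARP, ICMPv6 router/neighbor solicitation, DHCPv4, DHCPv6), and reports every such frame whose priority is not 6 or whose DSCP is not CS6. It can be run on a port-mirror pcap (Ethernet link type only) or, with no argument, on constructed sample frames; the MAC addresses, the frames themselves, and the expected-value constants are my own construction for this example and reproduce the four outcomes the question reports rather than anything captured from the poster's network.

```python
"""Check VLAN priority (PCP) and DSCP of control-plane frames on the WAN VLAN.

Added example, not code from the original question. The sample frames below are
constructed by hand; they are not captured traffic.
"""
import struct

ETH_P_8021Q, ETH_P_ARP, ETH_P_IP, ETH_P_IPV6 = 0x8100, 0x0806, 0x0800, 0x86DD
EXPECTED_PCP = 6        # VLAN priority the ISP expects on control traffic (assumption from the question)
EXPECTED_DSCP = 48      # CS6
ND_TYPES = {133, 135}   # ICMPv6 router-solicit, neighbor-solicit
DHCP_PORTS = {67, 68, 546, 547}  # bootps, bootpc, dhcpv6-client, dhcpv6-server


def parse_frame(frame: bytes) -> dict:
    """Summarise one Ethernet frame: VLAN tag fields, L3 kind, DSCP, ICMPv6 type, UDP sport."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vid, pcp = 14, None, None
    if ethertype == ETH_P_8021Q:               # 802.1Q tag: 16-bit TCI = PCP(3) DEI(1) VID(12)
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid, off = tci >> 13, tci & 0x0FFF, 18
    info = {"kind": "other", "vid": vid, "pcp": pcp, "dscp": None,
            "icmpv6_type": None, "udp_sport": None}
    if ethertype == ETH_P_ARP:
        info["kind"] = "arp"                   # ARP has no DSCP; only the tag matters
    elif ethertype == ETH_P_IP:
        ihl = (frame[off] & 0x0F) * 4
        info.update(kind="ipv4", dscp=frame[off + 1] >> 2)   # DSCP = upper 6 bits of TOS
        if frame[off + 9] == 17:               # protocol UDP
            info["udp_sport"] = struct.unpack("!H", frame[off + ihl:off + ihl + 2])[0]
    elif ethertype == ETH_P_IPV6:
        tclass = (struct.unpack("!I", frame[off:off + 4])[0] >> 20) & 0xFF
        info.update(kind="ipv6", dscp=tclass >> 2)           # DSCP = upper 6 bits of traffic class
        nh = frame[off + 6]
        if nh == 58:                           # ICMPv6 directly after the fixed header
            info["icmpv6_type"] = frame[off + 40]
        elif nh == 17:
            info["udp_sport"] = struct.unpack("!H", frame[off + 40:off + 42])[0]
    return info


def is_control(info: dict) -> bool:
    return (info["kind"] == "arp" or info["icmpv6_type"] in ND_TYPES
            or info["udp_sport"] in DHCP_PORTS)


def check(info: dict) -> list:
    """Mismatches against the expected marking for a control frame (empty list = OK)."""
    problems = []
    if info["pcp"] != EXPECTED_PCP:
        problems.append(f"vlan prio {info['pcp']} != {EXPECTED_PCP}")
    if info["kind"] != "arp" and info["dscp"] != EXPECTED_DSCP:
        problems.append(f"dscp {info['dscp']} != {EXPECTED_DSCP}")
    return problems


def audit(frames: dict) -> dict:
    """Map label -> problems, for control-plane frames only."""
    return {label: check(info) for label, f in frames.items()
            if is_control(info := parse_frame(f))}


def iter_pcap(path: str):
    """Yield raw frames from a classic pcap file (LINKTYPE_ETHERNET assumed)."""
    with open(path, "rb") as fh:
        magic = fh.read(24)[:4]
        endian = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        while len(hdr := fh.read(16)) == 16:
            incl_len = struct.unpack(endian + "IIII", hdr)[2]
            yield fh.read(incl_len)


# --- constructed samples (hypothetical MACs, zeroed addresses, checksums not computed) ---
MAC_ROUTER, MAC_ISP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def vlan_frame(pcp, vid, ethertype, payload):
    return MAC_ISP + MAC_ROUTER + struct.pack("!HHH", ETH_P_8021Q, (pcp << 13) | vid, ethertype) + payload

def ipv6(dscp, nh, payload):
    return struct.pack("!IHBB", (6 << 28) | ((dscp << 2) << 20), len(payload), nh, 255) + bytes(32) + payload

def ipv4_udp(dscp, sport, dport):
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, 17, 0, bytes(4), bytes(4)) \
        + struct.pack("!HHHH", sport, dport, 8, 0)

ARP_REQUEST = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 1, MAC_ROUTER, bytes(4), bytes(6), bytes(4))

SAMPLES = {   # the four observations from the question, reproduced as frames
    "dhcpv6 solicit":        vlan_frame(6, 832, ETH_P_IPV6, ipv6(48, 17, struct.pack("!HHHH", 546, 547, 8, 0))),
    "icmpv6 router-solicit": vlan_frame(0, 832, ETH_P_IPV6, ipv6(48, 58, struct.pack("!BBHI", 133, 0, 0, 0))),
    "arp request":           vlan_frame(0, 832, ETH_P_ARP, ARP_REQUEST),
    "dhcpv4 renew":          vlan_frame(6, 832, ETH_P_IP, ipv4_udp(48, 68, 67)),
}

if __name__ == "__main__":
    import sys
    frames = ({f"frame {i}": f for i, f in enumerate(iter_pcap(sys.argv[1]))}
              if len(sys.argv) > 1 else SAMPLES)
    for label, problems in audit(frames).items():
        print(f"{label}: {'OK' if not problems else ', '.join(problems)}")
```

Running the checker over a mirror-port capture gives a per-frame list of which control messages left the router with the wrong tag, which is easier to compare against the nftables counters than scrolling through Wireshark: a rule counter that increments while the same frame shows PCP 0 on the wire narrows the problem to what happens between the netfilter hook and the VLAN egress mapping, rather than to the rule matching itself.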