Packet meta class applied, but captured VLAN priority is wrong

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












My linux home router sits between my ISP (Orange) and my home network.
On the WAN side, Orange provide internet in a VLAN tagged 832.



Some control messages (ARP, DHCP, ICMPv6 "router discovery" types, DHCPv6) need to be replied to Orange with:
- VLAN priority = 6
- IPv4 or IPv6 DSCP = "CS6" (6 bits 0x30, or 48 in decimal notation)



First problem, for the boot sequence DHCP v4 messages, isc-dhclient needs to use a raw ethernet packet socket, which bypass the linux kernel IP stack by design.
So one cannot use netfilter to assign IPv4 DSCP or Meta Class, but let's leave that aside for now.



Here's a dump of my nftables configuration, relevant to the alteration of IP DSCP and Meta Priority:
me@debox:~$ sudo /usr/sbin/nft list ruleset



table inet fltr46 
chain assign-orange-prio
ip version 4 udp sport bootps, bootpc ip dscp set cs6 meta priority set 0:6 counter packets 0 bytes 0 comment "isc-dhclient LPF socket bypass netfilter"
icmpv6 type nd-neighbor-solicit, nd-router-solicit ip6 dscp set cs6 meta priority set 0:6 counter packets 8 bytes 480
udp sport dhcpv6-client, dhcpv6-server ip6 dscp set cs6 meta priority set 0:6 counter packets 4 bytes 1180


chain postrouting
type filter hook postrouting priority 0; policy accept;
oifname vmap "enp1s0.832" : goto assign-orange-prio


chain output
type filter hook output priority 0; policy accept;
oifname vmap "enp1s0.832" : goto assign-orange-prio


table arp arp4
chain output
type filter hook output priority 0; policy accept;
oifname ! "enp1s0.832" accept
meta priority set 0:6 counter packets 851 bytes 35742




My vlan 832 configuration is as follows:



me@debox:~$ sudo cat /proc/net/vlan/enp1s0.832 
enp1s0.832 VID: 832 REORDER_HDR: 1 dev->priv_flags: 1001
Device: enp1s0
INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
EGRESS priority mappings: 6:6


Which means, for egress, class 6 packets -> VLAN prio 6.



The nftables counters for DHCPv6, ICMPv6 "router", and ARP are incremented, as expected.
However, I notice problems in my wire shark capture (done by swich port mirroring):



  • DHCPv6: OK. DSCP = CS6 and VLAN prio = 6

  • ICMPv6: not OK. DSCP = CS6 but VLAN prio = 0

  • ARP: not OK. VLAN prio = 0

  • IPv4 DHCP lease renewal packets, sent through a regular UDP socket, are also OK (DSCP+VLAN prio).

VLAN priority is not applied correctly to ARP and ICMPv6 packets.
Is there a way to debug further why the meta class does not translate correctly to VLAN prio,
for ARP and ICMPv6 messages generated by the linux kernel?









share

























    up vote
    0
    down vote

    favorite












    My linux home router sits between my ISP (Orange) and my home network.
    On the WAN side, Orange provide internet in a VLAN tagged 832.



    Some control messages (ARP, DHCP, ICMPv6 "router discovery" types, DHCPv6) need to be replied to Orange with:
    - VLAN priority = 6
    - IPv4 or IPv6 DSCP = "CS6" (6 bits 0x30, or 48 in decimal notation)



    First problem, for the boot sequence DHCP v4 messages, isc-dhclient needs to use a raw ethernet packet socket, which bypass the linux kernel IP stack by design.
    So one cannot use netfilter to assign IPv4 DSCP or Meta Class, but let's leave that aside for now.



    Here's a dump of my nftables configuration, relevant to the alteration of IP DSCP and Meta Priority:
    me@debox:~$ sudo /usr/sbin/nft list ruleset



    table inet fltr46 
    chain assign-orange-prio
    ip version 4 udp sport bootps, bootpc ip dscp set cs6 meta priority set 0:6 counter packets 0 bytes 0 comment "isc-dhclient LPF socket bypass netfilter"
    icmpv6 type nd-neighbor-solicit, nd-router-solicit ip6 dscp set cs6 meta priority set 0:6 counter packets 8 bytes 480
    udp sport dhcpv6-client, dhcpv6-server ip6 dscp set cs6 meta priority set 0:6 counter packets 4 bytes 1180


    chain postrouting
    type filter hook postrouting priority 0; policy accept;
    oifname vmap "enp1s0.832" : goto assign-orange-prio


    chain output
    type filter hook output priority 0; policy accept;
    oifname vmap "enp1s0.832" : goto assign-orange-prio


    table arp arp4
    chain output
    type filter hook output priority 0; policy accept;
    oifname ! "enp1s0.832" accept
    meta priority set 0:6 counter packets 851 bytes 35742




    My vlan 832 configuration is as follows:



    me@debox:~$ sudo cat /proc/net/vlan/enp1s0.832 
    enp1s0.832 VID: 832 REORDER_HDR: 1 dev->priv_flags: 1001
    Device: enp1s0
    INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
    EGRESS priority mappings: 6:6


    Which means, for egress, class 6 packets -> VLAN prio 6.



    The nftables counters for DHCPv6, ICMPv6 "router", and ARP are incremented, as expected.
    However, I notice problems in my wire shark capture (done by swich port mirroring):



    • DHCPv6: OK. DSCP = CS6 and VLAN prio = 6

    • ICMPv6: not OK. DSCP = CS6 but VLAN prio = 0

    • ARP: not OK. VLAN prio = 0

    • IPv4 DHCP lease renewal packets, sent through a regular UDP socket, are also OK (DSCP+VLAN prio).

    VLAN priority is not applied correctly to ARP and ICMPv6 packets.
    Is there a way to debug further why the meta class does not translate correctly to VLAN prio,
    for ARP and ICMPv6 messages generated by the linux kernel?









    share























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      My linux home router sits between my ISP (Orange) and my home network.
      On the WAN side, Orange provide internet in a VLAN tagged 832.



      Some control messages (ARP, DHCP, ICMPv6 "router discovery" types, DHCPv6) need to be replied to Orange with:
      - VLAN priority = 6
      - IPv4 or IPv6 DSCP = "CS6" (6 bits 0x30, or 48 in decimal notation)



      First problem, for the boot sequence DHCP v4 messages, isc-dhclient needs to use a raw ethernet packet socket, which bypass the linux kernel IP stack by design.
      So one cannot use netfilter to assign IPv4 DSCP or Meta Class, but let's leave that aside for now.



      Here's a dump of my nftables configuration, relevant to the alteration of IP DSCP and Meta Priority:
      me@debox:~$ sudo /usr/sbin/nft list ruleset



      table inet fltr46 
      chain assign-orange-prio
      ip version 4 udp sport bootps, bootpc ip dscp set cs6 meta priority set 0:6 counter packets 0 bytes 0 comment "isc-dhclient LPF socket bypass netfilter"
      icmpv6 type nd-neighbor-solicit, nd-router-solicit ip6 dscp set cs6 meta priority set 0:6 counter packets 8 bytes 480
      udp sport dhcpv6-client, dhcpv6-server ip6 dscp set cs6 meta priority set 0:6 counter packets 4 bytes 1180


      chain postrouting
      type filter hook postrouting priority 0; policy accept;
      oifname vmap "enp1s0.832" : goto assign-orange-prio


      chain output
      type filter hook output priority 0; policy accept;
      oifname vmap "enp1s0.832" : goto assign-orange-prio


      table arp arp4
      chain output
      type filter hook output priority 0; policy accept;
      oifname ! "enp1s0.832" accept
      meta priority set 0:6 counter packets 851 bytes 35742




      My vlan 832 configuration is as follows:



      me@debox:~$ sudo cat /proc/net/vlan/enp1s0.832 
      enp1s0.832 VID: 832 REORDER_HDR: 1 dev->priv_flags: 1001
      Device: enp1s0
      INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
      EGRESS priority mappings: 6:6


      Which means, for egress, class 6 packets -> VLAN prio 6.



      The nftables counters for DHCPv6, ICMPv6 "router", and ARP are incremented, as expected.
      However, I notice problems in my wire shark capture (done by swich port mirroring):



      • DHCPv6: OK. DSCP = CS6 and VLAN prio = 6

      • ICMPv6: not OK. DSCP = CS6 but VLAN prio = 0

      • ARP: not OK. VLAN prio = 0

      • IPv4 DHCP lease renewal packets, sent through a regular UDP socket, are also OK (DSCP+VLAN prio).

      VLAN priority is not applied correctly to ARP and ICMPv6 packets.
      Is there a way to debug further why the meta class does not translate correctly to VLAN prio,
      for ARP and ICMPv6 messages generated by the linux kernel?









      share













      My linux home router sits between my ISP (Orange) and my home network.
      On the WAN side, Orange provide internet in a VLAN tagged 832.



      Some control messages (ARP, DHCP, ICMPv6 "router discovery" types, DHCPv6) need to be replied to Orange with:
      - VLAN priority = 6
      - IPv4 or IPv6 DSCP = "CS6" (6 bits 0x30, or 48 in decimal notation)



      First problem, for the boot sequence DHCP v4 messages, isc-dhclient needs to use a raw ethernet packet socket, which bypass the linux kernel IP stack by design.
      So one cannot use netfilter to assign IPv4 DSCP or Meta Class, but let's leave that aside for now.



      Here's a dump of my nftables configuration, relevant to the alteration of IP DSCP and Meta Priority:
      me@debox:~$ sudo /usr/sbin/nft list ruleset



      table inet fltr46 
      chain assign-orange-prio
      ip version 4 udp sport bootps, bootpc ip dscp set cs6 meta priority set 0:6 counter packets 0 bytes 0 comment "isc-dhclient LPF socket bypass netfilter"
      icmpv6 type nd-neighbor-solicit, nd-router-solicit ip6 dscp set cs6 meta priority set 0:6 counter packets 8 bytes 480
      udp sport dhcpv6-client, dhcpv6-server ip6 dscp set cs6 meta priority set 0:6 counter packets 4 bytes 1180


      chain postrouting
      type filter hook postrouting priority 0; policy accept;
      oifname vmap "enp1s0.832" : goto assign-orange-prio


      chain output
      type filter hook output priority 0; policy accept;
      oifname vmap "enp1s0.832" : goto assign-orange-prio


      table arp arp4
      chain output
      type filter hook output priority 0; policy accept;
      oifname ! "enp1s0.832" accept
      meta priority set 0:6 counter packets 851 bytes 35742




      My vlan 832 configuration is as follows:



      me@debox:~$ sudo cat /proc/net/vlan/enp1s0.832 
      enp1s0.832 VID: 832 REORDER_HDR: 1 dev->priv_flags: 1001
      Device: enp1s0
      INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
      EGRESS priority mappings: 6:6


      Which means, for egress, class 6 packets -> VLAN prio 6.



      The nftables counters for DHCPv6, ICMPv6 "router", and ARP are incremented, as expected.
      However, I notice problems in my wire shark capture (done by swich port mirroring):



      • DHCPv6: OK. DSCP = CS6 and VLAN prio = 6

      • ICMPv6: not OK. DSCP = CS6 but VLAN prio = 0

      • ARP: not OK. VLAN prio = 0

      • IPv4 DHCP lease renewal packets, sent through a regular UDP socket, are also OK (DSCP+VLAN prio).

      VLAN priority is not applied correctly to ARP and ICMPv6 packets.
      Is there a way to debug further why the meta class does not translate correctly to VLAN prio,
      for ARP and ICMPv6 messages generated by the linux kernel?







      vlan netfilter





      share












      share










      share



      share










      asked 46 secs ago









      Strangelovian

      1438




      1438

























          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f479796%2fpacket-meta-class-applied-but-captured-vlan-priority-is-wrong%23new-answer', 'question_page');

          );

          Post as a guest



































          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f479796%2fpacket-meta-class-applied-but-captured-vlan-priority-is-wrong%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?