How can tc be used to match a particular payload of an ingress packet, e.g., if the first 32 bits of payload of an IP/UDP packet are equal to some constant $c, the value $c should be changed to $d? This should work in particular for variable length IP headers.

It appears that the u32 filter should be able to perform the matching. Is the following attempt correct? I am not sure about the nexthdr part in particular.

tc filter add dev protocol ip parent ffff: u32 match $c 0xffffffff at nexthdr+8

Now pedit can be used to change the packet but I don't see a way to write $d in the UDP payload of a packet with variable length IP header.

Any help is appreciated.

1 Answer


It seems that we can use IP address notation even if things are actually not related to IP address. For example, this worked:

tc filter add dev eth0 parent 1: u32 match ip src 64.0.0.0/4 at 0 action pedit pedit munge offset 0 u8 set 0x10 retain 0xf0 continue

This specifies source address 64.0.0.0/4 at 0, which actually means 0x40000000/0xf0000000, matching any IPv4 packet. Then it changes the version number to 1 (which is naturally discarded as invalid).

  • But did you solve OP's problem? match UDP payload (not IP header) and then rewrite it? I can't find how it solves it. Commented Apr 28, 2024 at 14:37
  • Oh, sorry, my answer is not working then... The man page of tc-pedit (man7.org/linux/man-pages/man8/tc-pedit.8.html) says that we should use syntax like at AT offmask MASK shift SHIFT, but I found that this cannot be parsed and we may have to write like at AT MASK SHIFT, which actually passed parsing. But even then it didn't work (maybe shift is broken). So I think we may have to assume IP header length (as 20 bytes)... I'm sorry again for my wrong answer. Commented Apr 29, 2024 at 15:22
  • man7.org/linux/man-pages/man8/tc-u32.8.html nexthdr+ only works with hash table mechanism, indicated in the man page of tc-u32. Unlike tc-pedit, I confirmed this working correctly. Commented Apr 29, 2024 at 15:46
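An added example, not part of the question, the answer or its comments: a Python model, run on constructed packets, of the arithmetic the question asks about, locating the UDP payload from the IP header length field and rewriting its first 32 bits. It goes beyond the tc commands on the page by also recomputing the UDP checksum after the rewrite; all function names, addresses, ports and the values standing in for $c and $d are assumptions.

```python
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def nexthdr(pkt) -> int:
    """Start of the L4 header: IHL is the low nibble of byte 0, in 32-bit words."""
    return (pkt[0] & 0x0F) * 4

def udp_sum(pkt: bytes) -> int:
    """Checksum over pseudo-header + UDP segment; 0 when the stored value is valid."""
    l4 = nexthdr(pkt)
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, len(pkt) - l4)
    return csum16(pseudo + pkt[l4:])

def fix_udp(pkt: bytearray) -> bytes:
    """Zero the UDP checksum field, recompute it, and store it."""
    l4 = nexthdr(pkt)
    struct.pack_into("!H", pkt, l4 + 6, 0)
    struct.pack_into("!H", pkt, l4 + 6, udp_sum(bytes(pkt)) or 0xFFFF)
    return bytes(pkt)

def build_packet(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed IPv4/UDP packet; options length must be a multiple of 4."""
    ihl = 5 + len(options) // 4
    udp = struct.pack("!HHHH", 40000, 9999, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 4 * ihl + len(udp), 0, 0, 64,
                     17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options
    ip = ip[:10] + struct.pack("!H", csum16(ip)) + ip[12:]
    return fix_udp(bytearray(ip + udp))

def rewrite(pkt: bytes, c: int, d: int, l4=None) -> bytes:
    """If the first 32 payload bits equal c, replace them with d (l4=None: use IHL)."""
    off = (nexthdr(pkt) if l4 is None else l4) + 8
    if pkt[9] != 17 or len(pkt) < off + 4 or struct.unpack_from("!I", pkt, off)[0] != c:
        return pkt
    out = bytearray(pkt)
    struct.pack_into("!I", out, off, d)
    return fix_udp(out)

C, D = 0x11223344, 0xAABBCCDD                      # constructed stand-ins for $c and $d
PLAIN = build_packet(struct.pack("!I", C) + b"data")                  # IHL = 5
OPTS = build_packet(struct.pack("!I", C) + b"data", b"\x01" * 8)      # IHL = 7 (8 NOPs)
```

Calling `rewrite(OPTS, C, D, l4=20)` models the fixed 20-byte assumption: on the packet with options it compares against the UDP port fields instead of the payload and leaves the packet unchanged.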
