TC Filter With BPF and NFTables Packet Marking

I made a TC BPF ingress program and I want it to process specific packets only marked by NFTables. Here's my NFTables table that marks the specific packets:

table ip compressor_tc {
        chain prerouting {
                type nat hook prerouting priority -99; policy accept;
                ip daddr 10.50.0.3 tcp dport != ssh mark set 0x00000007
                ip saddr 10.50.0.4 udp dport 1337 mark set 0x00000008
        }
}

I created the qdisc via:

tc qdisc add dev ens18 root handle 1: prio

Now, I am trying to attach the TC BPF program along with applying it only to marked packets (in this case, marked as 7):

tc filter add dev ens18 parent 1:0 prio 1 handle 7 fw flowid 1:1 bpf obj testBPF_Prog.o section test

However, I receive the following:

root@test02:/home/dev/CompressorV2_TC/src# tc filter add dev ens18 parent 1:0 prio 1 handle 7 fw flowid 1:1 bpf obj testBPF_Prog.o section test
What is "bpf"?
Usage: ... fw [ classid CLASSID ] [ indev DEV ] [ action ACTION_SPEC ]
       CLASSID := Push matching packets to the class identified by CLASSID with format X:Y
                  CLASSID is parsed as hexadecimal input.
       DEV := specify device for incoming device classification.
       ACTION_SPEC := Apply an action on matching packets.
       NOTE: handle is represented as HANDLE[/FWMASK].
             FWMASK is 0xffffffff by default.

If I do:

tc filter add dev ens18 parent 1:0 bpf obj testBPF_Prog.o section test

The TC BPF program attaches fine, but it scans all packets. If I do:

tc filter add dev ens18 parent 1:0 prio 1 handle 7 fw flowid 1:1

This doesn't output any errors, but the BPF program isn't attached.

It seems to me like the TC program doesn't know when the fw parameter ends. Therefore, it thinks the bpf parameter is a part of the fw parameter.

I'm wondering if it's possible to separate these statements and if so, will this achieve what I'm trying to do? I've been looking at documentation online, but haven't found any way to do this.

I'm doing this on an Ubuntu 18.04 LTS VM with kernel 5.6.1-050601-generic.

I'm fairly new to TC filter. Therefore, I apologize if I'm missing something obvious.

Any help is highly appreciated and thank you for your time!

Tags: tc, filter
asked on Server Fault May 16, 2020 by Christian Deacon

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0