layer7 protocol rules never match any packets

liblit
DD-WRT Novice


Joined: 07 Jul 2012
Posts: 2

PostPosted: Sat Jul 07, 2012 20:06    Post subject: layer7 protocol rules never match any packets
I am using DD-WRT v24-sp2 (03/19/12) std (SVN revision 18777) installed on a D-Link DIR-825 rev. B1 router. I've enabled QoS in the web GUI, and added a "Services Priority" entry for service name "ssh" with priority "Express".

Unfortunately, inspecting "/proc/net/ip_conntrack" on the router shows that this rule is not being applied. All SSH-related connections are listed with "mark=0". Running "iptables -t mangle -L -v" shows that the "FILTER_IN" and "FILTER_OUT" chains each have a rule added that ought to match the SSH protocol, but that the packet counts matched by these rules remain at 0:

Quote:
pkts bytes target prot opt in out source destination
...
0 0 MARK 0 -- any any anywhere anywhere LAYER7 l7proto ssh MARK set 0x14


I also notice a similar rule on the "FILTER_OUT" chain that ought to be matching DNS traffic. It too has a packet count of 0, showing that it never matched anything:

Quote:
pkts bytes target prot opt in out source destination
...
0 0 MARK 0 -- any any anywhere anywhere LAYER7 l7proto dns MARK set 0xe


As a sanity check, I used the web GUI to define my own service corresponding to any TCP on port 22. This resulted in two rules added to both the "FILTER_IN" and "FILTER_OUT" chains:

Quote:
pkts bytes target prot opt in out source destination
...
82 8429 MARK tcp -- any any anywhere anywhere tcp dpt:ssh MARK set 0x14
61 7097 MARK tcp -- any any anywhere anywhere tcp spt:ssh MARK set 0x14


Notice here that the packet counts (1st column) are nonzero, showing that these rules did match some packets. So the iptables "mangle" tables are being used, but it seems that the "LAYER7 l7proto" rules are just not matching anything, ever.

What's going wrong here? How can I debug this further? Any hints would be much appreciated.
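A quick way to turn the counter comparison in this post into a repeatable check is to scan the mangle table for LAYER7 rules whose packet counter is still zero. This is an added example, not code from the thread or from DD-WRT; the sample output below is constructed to mirror the listings above, and on a router you would feed it real output with "iptables -t mangle -L -v -n" instead.

```shell
#!/bin/sh
# Constructed sample of "iptables -t mangle -L -v" output, modelled on the
# FILTER_OUT listings in the post above (not captured from a real router).
SAMPLE='Chain FILTER_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       0    --  any    any     anywhere             anywhere             LAYER7 l7proto ssh MARK set 0x14
    0     0 MARK       0    --  any    any     anywhere             anywhere             LAYER7 l7proto dns MARK set 0xe
   82  8429 MARK       tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh MARK set 0x14
   61  7097 MARK       tcp  --  any    any     anywhere             anywhere             tcp spt:ssh MARK set 0x14'

# Read iptables -v output on stdin and print "<l7 protocol> <mark>" for every
# LAYER7 rule whose packet counter (column 1) is still 0.  Rules that have
# matched traffic, and rules that do not use the layer7 match, are skipped.
# The "pkts" header line is ignored because its first field is not numeric,
# and large counters such as "12K" never compare equal to 0.
dead_l7_rules() {
    awk '
        /LAYER7 l7proto/ && $1 == 0 {
            proto = "?"; mark = "?"
            for (i = 1; i < NF; i++) {
                if ($i == "l7proto") proto = $(i + 1)
                if ($i == "set")     mark  = $(i + 1)
            }
            print proto, mark
        }'
}

# Count how many LAYER7 rules exist at all, so "nothing dead" can be told
# apart from "no layer7 rules installed in the first place".
count_l7_rules() {
    grep -c 'LAYER7 l7proto'
}

# Stand-alone run against the constructed sample.
# expected output:
#   ssh 0x14
#   dns 0xe
printf '%s\n' "$SAMPLE" | dead_l7_rules
```

A non-empty result while the plain port-based rules in the same chain show non-zero counters points at the layer7 match itself (pattern file, kernel module or the rule's position in the chain) rather than at QoS marking in general.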
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Sun Jul 08, 2012 8:34    Post subject:
I have already worked (reported) this with markus, it should be fixed next release.
_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r55797 std
[QUALCOMM] DIR-862L --------------------------------> r55797 std
▲ ACTIVE / INACTIVE ▼
[QUALCOMM] WNDR4300 v1 --------------------------> r50485 std
[BROADCOM] DIR-860L A1 ----------------------------> r50485 std


Sigh.. why do i exist anyway.. | I love you Anthony.. never forget that.. my other 99% that ill never see again..

liblit
DD-WRT Novice


Joined: 07 Jul 2012
Posts: 2

PostPosted: Mon Jul 09, 2012 14:58    Post subject:
Quote:
it should be fixed next release


Great, thank you! Can you give any more info, just to satisfy my curiosity (and impatience)? Is there a tracker bug for this? A commit I could look at? A suggested workaround in the meantime?
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Mon Jul 09, 2012 18:16    Post subject:
http://svn.dd-wrt.com/changeset/19379 & several other QoS fixes after it.

DocMAX
DD-WRT Novice


Joined: 17 Jun 2012
Posts: 13

PostPosted: Sun Dec 23, 2012 8:11    Post subject:
still doesn't work on 90% of all l7proto layers!