According to this https://blog.cloudflare.com/how-to-drop-10-million-packets/ dropping ingress packets with tc should be easy peasy, but I just can't figure out the proper syntax for Asus (AC-66 2.6.22.19 #1 Mon Sep 12 19:17:46 MST 2016 mips GNU/Linux) version of tc.
I've tried about a thousand variations with different devices and options so any help would be very welcome.
As a test I'm trying to drop packets with the TCP RST bit set, but nothing much happens even with the police drop syntax. Should the ingress qdisc rather be attached to vlan1? But no success with either.
Code:
$ tc qdisc add dev ppp0 ingress
$ tc -s -d qdisc show dev ppp0
qdisc ingress ffff: parent ffff:fff1 ----------------
Sent 112206402 bytes 594027 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
$ tc filter add dev ppp0 parent ffff: prio 101 protocol ip u32 match ip protocol 0x6 0xff match u8 0x05 0x0f at 0 match u8 0x04 0x04 at 33 flowid ffff: action drop
RTNETLINK answers: Operation not supported
We have an error talking to the kernel
$ tc filter add dev ppp0 parent ffff: prio 101 protocol ip u32 match ip protocol 0x6 0xff match u8 0x05 0x0f at 0 match u8 0x04 0x04 at 33 flowid ffff: police drop
$
Even trying a very simple filter to match all TCP packets doesn't produce anything resembling hits.
Code:
$ tc filter add dev ppp0 parent ffff: prio 111 protocol ip u32 match ip protocol 0x6 0xff flowid ffff: police drop
$ tc -s -d filter show dev ppp0 parent ffff:
filter protocol ip pref 111 u32
filter protocol ip pref 111 u32 fh 80c: ht divisor 1
filter protocol ip pref 111 u32 fh 80c::800 order 2048 key ht 80c bkt 0 flowid ffff:
match 00060000/00ff0000 at 8
police 0x1a rate 0bit burst 0b mtu 4096Mb action drop
ref 0 bind 0
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
There's very little Google help regarding tc to begin with, and it's all the more frustrating that Asus throws errors with many of the examples found.
Now, WHY use tc when this would be dead simple with iptables? Well, see Cloudflare's blog entry showing tc being 300% faster than iptables at dropping packets.
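The u32 selectors in the filters above can be checked offline, independently of the router and its kernel. The following Python script is an added example, not the poster's code and not part of tc: it parses the `match ...` part of a u32 filter (the `match u8 VALUE MASK at OFFSET` form and the `match ip protocol VALUE MASK` shorthand, which tc expands to a u8 match at byte 9 of the IPv4 header) and evaluates it against constructed IPv4/TCP packets the way u32 does, comparing masked bytes at a fixed offset from the start of the IP header. The filter text is copied from the post; the packets, port numbers and addresses are constructed test input. The script says nothing about why the router answers "Operation not supported"; it only confirms what the selectors would and would not match.

```python
"""
Offline check of tc u32 selectors against constructed IPv4/TCP packets.
Added example, not the poster's code. It does not talk to the kernel;
it only evaluates the "match ..." part of a u32 filter the way u32
does (value & mask compared with packet bytes at a fixed offset from
the start of the IP header) so selectors can be sanity-checked before
they are loaded on the router.
"""
import struct

# Selector text copied from the RST-dropping filter in the post.
RST_FILTER_ARGS = ("match ip protocol 0x6 0xff "
                   "match u8 0x05 0x0f at 0 "
                   "match u8 0x04 0x04 at 33")

# The simpler "all TCP" filter from the post.
TCP_FILTER_ARGS = "match ip protocol 0x6 0xff"


def parse_u32_selectors(filter_args):
    """Turn 'match ...' tokens into (width_bytes, value, mask, offset) tuples.

    Handles 'match u8|u16|u32 VALUE MASK at OFFSET' and the shorthand
    'match ip protocol VALUE MASK', which tc expands to a u8 match at
    byte 9 of the IPv4 header. Other u32 shorthands are not supported here.
    """
    toks = filter_args.split()
    selectors = []
    i = 0
    while i < len(toks):
        if toks[i] != "match":
            raise ValueError("expected 'match' at token %d: %r" % (i, toks[i]))
        kind = toks[i + 1]
        if kind == "ip" and toks[i + 2] == "protocol":
            value, mask = int(toks[i + 3], 0), int(toks[i + 4], 0)
            selectors.append((1, value, mask, 9))
            i += 5
        elif kind in ("u8", "u16", "u32") and toks[i + 4] == "at":
            width = int(kind[1:]) // 8
            value, mask = int(toks[i + 2], 0), int(toks[i + 3], 0)
            offset = int(toks[i + 5], 0)
            if offset % width:
                # tc rejects u16/u32 matches at offsets not aligned to their width.
                raise ValueError("offset %d not aligned for %s" % (offset, kind))
            selectors.append((width, value, mask, offset))
            i += 6
        else:
            raise ValueError("unsupported selector starting at %r" % toks[i:i + 6])
    return selectors


def first_failing_selector(packet, selectors):
    """Index of the first selector the packet does not satisfy, or None if all match."""
    for idx, (width, value, mask, offset) in enumerate(selectors):
        field = packet[offset:offset + width]
        if len(field) < width:
            return idx  # packet too short to contain the field
        if int.from_bytes(field, "big") & mask != value & mask:
            return idx
    return None


def u32_match(packet, selectors):
    """True if every selector matches, i.e. the filter would fire on this packet."""
    return first_failing_selector(packet, selectors) is None


def build_ipv4_tcp(tcp_flags, ip_options=b""):
    """Constructed IPv4+TCP packet (not captured traffic). ip_options must be a
    multiple of 4 bytes; non-empty options push the TCP header past offset 20."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + 20
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol 6 (TCP), checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    # src port, dst port, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


RST, SYN, ACK = 0x04, 0x02, 0x10

if __name__ == "__main__":
    rst_sel = parse_u32_selectors(RST_FILTER_ARGS)
    cases = {
        "RST": build_ipv4_tcp(RST),
        "RST|ACK": build_ipv4_tcp(RST | ACK),
        "SYN": build_ipv4_tcp(SYN),
        "RST with IP options": build_ipv4_tcp(RST, ip_options=b"\x01" * 4),
    }
    for name, pkt in cases.items():
        failed = first_failing_selector(pkt, rst_sel)
        verdict = "match" if failed is None else "no match (selector %d)" % failed
        print("%-22s %s" % (name, verdict))
```

Running it shows that the three selectors match a plain RST (and RST|ACK) and reject a SYN at selector 2, the flags byte. A packet carrying IP options fails at selector 1 (`match u8 0x05 0x0f at 0`), because the IHL is no longer 5 and the TCP flags byte is no longer at offset 33; that check is what keeps the fixed offset from reading garbage, at the cost of never matching such packets. If the filter loads but shows zero hits on the router, this kind of offline check rules out the selectors themselves and leaves the qdisc attachment point and kernel support as the things to look at.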