Tc Filter - Port Ranges Calculate Mask Value

 
 
anshul makkar

 
      10-22-2007, 12:13 PM
Hi,

I need to support port ranges in tc filter rules.

I know how to formulate the rule, but I am not able to understand how
to calculate the mask value to segregate the port values that lie
within a particular range.

I got the following sample

"tc filter add dev eth1 parent 1:1 protocol ip prio 10 u32 match ip
sport 0x1ae0 0x1ff0 flowid 1:10 This rule will match all ports from
6880 to 6895. "

This rule correctly matches port range from 6880 to 6895. But I am
unable to figure out how the mask value 0x1ff0 has been calculated.

I am picking up port ranges from GUI. So the range can be any and I
need to calculate mask value so as to find out which ports lie within
the entered range.

Suppose user has entered the port range as 10 - 20. Then what should be
the mask value corresponding to this range?

Please if you have any link, clue or reference material, do share it.

Thanking You
Anshul Makkar

 
 
 
 
 
buck

 
      10-22-2007, 08:42 PM


I'm no expert, but I shall try here to give you a cookbook approach.

The first thing you must understand is that the values are powers of
2. Therefore I don't think that your example ports 10 through 20
above can be done with a single value/mask.

The beginning value of the port range is determined by the power of 2
value and the ending value is one less than the next power of 2 value.
Ignoring 1:
Port Range
2 - 3
4 - 7
8 - 15
16 - 31
32 - 63
64 - 127
128 - 255
Note that the hex value of each of the ending values ends with F.

Find the port in the above list and then convert the ENDING value to
hex. In the Bit Torrent example you cited, the ending value is 8191d
or 1FFF hex. That is the maximum mask value.

If you mask 1AE0h with 1FFFh, then only 1AE0h will match. To match
more ports, reduce the mask by the number of ports. Again in that Bit
Torrent example, the match covers 15 ports so the mask is reduced by
15d to 8176d or 1FF0h.

Hugely oversimplified, where the mask bit is a binary one, the
corresponding bit in the match value must also be a one in order for
the match to return TRUE. A zero in the mask value might be said to
"not matter" or "match regardless".

A rule that tries to match ports 10 through 20 must stop at 15 because
you pass the power of 2 boundary. 10d = 0Ah and the maximum mask is
15d = 0Fh. Reducing the mask by 6 (ports 10 through 15 amounts to 6
ports) leaves a mask value of 09.

I leave it to you to decide if
u32 match ip sport 0x0A 0x09
actually matches the port range from 10 through 15 or if you can
figure out a way to exclude ports less than 10 by using a maximum mask
value of 1Fh.
--
buck

 
 
anshul makkar

 
      10-23-2007, 05:08 AM



Excellent.

Thanks a lot !!.

Your explanation was really helpful.

Thanks a lot again !!

 
 
anshul makkar

 
      10-23-2007, 12:10 PM



Hi,
I tried to apply the above given logic on the range 49930 - 50175, but
it didn't work.
2^16 = 65536.
65536 - 1 = 65535 = 0xffff = mask value

Now I need to match (50175 - 49930) = 245 = 0xF5 values.

Thus the modified mask value = 0xffff - 0xf5 = 0xff0a.

Now when I implemented the tc filter "u32 match ip sport 0xc30a
0xff0a", correct ports were not matched.
Some ports outside the range were matched and some ports that were
inside the range didn't match.

The above cited logic worked for 100 - 127, 8 - 15, 6880 - 6895, 5552
- 5567, but failed for the 49930 - 50175 range.

I am not able to find out the reason for the failure for this
particular range. If this is the case, then maybe some other
parameters are there that also play a role in formation of mask value,
which we may be overlooking.

Please if you have any idea/hint, do share it.

Thanking You
Anshul Makkar

 
 
buck

 
      10-23-2007, 08:17 PM
On Tue, 23 Oct 2007 12:10:21 -0000, anshul makkar
<(E-Mail Removed)> wrote:
>Hi,
>I tried to apply the above given logic on the range 49930 - 50175, but
>it didn't work.
>2^16 = 65536.
>65536 -1 = 65535 = 0xffff. = mask value
>
>Now I need to match (50175 - 49930) = 245 = 0xF5 values.
>
>Thus the modified mask value = 0xffff - 0xf5 = 0xff0a.


This mask is problematic because it does not end with one or more
zeros. Mostly only port numbers ending with binary 1010 are going to
match. I'd like to replace "mostly" with "only" but the problem here
is that only ports where that rightmost 1 bit is set are going to
match your mask.

These are valid with u32. Ignore the hyphens, they are here so that
counting ones is easier:
1111-1111-0000-0000 = 0xFF00
1111-1111-1000-0000 = 0xFF80
1111-1111-1100-0000 = 0xFFC0
1111-1111-1110-0000 = 0xFFE0
1111-1111-1111-0000 = 0xFFF0
1111-1111-1111-1000 = 0xFFF8

If you set the mask to 0xFF00 then you will expand the port range
beyond what you want. If you set it to 0xff80 the opposite... But
both of these masks IN BINARY switch from a string of contiguous ones
to a string of contiguous zeros, and that is what works for a u32
match.

If you Just Gotta Have the specified port range, think about marking
your desired port range with iptables and then set your tc match to
match the mark. Perhaps 2 filter lines will accomplish what you want.

I am not able to find it now, but there was recently in the LARTC
mailing list a link to an excellent write up for filters. Maybe this
is it: http://www.stuart.id.au/russell/file...tc/cls_u32.txt
--
buck
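
Added example, not from the thread or any poster: u32 accepts a port when (port & mask) == (value & mask), so an arbitrary range has to be split into aligned power-of-two blocks, one rule per block. The function names are hypothetical and the eth1 / 1:1 / 1:10 values are reused from the sample rule quoted above; the script also counts how many ports the sample's 0x1ff0 mask accepts.

```python
"""Split a port range into u32 value/mask pairs (added example)."""

# Command shape copied from the sample rule quoted in the thread.
RULE = ("tc filter add dev eth1 parent 1:1 protocol ip prio 10 "
        "u32 match ip sport 0x{:04x} 0x{:04x} flowid 1:10")


def matches(port, value, mask):
    """u32 compares only the bits selected by the mask."""
    return (port & mask) == (value & mask)


def covered(value, mask):
    """Every 16-bit port that one value/mask pair accepts."""
    return [p for p in range(0x10000) if matches(p, value, mask)]


def range_to_matches(lo, hi):
    """Return aligned power-of-two blocks covering exactly lo..hi."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("need 0 <= lo <= hi <= 65535")
    pairs = []
    while lo <= hi:
        # Largest power-of-two block that can start at lo (its alignment) ...
        size = lo & -lo if lo else 0x10000
        # ... halved until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        # Mask is contiguous ones followed by log2(size) zeros.
        pairs.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return pairs


def tc_rules(lo, hi):
    """One tc command line per block."""
    return [RULE.format(v, m) for v, m in range_to_matches(lo, hi)]


if __name__ == "__main__":
    for lo, hi in [(6880, 6895), (10, 20), (49930, 50175)]:
        print(f"# ports {lo}-{hi}")
        print("\n".join(tc_rules(lo, hi)))
    # A mask with zero bits above the prefix leaves those bits unchecked.
    print(len(covered(0x1AE0, 0x1FF0)), "ports match 0x1ae0/0x1ff0")
    print(len(covered(0x1AE0, 0xFFF0)), "ports match 0x1ae0/0xfff0")
```

Before installing generated rules, compare `covered()` for each pair against the intended range; a filter that accepts more ports than intended classifies unrelated traffic into the same flow.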

 