# "see" packet mark by linux



## vlad2005 (Aug 26, 2009)

Is it possible to filter packets that are marked by a Linux server?
Maybe in version 8 or something?


----------



## DutchDaemon (Aug 26, 2009)

pf.conf(5)

Look for 'set fingerprints'.

Then look at pf.os(5) and /etc/pf.os.


----------



## aragon (Aug 26, 2009)

vlad, it depends on how the Linux system is marking the packets.  If it's using TOS then yes, pf and ipfw can both see TOS.  I don't think DSCP is supported by either yet, but I've seen it discussed.

If you're marking with the iptables --set-mark option, then no, that won't be visible to FreeBSD or any other host outside the Linux machine that set it.  Those "marks" don't get added to the packet.



			
				DutchDaemon said:
			
		

> Look for 'set fingerprints'.
> 
> Then look at pf.os(5) and /etc/pf.os.


This will only work if the linux server is originating the packets, in which case you can probably just as well use the machine's IP address...


----------



## DutchDaemon (Aug 27, 2009)

You might need fingerprinting to find that IP address... unless you already know all machines connecting to your machine. Anyway, I guess I misunderstood the context of 'marking'. Is that something like tagging?


----------



## vivek (Aug 27, 2009)

I don't think marking is like pf tagging. The mark only works with the mangle table. In other words, it only works with routing and will not work outside the mangle table.  It is used for queue disciplines and routing purposes.

Also, pf fingerprinting is not accurate.


----------



## vlad2005 (Aug 27, 2009)

Thanks all for reply!
Now, my ISP says that packets will come to me marked, so I think TOS is used. I understand that packets marked in Linux with --set-mark are visible only to that machine, because the packet is not modified (it is marked at kernel level).
I don't know how fingerprints would help me, because I'm not interested in finding which OS the packets come from.
I need to do some shaping, based on how the packet is marked.
So aragon, how can I filter marked packets using ipfw, since I'm already using this firewall?


----------



## aragon (Aug 27, 2009)

vlad2005 said:


> So aragon, how can filter marked packets using ipfw, because already I'm using this firewall?


Quoted from ipfw(8):


```
iptos spec
             Matches IPv4 packets whose tos field contains the comma separated
             list of service types specified in spec.  The supported IP types
             of service are:

             lowdelay (IPTOS_LOWDELAY), throughput (IPTOS_THROUGHPUT),
             reliability (IPTOS_RELIABILITY), mincost (IPTOS_MINCOST),
             congestion (IPTOS_ECN_CE).  The absence of a particular type may
             be denoted with a `!'.
```

And also of interest from ipfw(8):


```
ipprecedence precedence
             Matches IPv4 packets whose precedence field is equal to
             precedence.
```

So something like this:


```
ipfw add 1000 allow ip from any to any iptos lowdelay
```

Would match packets with TOS set to 0x10.


----------



## vlad2005 (Aug 28, 2009)

Ok, after some discussion with my provider, it seems that packets are marked for DiffServ classes (AF classes).
For instance, in Linux I can filter packets with something like this:

```
# the DSCP match module is "dscp"; it accepts either a class name
iptables -A INPUT -m dscp --dscp-class AF11
# or the raw six-bit value
iptables -A INPUT -m dscp --dscp 10
```
(10 is the decimal value that corresponds to the AF11 class)

I don't know how I can do that in FreeBSD?


----------



## aragon (Aug 28, 2009)

DSCP is backward compatible with the TOS and Precedence fields.  Have a look here for some info on the topic.

In your case this should work:


```
ipfw add 1000 permit ip from any to any ipprecedence 1 iptos !lowdelay,throughput,!reliability,!mincost,!congestion
```

Never tried this myself, so let us know how it goes.


----------



## vlad2005 (Aug 28, 2009)

I understand that the DSCP for AF11 corresponds to ipprecedence equal to 1 and the DSCP for AF21 corresponds to ipprecedence equal to 2.
This can be enough to separate packets based on AF11 and AF21 respectively. So, rules like this can be enough:

```
ipfw add 1000 skipto 5000 ip from any to any ipprecedence 1
ipfw add 1001 skipto 6000 ip from any to any ipprecedence 2
```
Is that right?


----------



## aragon (Aug 28, 2009)

Yea, that will separate AF11 from AF21, but it won't separate AF11 from CS1, AF12 and AF13, or AF21 from CS2, AF22 and AF23.


----------



## vlad2005 (Aug 28, 2009)

My packets are marked with AF11 and AF21, and for these I need to do some shaping. Anyway, this is an emergency solution. I spoke with Marcelo Araujo, who made a patch for ipfw which implements filtering based on the DSCP value. If someone is interested, the patch is attached to this post. When I finish, I will post the results.


----------



## aragon (Aug 28, 2009)

That might be a nice feature to have.  Has it been PR'd?


----------



## vlad2005 (Aug 28, 2009)

Sorry, but what does "PR'd" mean?


----------



## aragon (Aug 28, 2009)

PR is short for Problem Report.  It is the FreeBSD bug submission term, but it is also used for submitting patches that improve functionality of FreeBSD.

http://www.freebsd.org/support.html

Take a look at that page.  If you submit a PR with your patch attached, it stands the chance of being pulled into FreeBSD as an included feature.


----------



## vlad2005 (Aug 28, 2009)

Maybe this can be left to the decision of whoever made the patch.


----------



## overmind (Aug 30, 2009)

I've tried the patch; it is not working. Error at compile time, and my poor C/Unix programming knowledge does not help. If anybody makes the patch apply and then compiles the ipfw utility and kernel module, then please post the patch (for FreeBSD 7.2 if possible).

thank you and best regards


----------



## vlad2005 (Aug 30, 2009)

I tried it on FreeBSD 7.1 and it works, but it does not recognise the dscp option (which is what I'm interested in). I wrote to the author of this patch and am waiting.
Today I worked on finding where the problem is, but I'm stuck on some issues. Anyway, I think one needs to compile the module and binary for ipfw, or recompile the entire kernel.
For the moment I don't have any good news, so if I make some progress I will post in this topic.


----------



## aragon (Aug 30, 2009)

vlad, have you got it working with ipprecedence and/or iptos options?


----------



## vlad2005 (Aug 31, 2009)

Is it what you suggested in a previous post?
I tried it right now, but it gives me an error

```
freebsd# ipfw add 20 count ip from any to any ipprecedence 1 iptos !lowdelay,throughput,!reliability,!mincost,!congestion
lowdelay,throughput,!reliability,!mincost,!congestion: Event not found.
```
Anyway, I finished working with the patch, and it seems to be ok.
But if you have an idea about how to work with your suggestion, that will be ok.


----------



## aragon (Aug 31, 2009)

You need to escape the ! with \.


```
ipfw add 20 count ip from any to any ipprecedence 1 iptos \!lowdelay,throughput,\!reliability,\!mincost,\!congestion
```

Or use single quotes


```
ipfw add 20 count ip from any to any ipprecedence 1 iptos '!lowdelay,throughput,!reliability,!mincost,!congestion'
```


----------



## vlad2005 (Aug 31, 2009)

The command works with the escape, but I don't know exactly how to use it in my case.
So, supposing that I need to count packets with DSCP equal to AF11.
First I use the patched kernel to modify the packet

```
ipfw add 10 modip dscp:AF11 ip from any to any
```

Then I try to intercept these packets. According to what I read, this should look like this.

```
ipfw add 20 count ip from any to any ipprecedence 1 iptos \!lowdelay,throughput,\!reliability,mincost,\!congestion
```

But rule 20 doesn't capture anything. Maybe it's the wrong sequence for the iptos argument.
Anyway, testing with the improvement from the patch gives the desired result.

```
ipfw add 20 count ip from any to any dscp AF11
```

The show command from ipfw looks ok.

```
freebsd# ipfw show
00010  959 82291 modip dscp:AF11 ip from any to any
00020   24  1584 count ip from any to any dscp AF11
65535 1099 92987 allow ip from any to any
```


----------



## aragon (Aug 31, 2009)

vlad2005 said:


> Then i try to intercept these packets. According with what i read, this seam to be like this.
> 
> ```
> ipfw add 20 count ip from any to any ipprecedence 1 iptos \!lowdelay,throughput,\!reliability,mincost,\!congestion
> ```


Should be !mincost.


----------



## aragon (Aug 31, 2009)

BTW, you shouldn't need modip.  That is what your ISP would use.


----------



## vlad2005 (Aug 31, 2009)

Hi!
Yes, it works. That is good news for those who don't want to patch the kernel.
I know that packets are modified by the ISP, but with modip I make the modification myself, and the packets are passed again to the firewall, so it can be tested.
Now, I don't understand why the mincost bit needs to be 0? Or when does it need to be 0 or 1?


----------



## aragon (Aug 31, 2009)

Glad it worked!



			
				vlad2005 said:
			
		

> Now, i don't understand, why mincost bit need to be 0? Or when need to be 0 or 1?


I think your ISP won't set this bit so rather have ipfw match on it being 0.  Otherwise, excluding those last two bits from the match might be more correct:


```
ipfw add 20 count ip from any to any ipprecedence 1 iptos \!lowdelay,throughput,\!reliability
```

I haven't delved much into DSCP, but it looks like those last two bits aren't used.  My guess is your ISP will either set them to 0 or not modify them from what they receive from upstream.


----------
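The DSCP-to-precedence/TOS mapping worked out in the last few posts, as an added example that is not part of the thread or of the modip patch: a small POSIX sh script that derives the equivalent `ipprecedence`/`iptos` match for any standard DSCP class. The class table and the helper names (dscp_value, dscp_to_ipfw_match, dscp_rule) are the example's own, not ipfw keywords. It leaves mincost and congestion out of the iptos spec on purpose, as suggested above: in RFC 3168 terms those two low bits are the ECN field, not part of the six-bit DSCP.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the ipfw(8) match that
# selects one DiffServ code point using only the ipprecedence/iptos keywords
# ipfw already had, i.e. the mapping discussed above.
#
# Layout of the old TOS byte (RFC 791 names, as used by ipfw):
#   bits 7-5  precedence            -> ipprecedence N
#   bit 4     lowdelay    (0x10)    -> iptos lowdelay
#   bit 3     throughput  (0x08)    -> iptos throughput
#   bit 2     reliability (0x04)    -> iptos reliability
#   bit 1     mincost     (0x02)    \ the ECN field in RFC 3168 terms,
#   bit 0     congestion  (0x01)    / not part of the DSCP
# DSCP (RFC 2474) is the top six bits, so tos_byte = dscp << 2.

# Decimal DSCP for the standard class names (table assumed from RFC 2474,
# RFC 2597 and RFC 3246; only the names below are known to this example).
dscp_value() {
    case "$1" in
        CS0|BE) echo 0 ;;
        CS1) echo 8 ;;  AF11) echo 10 ;; AF12) echo 12 ;; AF13) echo 14 ;;
        CS2) echo 16 ;; AF21) echo 18 ;; AF22) echo 20 ;; AF23) echo 22 ;;
        CS3) echo 24 ;; AF31) echo 26 ;; AF32) echo 28 ;; AF33) echo 30 ;;
        CS4) echo 32 ;; AF41) echo 34 ;; AF42) echo 36 ;; AF43) echo 38 ;;
        CS5) echo 40 ;; EF)   echo 46 ;; CS6)  echo 48 ;; CS7)  echo 56 ;;
        *) echo "dscp_value: unknown class $1" >&2; return 1 ;;
    esac
}

# Print "ipprecedence P iptos '<spec>'" matching exactly the given decimal
# DSCP (0-63).  mincost/congestion are left out of the spec so the rule
# matches whatever ECN bits the ISP or the end hosts happen to set.
dscp_to_ipfw_match() {
    dscp=$1
    tos_byte=$((dscp << 2))
    prec=$((tos_byte >> 5))
    spec=""
    for pair in lowdelay:16 throughput:8 reliability:4; do
        name=${pair%%:*}
        mask=${pair##*:}
        if [ $((tos_byte & mask)) -ne 0 ]; then
            flag=$name
        else
            flag="!$name"
        fi
        spec="${spec:+$spec,}$flag"
    done
    # Single quotes so an interactive shell does not treat '!' as history
    # expansion (the "Event not found" error seen earlier in this thread).
    printf "ipprecedence %d iptos '%s'\n" "$prec" "$spec"
}

# Print one complete ipfw rule:  dscp_rule <rulenum> "<action>" <class>
dscp_rule() {
    rulenum=$1
    action=$2
    class=$3
    v=$(dscp_value "$class") || return 1
    printf 'ipfw add %d %s ip from any to any %s\n' \
        "$rulenum" "$action" "$(dscp_to_ipfw_match "$v")"
}

# The two classes from the thread, sent to separate skipto targets.
# Rules are only printed here; point the targets at your pipe/queue rules.
dscp_rule 1000 "skipto 5000" AF11
dscp_rule 1001 "skipto 6000" AF21
```

Running it with `sh` prints the AF11 and AF21 rules, which can be pasted into the ipfw rules file. Note that matching on TOS bits is not authentication: anything upstream that can write the IP header can claim AF11, so shaping on the DSCP only makes sense where the marks come from a trusted ISP edge and the firewall does not accept them from other interfaces.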



## vlad2005 (Aug 31, 2009)

Ok, now it's ok.
I'm glad to see that this discussion has finished with good results.
Anyway, the solution with the patch is elegant, because a rule like this

```
ip from any to any dscp AF11
```
is more readable for many people, and additionally one can benefit from the possibility of modifying packets. In this case ipfw has the same possibilities as iptables in Linux. That is a good opportunity for FreeBSD users.
I'm working to finish the patch for FreeBSD 7.1, because I have a modification of Marcelo Araujo's version, and then I will make a patch for FreeBSD 7.2, because in that version there are some changes to the ipfw file structure compared to 7.1.
All patches will be posted on this forum.
Thanks aragon for your support!


----------



## aragon (Aug 31, 2009)

You're welcome.


----------



## vlad2005 (Aug 31, 2009)

The patch is ready. It works with the kernel for FreeBSD 7.1-RELEASE.
You need to have the kernel source installed in /usr/src.
For those who want to test it as a module, you need to compile the module and the binary for ipfw.
Copy the patch to /usr/src and apply it:

```
#cd /usr/src
#patch < ipfw-modip20090901.diff
```
In the next step you need to copy a file that is used when compiling ipfw. This is very important, so don't miss it.

```
cp /usr/src/sys/netinet/ip_fw.h /usr/include/netinet/ip_fw.h
```
Compile the module and the binary for ipfw:

```
#cd /usr/src/sys/modules/ipfw/
#make && make install && make clean && make cleandir
#cd /usr/src/sbin/ipfw
#make && make install && make clean && make cleandir
```
Then load the ipfw module

```
#kldload ipfw
```
For testing, there is an example in this post.
If you need dummynet, then you need to compile ipfw into the kernel. It does not work as a module.
So put the necessary options in the kernel, compile it, and then compile the binary for ipfw as explained before. Reboot and it must work.
Now you can filter packets based on the DSCP value, or change packets. You can change ipprecedence, tos, dscp and df.


----------



## vlad2005 (Aug 31, 2009)

I have also finished the patch version for FreeBSD 7.2.
Tested and it worked; same steps as described before.

Note.
When compiling the ipfw module, edit the Makefile in /usr/src/sys/modules/ipfw and uncomment the line that configures the firewall to default to accept.

```
CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
```
Otherwise you will be locked out by the firewall when the ipfw module loads.


----------



## vlad2005 (Sep 29, 2009)

A user reported that "modip:tos" gives an error when it's used, so I've put new patches for 7.1 and 7.2 here that resolve this issue.


----------



## WrEtCh (Oct 24, 2011)

*modip for FreeBSD 8.2*

I am very interested in this patch; however, I work on FreeBSD 8.1 and 8.2. I am writing this post to ask if anybody can make the patch apply and then compile ipfw for FreeBSD versions 8.1 and 8.2.

Thank you in advance and best regards.


----------

