From a787d9ae10e54952213cf889260d994cd84f70ef Mon Sep 17 00:00:00 2001 From: Anssi Hannula Date: Thu, 4 Nov 2021 16:42:05 +0200 Subject: [PATCH] man: tc-u32: Fix page to match new firstfrag behavior Commit 690b11f4a6b8 ("tc: u32: Fix firstfrag filter.") applied in 2012 changed the "ip firstfrag" selector to not match non-fragmented packets anymore. However, the documentation added in f15a23966fff ("tc: add a man page for u32 filter") in 2015 includes an example that relies on the previous behavior (non-fragmented packet counted as first fragment). Due to this, the example does not work correctly and does not actually classify regular SSH packets. Modify the example to use a raw u16 selector on the fragment offset to make it work, and also make the firstfrag description more clear about the current behavior. Fixes: f15a23966fff ("tc: add a man page for u32 filter") Signed-off-by: Anssi Hannula Cc: Phil Sutter Cc: Hiroaki SHIMODA Acked-by: Phil Sutter Signed-off-by: Stephen Hemminger --- man/man8/tc-u32.8 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/man/man8/tc-u32.8 b/man/man8/tc-u32.8 index e5690681a..dfbf73eb3 100644 --- a/man/man8/tc-u32.8 +++ b/man/man8/tc-u32.8 @@ -427,7 +427,7 @@ Also minimal header size for IPv4 and lack of IPv6 extension headers is assumed. IPv4 only, check certain flags and fragment offset values. Match if the packet is not a fragment .RB ( nofrag ), -the first fragment +the first fragment of a fragmented packet .RB ( firstfrag ), if Don't Fragment .RB ( df ) @@ -644,7 +644,7 @@ tc filter add dev eth0 parent 1:0 protocol ip \\ tc filter add dev eth0 parent 1:0 protocol ip \\ u32 ht 800: \\ match ip protocol 6 FF \\ - match ip firstfrag \\ + match u16 0 1fff at 6 \\ offset at 0 mask 0f00 shift 6 \\ link 1: .EE -- 2.47.2