From PAINETA at uwec.edu Fri Feb 7 11:45:23 2014
From: PAINETA at uwec.edu (Paine, Thomas Asa)
Date: Fri, 07 Feb 2014 16:45:23 -0000
Subject: [Click] This thing still live?
Message-ID:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thomas Paine {paineta at uwec.edu}
University of Wisconsin - Eau Claire
Ph: 715-836-3078
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From wrightsophia119 at gmail.com Tue Feb 11 19:36:40 2014
From: wrightsophia119 at gmail.com (sophia wright)
Date: Wed, 12 Feb 2014 00:36:40 -0000
Subject: [Click] How to run parallel functions, thread in click
Message-ID:

Hello clickers,

I have implemented my own element: rstPacket. My element rstPacket extracts some info (dstIP, srcIP, etc.) from the input IP packet and creates a Reset TCP packet.

My current version works like this:

    tmp::rstPacket;
    PreviewsElement[0] ->tmp[0]->nextElement
    tmp[1]->otherElement

This version is sequential, but it works normally.

At this point I want to create a new version in which the creation of the RST packet is independent of the packet p; I want to run it in parallel. So I tried to do this:

    t:: Tee(2);
    PreviewsElement[0]->t;
    t[0]->nextElement
    t[1]->rstPacket->otherElement

The general idea above is that I create a clone of a packet p, so on output zero the packet p is routed normally, without any side effect. On output one I have a clone of the packet; I use it to extract my info and I create the reset packets.

But it doesn't work; the router crashes at the point --- of Tee(2)

Any idea, someone, how I can run an element, or a function in my element, in parallel?

In general I want to extract some info from a packet, and then I want to route the packet normally.

Thank you

From wrightsophia119 at gmail.com Tue Feb 11 19:40:01 2014
From: wrightsophia119 at gmail.com (sophia wright)
Date: Wed, 12 Feb 2014 00:40:01 -0000
Subject: [Click] how to runparallel functions, thread in click
Message-ID:

Hello clickers,

I have implemented my own element: rstPacket. My element rstPacket extracts some info (dstIP, srcIP, etc.) from the input IP packet and creates a Reset TCP packet.

My current version works like this:

    tmp::rstPacket;
    PreviewsElement[0] ->tmp[0]->nextElement
    tmp[1]->otherElement

This version is sequential, but it works normally.

At this point I want to create a new version in which the creation of the RST packet is independent of the packet p; I want to run it in parallel. So I tried to do this:

    t:: Tee(2);
    PreviewsElement[0]->t;
    t[0]->nextElement
    t[1]->rstPacket->otherElement

The general idea above is that I create a clone of a packet p, so on output zero the packet p is routed normally, without any side effect. On output one I have a clone of the packet; I use it to extract my info and I create the reset packets.

But it doesn't work; the router crashes at the point --- of Tee(2)

Any idea, someone, how I can run an element, or a function in my element, in parallel?

In general I want to extract some info from a packet, and then I want to route the packet normally.

Thank you

From wrightsophia119 at gmail.com Wed Feb 12 11:32:09 2014
From: wrightsophia119 at gmail.com (sophia wright)
Date: Wed, 12 Feb 2014 16:32:09 -0000
Subject: [Click] copy of packet Tee(2) Segmentation , out of workclick list
Message-ID:

Hello Mr Kohler,

I would be very happy if you could give me a solution to the problem that I describe above.

I have implemented my own element: rstPacket. My element rstPacket extracts some info (dstIP, srcIP, etc.) from each input IP packet and creates a Reset TCP packet.

My current version works like this:

    myElem::rstPacket;
    PreviewsElement[0] ->myElem[0]->nextElement   // myElem[0] pushes the packet p
    myElem[1]->otherElement;                      // myElem[1] pushes the new reset packet that is created

This version is sequential, but it works normally.

At this point I want to create a new version in which the creation of the RST packet is independent of the packet p. So I want to extract from a packet but not to wait the . So I tried to do this:

    t:: Tee(2);
    PreviewsElement[0]->t;
    t[0]->nextElement
    t[1]->rstPacket->otherElement

The general idea above is that I create a clone of a packet p, so on output port zero the packet p is routed normally, without any side effect. On output port one I have a clone of the packet; I use it to extract my info and I create the reset packets.

But it doesn't work; the router crashes at the point --- of Tee(2)

SEGMENTATION FAULT

Any idea how I can run an element, or a function in my element, in parallel?

In general I want to extract some info from a packet, and then I want to route the packet normally.

Any hint how to make it independent? Why does this solution fail?

Thank you in advance

PS: I tried to post my question on the Click list, but I think it is down.

From avinash.sridharan at gmail.com Fri Feb 21 10:29:06 2014
From: avinash.sridharan at gmail.com (Avinash Sridharan)
Date: Fri, 21 Feb 2014 15:29:06 -0000
Subject: [Click] click-modualr-router with DPDK
Message-ID:

Hi,

I was playing with the Click modular router (albeit a slightly older version), and given that we can run Click in user space, I was wondering if anyone is aware of efforts to integrate Click with Intel's DPDK framework?

Thanks,
Avinash

From teryvak at gmail.com Mon Feb 24 01:52:41 2014
From: teryvak at gmail.com (Varnika Yertha)
Date: Mon, 24 Feb 2014 06:52:41 -0000
Subject: [Click] Add my email
Message-ID:

Hi

Please add my email to your list so I can post/ask questions.

Thanks!
Varnika

From larsbro at gmail.com Mon Feb 24 06:12:08 2014
From: larsbro at gmail.com (Lars Bro)
Date: Mon, 24 Feb 2014 11:12:08 -0000
Subject: [Click] Latest kernel supported by patchless
Message-ID:

Hi,

What is the latest kernel supported by patchless? 3.5?

Lars Bro

From larsbro at gmail.com Tue Feb 25 03:51:45 2014
From: larsbro at gmail.com (Lars Bro)
Date: Tue, 25 Feb 2014 08:51:45 -0000
Subject: [Click] Supported Linux version
Message-ID:

Hi list,

I have tried Click usermode and patchless on kernel 3.10.32, and it works out of the box in 64-bit mode. So my question is: what is the latest supported kernel, or is there a test that I could run in order to check that everything is OK?

yours,
Lars Bro

From larsbro at gmail.com Tue Feb 25 08:37:38 2014
From: larsbro at gmail.com (Lars Bro)
Date: Tue, 25 Feb 2014 13:37:38 -0000
Subject: [Click] NOACK on outgoing Radiotap packets
Message-ID:

Hi, list

I have been working a bit with the ath5k driver, which is a mac80211 driver. It is now possible for mac80211-based drivers to send packets via the monitoring interface. Such packets must however be marked for NOACK in the tx flags, because otherwise the driver will expect an ACK and thus retransmit all packets.

I have made a pull request that provides an element SetNoAck() to set this. Below is an example:

    RatedSource()
        -> UDPIPEncap(10.0.0.1, 1001, 10.0.0.2, 1002)
        -> EtherEncap(0x0800, 2:0:0:0:0:1, 2:0:0:0:0:2)
        -> WifiEncap(0, 00:00:00:00:00:00)
        -> SetTXRate(3)
        -> SetNoAck()
        -> RadiotapEncap()
        -> Queue()
        -> ToDevice(mon0);

Setting TX power with SetTxPower does not have any effect on this kind of radio.

Setting TX rate can be done with the SetTxRate() element. However, if the mac80211 radio has rate control, that will override the rate set by SetTxRate. Below is a small patch for mac80211 that changes the behavior so that rate control is not applied if the packet already got a rate.

From larsbro at gmail.com Tue Feb 25 08:40:07 2014
From: larsbro at gmail.com (Lars Bro)
Date: Tue, 25 Feb 2014 13:40:07 -0000
Subject: [Click] Set NOACK on outgoing... (contd)
Message-ID:

--- net/mac80211/tx.c- 2013-10-10 20:55:25.623266347 +0000 +++ net/mac80211/tx.c 2013-10-10 21:03:28.552256199 +0000
@@ -1308,8 +1308,13 @@ CALL_TXH(ieee80211_tx_h_ps_buf); CALL_TXH(ieee80211_tx_h_check_control_port_protocol); CALL_TXH(ieee80211_tx_h_select_key); - if (!(tx->local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL)) - CALL_TXH(ieee80211_tx_h_rate_ctrl); + + /* + * Do not perform rate control if rate is already set (eg. by radiotap). + */ + if (!info->control.rates[0].idx) + if (!(tx->local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL)) + CALL_TXH(ieee80211_tx_h_rate_ctrl); if (unlikely(info->flags & IEEE80211_TX_INTFL_RETRANSMISSION)) { __skb_queue_tail(&tx->skbs, tx->skb); @@ -1467,6 +1472,7 @@ int ret = ieee80211_radiotap_iterator_init(&iterator, rthdr, skb->len, NULL); u16 txflags; + int i; info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT | IEEE80211_TX_CTL_DONTFRAG; @@ -1523,6 +1529,22 @@ * when parsing new fields here. */ + /* + * Rate is passed as a rate index. + */ + case IEEE80211_RADIOTAP_RATE: + printk("radiotap came with rate idx %d\n", *iterator.this_arg); + info->control.rates[0].idx = *iterator.this_arg; + info->control.rates[0].flags = 0; + info->control.rates[0].count = 1; + for (i = 1; i < IEEE80211_TX_MAX_RATES; i++) { + info->control.rates[i].idx = -1; + info->control.rates[i].flags = 0; + info->control.rates[i].count = 0; + } + break; + + default: break; } From bskmohan at gmail.com Tue Feb 25 14:29:43 2014 
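Review bot: In the first hunk of net/mac80211/tx.c (@@ -1308), the guard `if (!info->control.rates[0].idx)` treats rate index 0 as "no rate set", but 0 is also a usable index, and the radiotap case added later in this patch marks unused entries with idx = -1. As written, a frame that asks for index 0 still goes through ieee80211_tx_h_rate_ctrl, while an entry holding -1 would skip rate control although nothing chose a rate. Testing `info->control.rates[0].idx < 0`, or a dedicated flag set only by the radiotap parser, and folding it into the existing IEEE80211_HW_HAS_RATE_CONTROL condition with && would remove both the ambiguity and the unbraced nested if. The hunk also relies on `info` being in scope at this point, which the context lines do not show.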
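Review bot: In the IEEE80211_RADIOTAP_RATE case of the last hunk (@@ -1523), `*iterator.this_arg` is copied from the injected frame into info->control.rates[0].idx with no range check, so a value beyond the number of bitrates the band supports reaches the driver as a rate index. Validate it against the band's bitrate count and ignore or reject the field otherwise. The radiotap Rate field is defined in units of 500 kbps, so reading it as an index, as the new comment states, changes the meaning of the field for every other sender; looking the value up in the bitrate table would keep the format intact. The printk has no log level and fires once per injected frame; drop it or turn it into a rate-limited debug message.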
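The radiotap Rate and TX-flags fields that Lars Bro's two messages above rely on, as an added example that is not part of the original posts, of Click or of mac80211: a bounds-checked parser for the transmit-side header, plus a builder for a constructed sample. All `rt_`/`RT_` names are this example's own; the rate value 22 is a constructed sample in the standard radiotap unit of 500 kbit/s.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RT_RATE        2        /* present bit: IEEE80211_RADIOTAP_RATE */
#define RT_TX_FLAGS    15       /* present bit: IEEE80211_RADIOTAP_TX_FLAGS */
#define RT_F_TX_NOACK  0x0008   /* IEEE80211_RADIOTAP_F_TX_NOACK */
#define RT_EXT         (1u << 31) /* another present bitmap follows */

struct rt_tx_info {
    int has_rate, has_txflags;
    uint8_t rate;               /* radiotap unit: 500 kbit/s */
    uint16_t txflags;
};

/* {alignment, size} in bytes of the fields for present bits 0..15 */
static const uint8_t rt_fields[16][2] = {
    {8, 8}, {1, 1}, {1, 1}, {2, 4}, {2, 2}, {1, 1}, {1, 1}, {2, 2},
    {2, 2}, {2, 2}, {1, 1}, {1, 1}, {1, 1}, {1, 1}, {2, 2}, {2, 2},
};

static uint16_t rt_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rt_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if malformed or truncated,
 * -2 if the header uses an extended bitmap (not handled here). */
int rt_parse_tx(const uint8_t *buf, size_t buflen, struct rt_tx_info *out)
{
    size_t hdrlen, off = 8;     /* fields start after the 8-byte header */
    uint32_t present;
    int bit;

    memset(out, 0, sizeof(*out));
    if (buflen < 8 || buf[0] != 0)          /* it_version must be 0 */
        return -1;
    hdrlen = rt_le16(buf + 2);              /* it_len, little endian */
    if (hdrlen < 8 || hdrlen > buflen)
        return -1;
    present = rt_le32(buf + 4);
    if (present & RT_EXT)
        return -2;

    /* Fields appear in bit order, each aligned relative to header start. */
    for (bit = 0; bit < 16; bit++) {
        size_t align = rt_fields[bit][0], size = rt_fields[bit][1];

        if (!(present & (1u << bit)))
            continue;
        off = (off + align - 1) & ~(align - 1);
        if (off + size > hdrlen)            /* field runs past it_len */
            return -1;
        if (bit == RT_RATE) {
            out->has_rate = 1;
            out->rate = buf[off];
        } else if (bit == RT_TX_FLAGS) {
            out->has_txflags = 1;
            out->txflags = rt_le16(buf + off);
        }
        off += size;
    }
    return 0;
}

/* 1 if the frame tells the driver not to wait for an ACK. */
int rt_is_noack(const struct rt_tx_info *ti)
{
    return ti->has_txflags && (ti->txflags & RT_F_TX_NOACK) != 0;
}

/* Writes a 12-byte header carrying Rate and TX flags; returns its length. */
size_t rt_build_tx(uint8_t *buf, size_t buflen, uint8_t rate, uint16_t txflags)
{
    const uint32_t present = (1u << RT_RATE) | (1u << RT_TX_FLAGS);

    if (buflen < 12)
        return 0;
    memset(buf, 0, 12);
    buf[2] = 12;                            /* it_len */
    buf[4] = present & 0xff;
    buf[5] = (present >> 8) & 0xff;
    buf[8] = rate;                          /* byte 9 pads TX flags to 2 */
    buf[10] = txflags & 0xff;
    buf[11] = (uint8_t)(txflags >> 8);
    return 12;
}

int main(void)
{
    uint8_t hdr[12];
    struct rt_tx_info ti;
    /* Constructed sample: 11 Mbit/s (22 * 500 kbit/s) with NOACK set */
    size_t n = rt_build_tx(hdr, sizeof(hdr), 22, RT_F_TX_NOACK);
    int rc = rt_parse_tx(hdr, n, &ti);

    printf("rc=%d rate=%u noack=%d\n", rc, ti.rate, rt_is_noack(&ti));
    return rc != 0;
}
```

The parser rejects a header whose `it_len` is shorter than the fields its bitmap announces, which is the same class of check a consumer of injected frames needs before trusting the rate byte.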
From: bskmohan at gmail.com (sri)
Date: Tue, 25 Feb 2014 19:29:43 -0000
Subject: [Click] click not routing pkts on the same interface it received
Message-ID:

Hello Click users/developers,

I am working on a project that has the Click Linux module as a router. There is an issue recently that Click is not responding on the same interface on which it received packets. This is seen by observing the RX and TX metrics. The TX count is much lower than the RX count.

Attached is the Click config.

I tried to add "click_chatter" logs in LinearIPLookup's push() method, but that made Click and the device very slow.

---- snip of click_chatter logs ----
// %s needs a C string; s_addr is a 32-bit integer, so format it via IPAddress
click_chatter("FromHost::run_task: Src (%s) and Dst (%s) for Sri\n",
              IPAddress(p->ip_header()->ip_src).unparse().c_str(),
              IPAddress(p->ip_header()->ip_dst).unparse().c_str());
---- snip of click_chatter logs ----

I would request any pointers on what to verify and how to debug further.

Thanks,
Sri
-------------- next part --------------
// ========================== Flag ================================
ha_flag::Flag;
master_flag::Flag;
role_info::RoleInfo;
user_flag::Flag;
discard::Discard;

// ====================== Address Info ============================
AddressInfo (
    extern_addr 192.168.102.1 eth0:eth,
    intern_addr 192.168.103.1 eth1:eth,
    extern_vaddr 192.168.102.3 eth0:eth,
    intern_vaddr 192.168.103.3 eth1:eth
);

// ======================== Device Setup ==========================
toLinux :: ToHost(ALLOW_NONEXISTENT 1);
toLinuxFilter :: ToHostSniffers(fake3);
ethToLinux :: EnsureEther2(0x0800, 00:01:02:03:04:05, 00:01:02:03:04:05) -> toLinux;
intern_dev :: Queue(4000) -> toWireless :: ToDevice(eth1, BURST 8, QUIET 1);
extern_dev :: Queue(2000) -> toWired :: ToDevice(eth0, BURST 8, QUIET 1);
//extern_rip2 ::RIPSend2(extern_vaddr, 192.168.102.255, 192.168.103.0/255.255.255.0, 1)
// -> EtherEncap(0x0800, extern_vaddr:eth, ff:ff:ff:ff:ff:ff)
// -> extern_dev;

// ==================== kernel firewall filter =================
mac_throttle :: MacThrottle();
os_detector :: OsDetector();
kernel_filter :: IPClassifier(
    udp port bootps or bootpc,
    -);
kernel_filter[0] -> toLinuxFilter;
kernel_filter[1] -> ethToLinux;

extern_swiss_rewriter :: IPRewriter(
    pattern - - extern_vaddr 8901 0 1,
    pattern - - extern_vaddr 8902 0 1
);

extern_kernel_filter :: IPClassifier(
    dst port 1723 or 1701 or 1241 or 8910,
    dst tcp port 82 or 880,
    dst udp port 8900 or 8901 or 8902 or 8903,
    dst tcp port 80 or 443,
    dst udp port 8995,
    dst udp port 8996,
    -);
extern_kernel_filter[0] -> discard;
extern_kernel_filter[1] -> discard;
extern_kernel_filter[2] -> discard;
extern_kernel_filter[3] -> [0]mac_throttle[0] -> ethToLinux;
extern_kernel_filter[4] -> [0]extern_swiss_rewriter[0] -> ethToLinux;
extern_kernel_filter[5] -> [1]extern_swiss_rewriter;
extern_kernel_filter[6] -> ethToLinux;

intern_kernel_filter :: IPClassifier(
    dst port 1701,
    dst tcp port 82 or 880,
    dst tcp port 80 or 443,
    udp port bootps or bootpc,
    -);
intern_kernel_filter[0] -> discard;
intern_kernel_filter[1] -> discard;
intern_kernel_filter[2] -> [0]os_detector[0] -> [0]mac_throttle;
//[0]os_detector[0] -> [0]mac_throttle;
intern_kernel_filter[3] -> toLinuxFilter;
intern_kernel_filter[4] -> ethToLinux;

// ======================== ARP querier ===========================
extern_arpq :: ARPQuerier2(extern_addr);
extern_arpq[0] -> extern_dev;
intern_arpq :: ARPQuerier3(intern_addr);
ipToIntern :: StripToNetworkHeader -> [0]intern_arpq;
ipToExtern :: StripToNetworkHeader -> [0]extern_arpq;
arp_switch :: PaintSwitch;
intern_arpq[4] -> Paint(0) -> arp_switch;
intern_arpq[0] -> intern_dev;

// ======================== Http Rewriter =========================
http_rewrite :: IPRewriter(
    pattern - - 192.168.103.3 9090 0 1,  // http
    passthrough 2,                       // passthrough
    pattern - - 192.168.103.3 880 0 1,   // proxy
    pattern - - 192.168.103.3 9443 0 1,  // https
    TCP_TIMEOUT 30,
    TCP_DONE_TIMEOUT 10,
    REAP_TCP 30,
    REAP_TCP_DONE 10
);
http_filter :: IPClassifier(
    (src host 192.168.103.3) and (src tcp port www or https or 82 or 880 or 9090 or 9443),
    -
);

// ========================== IP Routing ===========================
// IP routing table. Outputs:
// 0: packets for this machine.
// 1: packets for extern_addr
// 2: packets for intern_addr
// All other packets are sent to output 1
real_routing_table :: LinearIPLookup(
    192.168.103.1/32 0,
    192.168.102.1/32 0,
    192.168.103.0/255.255.255.0 2,
    192.168.102.0/255.255.255.0 1,
    192.168.103.255/32 0,
    192.168.103.0/32 0,
    192.168.102.255/32 0,
    192.168.102.0/32 0,
    255.255.255.255/32 0.0.0.0 0,
    0.0.0.0/32 0,
    0.0.0.0/0 192.168.102.254 1);
//up_shaper::BWShaper(192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
//dn_shaper::BWShaper(192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
up_shaper::BWShaper(EXEMPTADDRS 192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
dn_shaper::BWShaper(EXEMPTADDRS 192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
real_routing_table[0] -> kernel_filter;
real_routing_table[1] -> [0]up_shaper[0] -> ipToExtern;
real_routing_table[2] -> [1]dn_shaper[1] -> ipToIntern;
Idle -> [0]dn_shaper[0] -> discard;
routing_table:: {input -> output};
routing_table -> nt_login_detector::NtlmLoginDetector() -> real_routing_table;

// ======================== Filters ===========================
intern_filter_group :: IPFilterGroup(3,0,0 all,-);
extern_filter_group :: IPFilterGroup(3,0,1 all,-);
dnshandler :: DnsHandler();
intern_filter :: IPClassifier(
    (dst host 192.168.102.3 or 192.168.103.3) and (dst tcp port www or https),
    dst tcp www or https,
    dst udp port dns,
    (src udp port bootpc) and (dst udp port bootps),
    -
);
www_filter :: IPClassifier(
    dst tcp www or https,
    -
);
https_filter :: IPClassifier(
    dst tcp www,
    dst tcp https,
    -
);
https_filter_proxy :: IPClassifier(
    dst tcp www,
    dst tcp https,
    -
);
proxy_filter :: IPPortLookup();
intern_filter_group[0] -> routing_table;
intern_filter_group[1] -> [1]dnshandler[1] -> proxy_filter;
proxy_filter[0] -> [3]mac_throttle[3] -> [2]http_rewrite;
proxy_filter[1] -> intern_filter;
intern_filter_group[2] -> [2]dnshandler[2] -> www_filter;
dnshandler[4] -> routing_table;
extern_filter_group[0] -> [0]dnshandler[0] -> routing_table;
extern_filter_group[1] -> [3]dnshandler[3] -> discard;
extern_filter_group[2] -> [3]dnshandler;
intern_filter[0] -> ethToLinux;
intern_filter[1] -> [1]mac_throttle[1] -> https_filter_proxy[0] -> [0]http_rewrite;
https_filter_proxy[1] -> [3]http_rewrite;
https_filter_proxy[2] -> [0]http_rewrite;
http_rewrite[0] -> ethToLinux;
intern_filter[2] -> routing_table;
intern_filter[3] -> discard; //routing_table;
ip_notifier::IPNotifier(65);
intern_filter[4] -> [0]ip_notifier[0] -> discard;
www_filter[0] -> [2]mac_throttle[2] -> https_filter[0] -> [0]http_rewrite;
https_filter[1] -> [3]http_rewrite;
https_filter[2] -> discard;
www_filter[1] -> discard;

// ======================= Validation Table =========================
intern_validation_table :: HashIPLookup3(); //check mac and ip
intern_validation_table[0] -> intern_filter_group;
kernel_validation_table :: HashIPLookup5(); //check ip
kernel_validation_table[0] -> intern_filter_group;
extern_validation_table :: HashIPLookup5();
extern_validation_table[1] -> extern_filter_group;
Idle -> [0]extern_validation_table[0] -> discard;

// ========================= ip subnet filter ================
// 0 - just block
// 1 - just allow
// 2 - login check (default)
// 3 - role check
filter_table :: LinearIPFilter2();
// intern
filter_table[0] -> discard;
filter_table[1] -> routing_table;
filter_table[2] -> [0]intern_validation_table;
filter_table[3] -> intern_filter_group;
// extern
filter_table[4] -> discard;
filter_table[5] -> routing_table;
filter_table[6] -> [1]extern_validation_table;
filter_table[7] -> extern_filter_group;
// kernel
filter_table[8] -> discard;
filter_table[9] -> routing_table;
filter_table[10] -> [0]kernel_validation_table;
filter_table[11] -> intern_filter_group;

// ======================= MAC Filter Table ========================
certified_mac_table :: HashMacTable();
// 0 - just block
// 1 - just allow
// 2 - subnet check (default)
// 3 - role check
// 4 - posture assessment
mac_validation_table :: HashMACLookup5();
// intern
mac_validation_table[0] -> discard;
mac_validation_table[1] -> routing_table;
mac_validation_table[2] -> [0]filter_table;
mac_validation_table[3] -> intern_filter_group;
mac_validation_table[4] -> [0]certified_mac_table;
certified_mac_table[0] -> intern_filter_group;
certified_mac_table[1] -> [0]filter_table;
// extern
mac_validation_table[5] -> discard;
mac_validation_table[6] -> routing_table;
mac_validation_table[7] -> [1]filter_table;
mac_validation_table[8] -> extern_filter_group;
mac_validation_table[9] -> extern_filter_group;
// kernel
mac_validation_table[10] -> discard;
mac_validation_table[11] -> routing_table;
mac_validation_table[12] -> [2]filter_table;
mac_validation_table[13] -> intern_filter_group;
mac_validation_table[14] -> intern_filter_group;

// =================== S/WISS packet rewrite ==================
swiss_filter :: IPClassifier(
    dst udp port 8900 or 8901 or 8902 or 8903 or 8995,
    dst udp port 8996,
    dst tcp port 8999,
    -
);
swiss_rewriter :: IPRewriter(
    pattern - - 192.168.103.3 - 0 1,
    passthrough 2
);
swiss_filter[1] -> discard;

// ===================== Kernel IP filter =====================
//0 - non local
//1 - local (ip)
//2 - local (pptp, l2tp)
//3 - bc
intern_local_filter:: HashIPTable2(
    192.168.103.1 1,
    192.168.102.1 1,
    192.168.103.255 3,
    255.255.255.255 3
);
kernel_local_filter:: HashIPTable2(
    192.168.103.1 1,
    192.168.102.1 1
);
intern_local_filter[0] -> [0]mac_validation_table;
intern_local_filter[1] -> intern_kernel_filter;
intern_local_filter[2] -> discard;
intern_local_filter[3] -> intern_kernel_filter;
swiss_filter[0] -> [0]swiss_rewriter;
swiss_filter[2] -> [0]swiss_rewriter;
swiss_filter[3] -> intern_local_filter;
swiss_rewriter[0] -> [0]intern_local_filter;
swiss_rewriter[1] -> routing_table;
swiss_rewriter[2] -> routing_table;
Idle -> [0]kernel_local_filter;
kernel_local_filter[0] -> discard;
Idle -> [2]mac_validation_table;
kernel_local_filter[1] -> [1]swiss_rewriter;
kernel_local_filter[2] -> discard;
kernel_local_filter[3] -> discard;
extern_local_filter:: HashIPTable2(
    192.168.103.1 1,
    192.168.102.1 1,
    192.168.102.255 3,
    255.255.255.255 3
);
extern_local_filter[0] -> [1]mac_validation_table;
extern_local_filter[1] -> extern_kernel_filter;
extern_local_filter[2] -> ethToLinux;
extern_local_filter[3] -> extern_kernel_filter;

// ========================== Classifier =============================
// 0800 IP
// 0806/0001 arp query
// 0806/0002 arp response
// 8100 vlan
extern_classifier :: Classifier(12/0800,
    12/0806 20/0001,
    12/0806 20/0002,
    12/8100 16/0800,
    12/8100 16/0806 24/0001,
    12/8100 16/0806 24/0002,
    12/00%F8 14/AAAA 16/0300 18/000C 20/011D,
    12/8100 16/00%F8 18/AAAA 20/0300 22/000C 24/011D,
    -);
extern_classifier[0] -> [3]extern_arpq[3] -> extern_local_filter;
extern_classifier[1] -> [2]extern_arpq[2] -> earp::ARPResponder3(extern_addr) -> extern_dev;
extern_classifier[2] -> [1]extern_arpq[1] -> ethToLinux;
extern_classifier[3] -> [3]extern_arpq;
extern_classifier[4] -> [2]extern_arpq;
extern_classifier[5] -> [1]extern_arpq;
extern_classifier[6] -> ethToLinux;
extern_classifier[7] -> ethToLinux;
extern_classifier[8] -> discard;

intern_classifier :: Classifier(12/0800,
    12/0806 20/0001,
    12/0806 20/0002,
    12/8100 16/0800,
    12/8100 16/0806 24/0001,
    12/8100 16/0806 24/0002,
    -);
iarp::ARPResponder3(intern_addr);
iarp[0] -> Paint(0) -> arp_switch;
iarp[1] -> arp_switch;
iarp_tee::Tee(2);
iarp_tee[0] -> ethToLinux;
iarp_tee[1] -> arp_switch;
intern_classifier[0] -> [3]intern_arpq[3] -> swiss_filter;
intern_classifier[1] -> iarpq_paint :: Paint(1) -> [2]intern_arpq;
intern_arpq[2] -> iarpq_ps :: PaintSwitch;
iarpq_ps[0] -> iarp;
iarpq_ps[1] -> Paint(2) -> arp_switch;
intern_classifier[2] -> iarpr_paint :: Paint(1) -> [1]intern_arpq[1] -> iarp_tee;
intern_classifier[3] -> [3]intern_arpq;
intern_classifier[4] -> iarpq_paint;
intern_classifier[5] -> iarpr_paint;
intern_classifier[6] -> discard;
arp_switch[0] -> intern_dev;
arp_switch[1] -> discard;
arp_switch[2] -> Paint(1) -> iarp;

extern_swiss_filter :: IPClassifier(
    src udp port 8901,
    src udp port 8902,
    -);
extern_swiss_rewriter[1] -> routing_table;
extern_swiss_filter[0] -> [0]extern_swiss_rewriter;
extern_swiss_filter[1] -> [1]extern_swiss_rewriter;
extern_swiss_filter[2] -> [1]kernel_local_filter;

kernel_classifier :: Classifier(12/0800,
    12/0806 20/0001,
    -);
kernel_classifier[0] -> CheckIPHeader2(,14) -> http_filter;
http_filter[0] -> [1]http_rewrite;
http_rewrite[1] -> routing_table;
http_rewrite[2] -> routing_table;
http_filter[1] -> extern_swiss_filter;
kernel_classifier[1] -> FakeARPResponder(00:01:02:03:04:05) -> toLinux;
kernel_classifier[2] -> discard;

fromWired :: FromDevice(eth0, BURST 8, QUIET 1) -> extern_classifier;
fromWireless :: FromDevice(eth1, BURST 8, QUIET 1) -> intern_classifier;
FromHost(fake0, 192.168.102.1/0.0.0.0) -> kernel_classifier;
FromHost(fake2, 192.168.103.3/0.0.0.0) -> discard;
FromHost(fake3, 192.168.103.3/0.0.0.0) -> intern_dev;
FromHost(fake4, 192.168.102.3/0.0.0.0) -> discard;
FromHost(fake1, 192.168.103.1/255.255.255.0) -> kernel_classifier;

From bskmohan at gmail.com Thu Feb 27 00:44:27 2014
From: bskmohan at gmail.com (sri)
Date: Thu, 27 Feb 2014 05:44:27 -0000
Subject: [Click] Fwd: click not routing pkts on the same interface it received
In-Reply-To:
References:
Message-ID:

Hi,

Can somebody refer me to some pointers that help me with debugging?

Thanks,
Sri

---------- Forwarded message ----------
From: sri
Date: Wed, Feb 26, 2014 at 12:59 AM
Subject: click not routing pkts on the same interface it received
To: click at amsterdam.lcs.mit.edu, click at pdos.csail.mit.edu

Hello Click users/developers,

I am working on a project that has the Click Linux module as a router. Recently there has been an issue where Click is not responding on the same interface on which it received packets. This is seen by observing the RX and TX metrics: the TX count is much lower than the RX count.

Attached is the Click config. I tried to add "click_chatter" logs in LinearIPLookup's push() method, but that made Click and the device very slow.

---- snip of click_chatter logs ----
// %s expects a C string; s_addr is a 32-bit integer, so format each address first.
click_chatter("FromHost::run_task: Src (%s) and Dst (%s) for Sri\n",
              IPAddress(p->ip_header()->ip_src).unparse().c_str(),
              IPAddress(p->ip_header()->ip_dst).unparse().c_str());
---- snip of click_chatter logs ----

I would request any pointers on what to verify and how to debug further.

Thanks,
Sri

--
--
Krishna Mohan B
-------------- next part --------------
// ========================== Flag ================================
ha_flag::Flag;
master_flag::Flag;
role_info::RoleInfo;
user_flag::Flag;
discard::Discard;

// ====================== Address Info ============================
AddressInfo (
    extern_addr 192.168.102.1 eth0:eth,
    intern_addr 192.168.103.1 eth1:eth,
    extern_vaddr 192.168.102.3 eth0:eth,
    intern_vaddr 192.168.103.3 eth1:eth
);

// ======================== Device Setup ==========================
toLinux :: ToHost(ALLOW_NONEXISTENT 1);
toLinuxFilter :: ToHostSniffers(fake3);
ethToLinux :: EnsureEther2(0x0800, 00:01:02:03:04:05, 00:01:02:03:04:05) -> toLinux;
intern_dev :: Queue(4000) -> toWireless :: ToDevice(eth1, BURST 8, QUIET 1);
extern_dev :: Queue(2000) -> toWired :: ToDevice(eth0, BURST 8, QUIET 1);

//extern_rip2 ::RIPSend2(extern_vaddr, 192.168.102.255, 192.168.103.0/255.255.255.0, 1)
// -> EtherEncap(0x0800, extern_vaddr:eth, ff:ff:ff:ff:ff:ff)
// -> extern_dev;

// ==================== kernel firewall filter =================
mac_throttle :: MacThrottle();
os_detector :: OsDetector();
kernel_filter :: IPClassifier(
    udp port bootps or bootpc,
    -);
kernel_filter[0] -> toLinuxFilter;
kernel_filter[1] -> ethToLinux;

extern_swiss_rewriter :: IPRewriter(
    pattern - - extern_vaddr 8901 0 1,
    pattern - - extern_vaddr 8902 0 1
);

extern_kernel_filter :: IPClassifier(
    dst port 1723 or 1701 or 1241 or 8910,
    dst tcp port 82 or 880,
    dst udp port 8900 or 8901 or 8902 or 8903,
    dst tcp port 80 or 443,
    dst udp port 8995,
    dst udp port 8996,
    -);
extern_kernel_filter[0] -> discard;
extern_kernel_filter[1] -> discard;
extern_kernel_filter[2] -> discard;
extern_kernel_filter[3] -> [0]mac_throttle[0] -> ethToLinux;
extern_kernel_filter[4] -> [0]extern_swiss_rewriter[0] -> ethToLinux;
extern_kernel_filter[5] -> [1]extern_swiss_rewriter;
extern_kernel_filter[6] -> ethToLinux;

intern_kernel_filter :: IPClassifier(
    dst port 1701,
    dst tcp port 82 or 880,
    dst tcp port 80 or 443,
    udp port bootps or bootpc,
    -);
intern_kernel_filter[0] -> discard;
intern_kernel_filter[1] -> discard;
intern_kernel_filter[2] -> [0]os_detector[0] -> [0]mac_throttle;
//[0]os_detector[0] -> [0]mac_throttle;
intern_kernel_filter[3] -> toLinuxFilter;
intern_kernel_filter[4] -> ethToLinux;

// ======================== ARP querier ===========================
extern_arpq :: ARPQuerier2(extern_addr);
extern_arpq[0] -> extern_dev;
intern_arpq :: ARPQuerier3(intern_addr);
ipToIntern :: StripToNetworkHeader -> [0]intern_arpq;
ipToExtern :: StripToNetworkHeader -> [0]extern_arpq;
arp_switch :: PaintSwitch;
intern_arpq[4] -> Paint(0) -> arp_switch;
intern_arpq[0] -> intern_dev;

// ======================== Http Rewriter =========================
http_rewrite :: IPRewriter(
    pattern - - 192.168.103.3 9090 0 1, // http
    passthrough 2, // passthrough
    pattern - - 192.168.103.3 880 0 1, // proxy
    pattern - - 192.168.103.3 9443 0 1, // https
    TCP_TIMEOUT 30,
    TCP_DONE_TIMEOUT 10,
    REAP_TCP 30,
    REAP_TCP_DONE 10
);
http_filter :: IPClassifier(
    (src host 192.168.103.3) and (src tcp port www or https or 82 or 880 or 9090 or 9443),
    -
);

// ========================== IP Routing ===========================
// IP routing table. Outputs:
// 0: packets for this machine.
// 1: packets for extern_addr
// 2: packets for intern_addr
// All other packets are sent to output 1
real_routing_table :: LinearIPLookup(
    192.168.103.1/32 0,
    192.168.102.1/32 0,
    192.168.103.0/255.255.255.0 2,
    192.168.102.0/255.255.255.0 1,
    192.168.103.255/32 0,
    192.168.103.0/32 0,
    192.168.102.255/32 0,
    192.168.102.0/32 0,
    255.255.255.255/32 0.0.0.0 0,
    0.0.0.0/32 0,
    0.0.0.0/0 192.168.102.254 1);

//up_shaper::BWShaper(192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
//dn_shaper::BWShaper(192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
up_shaper::BWShaper(EXEMPTADDRS 192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
dn_shaper::BWShaper(EXEMPTADDRS 192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
real_routing_table[0] -> kernel_filter;
real_routing_table[1] -> [0]up_shaper[0] -> ipToExtern;
real_routing_table[2] -> [1]dn_shaper[1] -> ipToIntern;
Idle -> [0]dn_shaper[0] -> discard;
routing_table:: {input -> output};
routing_table -> nt_login_detector::NtlmLoginDetector() -> real_routing_table;

// ======================== Filters ===========================
intern_filter_group :: IPFilterGroup(3,0,0 all,-);
extern_filter_group :: IPFilterGroup(3,0,1 all,-);
dnshandler :: DnsHandler();
intern_filter :: IPClassifier(
    (dst host 192.168.102.3 or 192.168.103.3) and (dst tcp port www or https),
    dst tcp www or https,
    dst udp port dns,
    (src udp port bootpc) and (dst udp port bootps),
    -
);
www_filter :: IPClassifier(
    dst tcp www or https,
    -
);
https_filter :: IPClassifier(
    dst tcp www,
    dst tcp https,
    -
);
https_filter_proxy :: IPClassifier(
    dst tcp www,
    dst tcp https,
    -
);
proxy_filter :: IPPortLookup();
intern_filter_group[0] -> routing_table;
intern_filter_group[1] -> [1]dnshandler[1] -> proxy_filter;
proxy_filter[0] -> [3]mac_throttle[3] -> [2]http_rewrite;
proxy_filter[1] -> intern_filter;
intern_filter_group[2] -> [2]dnshandler[2] -> www_filter;
dnshandler[4] -> routing_table;
extern_filter_group[0] -> [0]dnshandler[0] -> routing_table;
extern_filter_group[1] -> [3]dnshandler[3] -> discard;
extern_filter_group[2] -> [3]dnshandler;

intern_filter[0] -> ethToLinux;
intern_filter[1] -> [1]mac_throttle[1] -> https_filter_proxy[0] -> [0]http_rewrite;
https_filter_proxy[1] -> [3]http_rewrite;
https_filter_proxy[2] -> [0]http_rewrite;
http_rewrite[0] -> ethToLinux;
intern_filter[2] -> routing_table;
intern_filter[3] -> discard; //routing_table;
ip_notifier::IPNotifier(65);
intern_filter[4] -> [0]ip_notifier[0] -> discard;
www_filter[0] -> [2]mac_throttle[2] -> https_filter[0] -> [0]http_rewrite;
https_filter[1] -> [3]http_rewrite;
https_filter[2] -> discard;
www_filter[1] -> discard;

// ======================= Validation Table =========================
intern_validation_table :: HashIPLookup3(); //check mac and ip
intern_validation_table[0] -> intern_filter_group;
kernel_validation_table :: HashIPLookup5(); //check ip
kernel_validation_table[0] -> intern_filter_group;
extern_validation_table :: HashIPLookup5();
extern_validation_table[1] -> extern_filter_group;
Idle -> [0]extern_validation_table[0] -> discard;

// ========================= ip subnet filter ================
// 0 - just block
// 1 - just allow
// 2 - login check (default)
// 3 - role check
filter_table :: LinearIPFilter2();
// intern
filter_table[0] -> discard;
filter_table[1] -> routing_table;
filter_table[2] -> [0]intern_validation_table;
filter_table[3] -> intern_filter_group;
// extern
filter_table[4] -> discard;
filter_table[5] -> routing_table;
filter_table[6] -> [1]extern_validation_table;
filter_table[7] -> extern_filter_group;
// kernel
filter_table[8] -> discard;
filter_table[9] -> routing_table;
filter_table[10] -> [0]kernel_validation_table;
filter_table[11] -> intern_filter_group;

// ======================= MAC Filter Table ========================
certified_mac_table :: HashMacTable();
// 0 - just block
// 1 - just allow
// 2 - subnet check (default)
// 3 - role check
// 4 - posture assessment
mac_validation_table :: HashMACLookup5();
// intern
mac_validation_table[0] -> discard;
mac_validation_table[1] -> routing_table;
mac_validation_table[2] -> [0]filter_table;
mac_validation_table[3] -> intern_filter_group;
mac_validation_table[4] -> [0]certified_mac_table;
certified_mac_table[0] -> intern_filter_group;
certified_mac_table[1] -> [0]filter_table;
// extern
mac_validation_table[5] -> discard;
mac_validation_table[6] -> routing_table;
mac_validation_table[7] -> [1]filter_table;
mac_validation_table[8] -> extern_filter_group;
mac_validation_table[9] -> extern_filter_group;
// kernel
mac_validation_table[10] -> discard;
mac_validation_table[11] -> routing_table;
mac_validation_table[12] -> [2]filter_table;
mac_validation_table[13] -> intern_filter_group;
mac_validation_table[14] -> intern_filter_group;

// =================== S/WISS packet rewrite ==================
swiss_filter :: IPClassifier(
    dst udp port 8900 or 8901 or 8902 or 8903 or 8995,
    dst udp port 8996,
    dst tcp port 8999,
    -
);
swiss_rewriter :: IPRewriter(
    pattern - - 192.168.103.3 - 0 1,
    passthrough 2
);
swiss_filter[1] -> discard;

// ===================== Kernel IP filter =====================
//0 - non local
//1 - local (ip)
//2 - local (pptp, l2tp)
//3 - bc
intern_local_filter:: HashIPTable2(
    192.168.103.1 1,
    192.168.102.1 1,
    192.168.103.255 3,
    255.255.255.255 3
);
kernel_local_filter:: HashIPTable2(
    192.168.103.1 1,
    192.168.102.1 1
);
intern_local_filter[0] -> [0]mac_validation_table;
intern_local_filter[1] -> intern_kernel_filter;
intern_local_filter[2] -> discard;
intern_local_filter[3] -> intern_kernel_filter;
swiss_filter[0] -> [0]swiss_rewriter;
swiss_filter[2] -> [0]swiss_rewriter;
swiss_filter[3] -> intern_local_filter;
swiss_rewriter[0] -> [0]intern_local_filter;
swiss_rewriter[1] -> routing_table;
swiss_rewriter[2] -> routing_table;
Idle -> [0]kernel_local_filter;
kernel_local_filter[0] -> discard;
Idle -> [2]mac_validation_table;
kernel_local_filter[1] -> [1]swiss_rewriter;
kernel_local_filter[2] -> discard;
kernel_local_filter[3] -> discard;
extern_local_filter:: HashIPTable2(
    192.168.103.1 1,
    192.168.102.1 1,
    192.168.102.255 3,
    255.255.255.255 3
);
extern_local_filter[0] -> [1]mac_validation_table;
extern_local_filter[1] -> extern_kernel_filter;
extern_local_filter[2] -> ethToLinux;
extern_local_filter[3] -> extern_kernel_filter;

// ========================== Classifier =============================
// 0800 IP
// 0806/0001 arp query
// 0806/0002 arp response
// 8100 vlan
extern_classifier :: Classifier(12/0800,
    12/0806 20/0001,
    12/0806 20/0002,
    12/8100 16/0800,
    12/8100 16/0806 24/0001,
    12/8100 16/0806 24/0002,
    12/00%F8 14/AAAA 16/0300 18/000C 20/011D,
    12/8100 16/00%F8 18/AAAA 20/0300 22/000C 24/011D,
    -);
extern_classifier[0] -> [3]extern_arpq[3] -> extern_local_filter;
extern_classifier[1] -> [2]extern_arpq[2] -> earp::ARPResponder3(extern_addr) -> extern_dev;
extern_classifier[2] -> [1]extern_arpq[1] -> ethToLinux;
extern_classifier[3] -> [3]extern_arpq;
extern_classifier[4] -> [2]extern_arpq;
extern_classifier[5] -> [1]extern_arpq;
extern_classifier[6] -> ethToLinux;
extern_classifier[7] -> ethToLinux;
extern_classifier[8] -> discard;

intern_classifier :: Classifier(12/0800,
    12/0806 20/0001,
    12/0806 20/0002,
    12/8100 16/0800,
    12/8100 16/0806 24/0001,
    12/8100 16/0806 24/0002,
    -);
iarp::ARPResponder3(intern_addr);
iarp[0] -> Paint(0) -> arp_switch;
iarp[1] -> arp_switch;
iarp_tee::Tee(2);
iarp_tee[0] -> ethToLinux;
iarp_tee[1] -> arp_switch;
intern_classifier[0] -> [3]intern_arpq[3] -> swiss_filter;
intern_classifier[1] -> iarpq_paint :: Paint(1) -> [2]intern_arpq;
intern_arpq[2] -> iarpq_ps :: PaintSwitch;
iarpq_ps[0] -> iarp;
iarpq_ps[1] -> Paint(2) -> arp_switch;
intern_classifier[2] -> iarpr_paint :: Paint(1) -> [1]intern_arpq[1] -> iarp_tee;
intern_classifier[3] -> [3]intern_arpq;
intern_classifier[4] -> iarpq_paint;
intern_classifier[5] -> iarpr_paint;
intern_classifier[6] -> discard;
arp_switch[0] -> intern_dev;
arp_switch[1] -> discard;
arp_switch[2] -> Paint(1) -> iarp;

extern_swiss_filter :: IPClassifier(
    src udp port 8901,
    src udp port 8902,
    -);
extern_swiss_rewriter[1] -> routing_table;
extern_swiss_filter[0] -> [0]extern_swiss_rewriter;
extern_swiss_filter[1] -> [1]extern_swiss_rewriter;
extern_swiss_filter[2] -> [1]kernel_local_filter;

kernel_classifier :: Classifier(12/0800, 12/0806 20/0001, -);
kernel_classifier[0] -> CheckIPHeader2(,14) -> http_filter;
http_filter[0] -> [1]http_rewrite;
http_rewrite[1] -> routing_table;
http_rewrite[2] -> routing_table;
http_filter[1] -> extern_swiss_filter;
kernel_classifier[1] -> FakeARPResponder(00:01:02:03:04:05) -> toLinux;
kernel_classifier[2] -> discard;

fromWired :: FromDevice(eth0, BURST 8, QUIET 1) -> extern_classifier;
fromWireless :: FromDevice(eth1, BURST 8, QUIET 1) -> intern_classifier;
FromHost(fake0, 192.168.102.1/0.0.0.0) -> kernel_classifier;
FromHost(fake2, 192.168.103.3/0.0.0.0) -> discard;
FromHost(fake3, 192.168.103.3/0.0.0.0) -> intern_dev;
FromHost(fake4, 192.168.102.3/0.0.0.0) -> discard;
FromHost(fake1, 192.168.103.1/255.255.255.0) -> kernel_classifier;