@hashbrowncipher
Last active December 18, 2015 16:07
#!/bin/bash
set -e
# INFACE is the ingress interface to gate. Abort with a clear message if unset
# (the original script left it undefined).
: "${INFACE:?set INFACE to the ingress interface}"

# Set up an ingress qdisc. This queuing discipline will have handle 'ffff:',
# and will gate all packets coming in via INFACE.
tc qdisc add dev "$INFACE" ingress handle ffff:

# Set up a u32 filter for TCP filtering. It is associated with qdisc ffff:.
# Its preference (priority) is 5. If someone comes along and adds a filter
# with a lower pref value, that filter is evaluated first.
# Here we are only defining a hash table with handle 801 and a single bucket.
# Note: comment lines must not sit between backslash-continued lines, or the
# continuation is broken and the remainder runs as a separate command.
tc filter add dev "$INFACE" protocol ip parent ffff: pref 5 u32 \
    ht 801: divisor 1

# Next, we continue along the same lines as the previous filter. We are now
# specifying what to do with packets that fall into hash table 801:
# select only packets where the byte at nexthdr+13 satisfies
# (byte & 0xff) == 0x02, i.e. a TCP flags byte with only SYN present.
# Finally, take action by mirroring the packets to ifb_plug. 'redirect' (as
# opposed to 'mirror') means the packet is actually removed from the original
# interface's queue.
tc filter add dev "$INFACE" protocol ip parent ffff: pref 5 u32 ht 801: \
    match u8 0x02 0xff at nexthdr+13 \
    action mirred egress redirect dev ifb_plug

# Throw all TCP packets at hash table 801 (by linking to it).
# We have to compute the IP header length so that nexthdr points at the TCP
# header: read the 16-bit word at offset 0, mask 0x0f00 to keep the IHL nibble
# (giving IHL*256), shift right by 6 (giving IHL*4, the header length in
# bytes) and add zero. 'eat' advances the offset past the IP header so that
# matches in hash table 801 are relative to the TCP header.
# Only take packets whose IP protocol byte is 0x06 (TCP).
tc filter add dev "$INFACE" protocol ip parent ffff: pref 5 u32 link 801: \
    offset at 0 mask 0x0f00 shift 6 plus 0 eat \
    match ip protocol 0x06 0xff
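Added example, not part of the gist: a pure-Python model of what the three u32 filters above select, so the offset/mask/shift arithmetic and the nexthdr+13 flags match can be checked against constructed packets offline (no tc needed). Packet builder, addresses and port numbers are constructed here for illustration; checksums are left zero.

```python
import struct

def u32_nexthdr_offset(pkt: bytes) -> int:
    """Model 'offset at 0 mask 0x0f00 shift 6 plus 0': read the 16-bit word at
    offset 0, keep the IHL nibble (IHL*256), shift right 6 -> IHL*4 bytes."""
    word = struct.unpack("!H", pkt[0:2])[0]
    return ((word & 0x0F00) >> 6) + 0

def is_tcp(pkt: bytes) -> bool:
    """Model 'match ip protocol 0x06 0xff': protocol byte is at IP offset 9."""
    return (pkt[9] & 0xFF) == 0x06

def is_pure_syn(pkt: bytes, nexthdr: int) -> bool:
    """Model 'match u8 0x02 0xff at nexthdr+13': TCP flags byte equals SYN only."""
    return (pkt[nexthdr + 13] & 0xFF) == 0x02

def would_redirect(pkt: bytes) -> bool:
    """Filter 3 links TCP packets into ht 801 after eating the IP header;
    filter 2 then redirects those whose TCP flags are exactly SYN."""
    if not is_tcp(pkt):
        return False
    return is_pure_syn(pkt, u32_nexthdr_offset(pkt))

def build_ipv4_tcp(flags: int, proto: int = 6, options: bytes = b"") -> bytes:
    """Constructed minimal IPv4 + TCP packet (assumed sample; not for sending)."""
    assert len(options) % 4 == 0 and len(options) <= 40
    ihl = 5 + len(options) // 4            # header length in 32-bit words
    total = ihl * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    samples = [
        ("syn", build_ipv4_tcp(0x02)),
        ("syn+ipopts", build_ipv4_tcp(0x02, options=b"\x01" * 8)),  # IHL = 7
        ("synack", build_ipv4_tcp(0x12)),
        ("udp", build_ipv4_tcp(0x02, proto=17)),
    ]
    for name, p in samples:
        print(f"{name:12s} nexthdr={u32_nexthdr_offset(p):2d} "
              f"redirect={would_redirect(p)}")
```

The second sample shows why the variable-length offset matters: with 8 bytes of IP options the flags byte sits at 28+13, not 20+13.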