[LARTC] filter fw and ingress qdisc

From: Markus Schulz <msc@antzsystem.de>
To: lartc@vger.kernel.org
Subject: [LARTC] filter fw and ingress qdisc
Date: Fri, 10 Feb 2006 13:44:33 +0000	[thread overview]
Message-ID: <200602101444.34012.msc@antzsystem.de> (raw)

Hello, 
i've found this page (lartc currently down)
http://www.lartc.org/howto/lartc.cookbook.synflood-protect.html 
where someone used iptables firewall mark to mark specific packets which 
will be shaped thru ingress qdisc with a fw filter and rate policy 
appended.

I've tried similar this way, but it don't work. Now i'm belief this 
could'nt work cause the traffic is marked with iptables after it has 
passed the ingress qdisc? Correct?

I've tried this two ways:
********************************
<mark the packets to shape in PREROUTING with 7>
$TC qdisc add dev $DEV handle FFFF: ingress
$TC filter add dev $DEV parent ffff: protocol ip prio 50 handle 7 fw \   
   police rate ${DOWNSTREAM}kbit burst 10k mtu $MTU drop flowid :1
********************************
This don't work. shapes nothing.

********************************
$TC qdisc add dev $DEV handle FFFF: ingress
$TC filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip \
   src 0.0.0.0/0 police rate ${DOWNSTREAM}kbit burst 10k drop flowid :1
********************************

This works fine, shapes all traffic down to $DOWNSTREAM limit.

-- 
Markus Schulz

> >Is that verb regular?  Does "ich kann den Mond sprengen" sound less
> >awkward than "ich kann den Mond explodieren" ?
> The first sentence is correct, the second one is just nonsense. But 
> you will need quite a big amount of explosives to do so.
I'm sure America has plenty.  :)
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc