From: Markus Schulz
Date: Fri, 10 Feb 2006 13:44:33 +0000
Subject: [LARTC] filter fw and ingress qdisc
Message-Id: <200602101444.34012.msc@antzsystem.de>
To: lartc@vger.kernel.org

Hello,

I've found this page (lartc currently down)
http://www.lartc.org/howto/lartc.cookbook.synflood-protect.html
where someone used an iptables firewall mark to mark specific packets which
will be shaped through the ingress qdisc with a fw filter and rate policy
appended.

I've tried something similar, but it doesn't work. Now I believe this
couldn't work because the traffic is marked with iptables after it has
passed the ingress qdisc? Correct?

I've tried this two ways:

********************************
$TC qdisc add dev $DEV handle FFFF: ingress
$TC filter add dev $DEV parent ffff: protocol ip prio 50 handle 7 fw \
     police rate ${DOWNSTREAM}kbit burst 10k mtu $MTU drop flowid :1
********************************
This doesn't work. It shapes nothing.

********************************
$TC qdisc add dev $DEV handle FFFF: ingress
$TC filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip \
   src 0.0.0.0/0 police rate ${DOWNSTREAM}kbit burst 10k drop flowid :1
********************************
This works fine; it shapes all traffic down to the $DOWNSTREAM limit.

-- 
Markus Schulz

> >Is that verb regular?  Does "ich kann den Mond sprengen" sound less
> >awkward than "ich kann den Mond explodieren" ?
> The first sentence is correct, the second one is just nonsense. But
> you will need quite a big amount of explosives to do so.
I'm sure America has plenty.  :)