From: Ray Van Dolson <rayvd@digitalpath.net>
To: netfilter@lists.netfilter.org
Subject: Re: Kernel options required for ingress policer?
Date: Thu, 27 Jul 2006 09:36:53 -0700
Message-ID: <20060727163653.GA10822@digitalpath.net>
In-Reply-To: <20060726140302.GA15727@digitalpath.net>

On Wed, Jul 26, 2006 at 07:03:02AM -0700, Ray Van Dolson wrote:
> Haven't gotten a response for this on the LARTC list... hoping someone here
> may have an answer for me.
>
> I'm trying to use the ingress policer on a custom kernel as follows, but
> having some problems:
>
> # tc qdisc add dev eth1 handle ffff: ingress
> # tc filter add dev eth1 parent ffff: protocol ip prio 50 u32 match ip src \
> 0.0.0.0/0 police rate 384kbit burst 10k drop flowid :1
> RTNETLINK answers: Invalid argument
>
> This is on a Fedora Core 2 based system, with a custom built 2.6.17.7
> kernel.
>
> The above commands work perfectly on a CentOS 4.x based system with a custom
> built 2.6.16 kernel. The hardware in both machines is identical and I used
> the 2.6.16 config from the CentOS machine to build the 2.6.17.7 kernel (did
> a make oldconfig). So the netfilter modules, etc. should be identical.
>
> The network driver on both is the bcm5700 from HP.
>
> tc with any egress filtering options works perfectly on the 2.6.17.7 box.
>
> I can also run the ingress policer commands on identical hardware with
> Fedora Core 1 (using stock kernel). So I don't believe this is a result of
> the version of the iproute package.
>
> Does anyone know the exact requirements of the ingress policer as far as the
> kernel is concerned? Below is my kernel config:

Well, figured out the problem. The issue was not the kernel, but that the
tools were built against RedHat/Fedora's glibc-kernheaders. Apparently they
must reference a symbol of some sort that doesn't exist in the stock kernel
(at least in Fedora Core 2).

I modified the iproute RPM .spec file to build against my 2.6.17 kernel
headers instead of glibc-kernheaders and everything is working fine.

Grr!

As an aside, would have loved to stick with the stock kernels (wouldn't have
encountered this issue in that case), but wanted to make use of built-in
MPPE support in the later kernel releases. Obviously this will never be
backported into FC2's now-maintained-by-fedora-legacy kernel. :)