From: Andy Furniss <andy.furniss@dsl.pipex.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Trying to do some very simple ingress limiting, no success
Date: Sun, 09 Apr 2006 13:00:29 +0000
Message-ID: <4439056D.7030008@dsl.pipex.com>
In-Reply-To: <1144579998.5694.18.camel@localhost.localdomain>

Erik Slagter wrote:
> Hi,
>
> I am trying to do some simple ingress limiting based on fwmark. I know
> the ability and sense to do INGRESS limiting is ehm... limited ;-) but
> still I want to try it.
>
> I tried several things.
>
> == 1 =>
> tcq ingress handle ffff:
> tcf parent ffff: protocol ip prio 1 handle 1 fw police rate 12mbit burst 10k drop
> tcf parent ffff: protocol ip prio 1 handle 2 fw police rate 10mbit burst 10k drop
> tcf parent ffff: protocol ip prio 1 handle 3 fw police rate 1mbit burst 10k drop
>
> This installs OK, but the filters are never called. The netfilter stats
> show the marks are set though. To make sure it's not just the tc stats
> output that's borked, I changed the bw limits to a ridiculously low value,
> and indeed, no effect at all.
>
There are two policers now; the old one will work as you want, but you
need to change your kernel config. Unselect packet action and you should
be able to choose a different policer.

Or you could try using tc filters instead of netfilter - I don't know if
it will be possible for what you want, as I can't see the rules that mark.

> == 2 =>
> tcq ingress handle ffff:
> tcq parent ffff: handle 10 htb
> tcc parent ffff: htb rate 12mbit
> tcc parent ffff: htb rate 10mbit
> tcc parent ffff: htb rate 1mbit
> tcf parent ffff: protocol ip prio 1 fw
>
> I tricked tc into attaching a htb to the root qdisc. This gives no errors
> but also doesn't seem to do anything. If you use tc show qdisc|filter|class
> the qdisc,filters and classes are not even shown, so I guess it's borked
> (tc should have given an error that it won't work).
>
> ====
This has never worked. If you want a queue on ingress you need to use IMQ
(in the case that you need netfilter PREROUTING marks) or IFB (kernel >=
2.6.16), but this will hook before netfilter - so no marks.

Andy.
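
The IFB route mentioned in the reply above, sketched as an added example that is not part of the original thread: ingress traffic is redirected to an IFB device, queued there with HTB, and classified with u32 tc filters because fwmarks are not yet set at that hook. The device names, the 192.0.2.0/24 source network, the class ids and the `DRY_RUN` switch are assumptions; the rates reuse the figures from the quoted question.

```shell
#!/bin/sh
# Added example: ingress queueing through IFB (kernel >= 2.6.16).
# DEV, IFB, the source subnet and the class ids are constructed values.
DEV=${DEV:-eth0}
IFB=${IFB:-ifb0}
DRY_RUN=${DRY_RUN:-1}    # 1 = only print the commands, 0 = apply (needs root)

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

ifb_ingress_setup() {
    run modprobe ifb numifbs=1
    run ip link set dev "$IFB" up

    # Ingress qdisc on the real device; redirect every IP packet to the IFB.
    run tc qdisc add dev "$DEV" handle ffff: ingress
    run tc filter add dev "$DEV" parent ffff: protocol ip prio 1 u32 \
        match u32 0 0 flowid 1:1 action mirred egress redirect dev "$IFB"

    # A real queue (HTB) on the IFB, which sees the redirected traffic as egress.
    run tc qdisc add dev "$IFB" root handle 1: htb default 30
    run tc class add dev "$IFB" parent 1: classid 1:1 htb rate 12mbit
    run tc class add dev "$IFB" parent 1:1 classid 1:10 htb rate 10mbit ceil 12mbit
    run tc class add dev "$IFB" parent 1:1 classid 1:30 htb rate 1mbit ceil 12mbit

    # The redirect happens before netfilter, so classify on packet fields
    # (here: source network) instead of on fwmark.
    run tc filter add dev "$IFB" parent 1: protocol ip prio 1 u32 \
        match ip src 192.0.2.0/24 flowid 1:10
}

ifb_ingress_setup
```

With the default `DRY_RUN=1` the script only prints the commands for review; run it as root with `DRY_RUN=0` to apply them.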