All of lore.kernel.org
 help / color / mirror / Atom feed
* [LARTC] Policing based on port numbers
@ 2007-04-11 15:48 Shuveb Hussain
  2007-04-11 19:28 ` Andy Furniss
  0 siblings, 1 reply; 2+ messages in thread
From: Shuveb Hussain @ 2007-04-11 15:48 UTC (permalink / raw)
  To: lartc

Hi,

I'm trying to police ingress traffic based on port numbers and IP
addresses. The u32 match based on IP addresses seems to work without
issues and I'm am able to police incoming packets. However, the same
isn't working with u32 matches based on TCP port numbers. For port
numbers, I added exactly one 'u32 match' rule:

common for both:
# tc qdisc add dev eth0 handle ffff: ingress

And then:

# tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate 128kbit burst 10k drop flowid :1

The rule above works, but the same with a port match does not:

# tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match
tcp dport 0xXYZ 0xFFFF police rate 128kbit burst 10k drop flowid :1

Is there anything I am missing?

TIA,
-- 
Shuveb Hussain.
When you lose, be patient. When you achieve, be even more patient.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [LARTC] Policing based on port numbers
  2007-04-11 15:48 [LARTC] Policing based on port numbers Shuveb Hussain
@ 2007-04-11 19:28 ` Andy Furniss
  0 siblings, 0 replies; 2+ messages in thread
From: Andy Furniss @ 2007-04-11 19:28 UTC (permalink / raw)
  To: lartc

Shuveb Hussain wrote:
> Hi,
> 
> I'm trying to police ingress traffic based on port numbers and IP
> addresses. The u32 match based on IP addresses seems to work without
> issues and I'm am able to police incoming packets. However, the same
> isn't working with u32 matches based on TCP port numbers. For port
> numbers, I added exactly one 'u32 match' rule:
> 
> common for both:
> # tc qdisc add dev eth0 handle ffff: ingress
> 
> And then:
> 
> # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip 
> src \
>   0.0.0.0/0 police rate 128kbit burst 10k drop flowid :1
> 
> The rule above works, but the same with a port match does not:
> 
> # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match
> tcp dport 0xXYZ 0xFFFF police rate 128kbit burst 10k drop flowid :1
> 
> Is there anything I am missing?

I've never managed to find a way to use the word tcp in a filter without 
getting an illegal match - I know it's in the help.

If you want to match tcp use the ip protocol match

tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match
ip dport 0xXYZ 0xFFFF match ip protocol 0x06 0xff police .....

Andy.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2007-04-11 19:28 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-04-11 15:48 [LARTC] Policing based on port numbers Shuveb Hussain
2007-04-11 19:28 ` Andy Furniss

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.