From: Andy Furniss
Date: Wed, 11 Apr 2007 19:28:29 +0000
Subject: Re: [LARTC] Policing based on port numbers
Message-Id: <461D36DD.2010301@andyfurniss.entadsl.com>
To: lartc@vger.kernel.org

Shuveb Hussain wrote:
> Hi,
>
> I'm trying to police ingress traffic based on port numbers and IP
> addresses. The u32 match based on IP addresses seems to work without
> issues and I am able to police incoming packets. However, the same
> isn't working with u32 matches based on TCP port numbers. For port
> numbers, I added exactly one 'u32 match' rule:
>
> common for both:
> # tc qdisc add dev eth0 handle ffff: ingress
>
> And then:
>
> # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src \
>     0.0.0.0/0 police rate 128kbit burst 10k drop flowid :1
>
> The rule above works, but the same with a port match does not:
>
> # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match \
>     tcp dport 0xXYZ 0xFFFF police rate 128kbit burst 10k drop flowid :1
>
> Is there anything I am missing?

I've never managed to find a way to use the word tcp in a filter without
getting an illegal match - I know it's in the help.

If you want to match tcp use the ip protocol match

tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 \
    match ip dport 0xXYZ 0xFFFF match ip protocol 0x06 0xff police .....

Andy.
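Added example, not part of the original message: a small Python model of how the two u32 keys in the suggested filter are evaluated against raw IPv4 bytes, showing why the protocol key is needed next to the port key and that the fixed-offset port match does not cover packets carrying IP options. Port 80, the addresses and the helper names are constructed for illustration.

```python
import struct

# u32 keys as (offset from start of IP header, width in bytes, value, mask).
# Offsets follow the IPv4 layout: protocol is byte 9; with a 20-byte header
# (no IP options) the layer-4 destination port is bytes 22-23.
KEY_DPORT_80 = (22, 2, 0x0050, 0xFFFF)   # "match ip dport 0x0050 0xffff" (sample port)
KEY_PROTO_TCP = (9, 1, 0x06, 0xFF)       # "match ip protocol 0x06 0xff"

def ipv4_packet(proto, sport, dport, options=b""):
    """Build a minimal IPv4 header (+ optional options) followed by ports."""
    ihl = 5 + len(options) // 4
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(l4),
                         0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + l4

def u32_match(packet, keys):
    """Return True when every key matches; a u32 filter ANDs its matches."""
    for offset, width, value, mask in keys:
        field = int.from_bytes(packet[offset:offset + width], "big")
        if (field & mask) != (value & mask):
            return False
    return True

# Constructed sample packets.
TCP_80 = ipv4_packet(6, 40000, 80)
UDP_80 = ipv4_packet(17, 40000, 80)
TCP_80_OPTS = ipv4_packet(6, 40000, 80, options=b"\x01\x01\x01\x01")  # four NOPs

if __name__ == "__main__":
    samples = [("tcp/80", TCP_80), ("udp/80", UDP_80), ("tcp/80+ipopts", TCP_80_OPTS)]
    for name, pkt in samples:
        print(name,
              "dport only:", u32_match(pkt, [KEY_DPORT_80]),
              "dport+proto:", u32_match(pkt, [KEY_DPORT_80, KEY_PROTO_TCP]))
```

The port key alone also matches the UDP packet, and the TCP packet with IP options matches neither form because its port no longer sits at offset 22.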