From: Derek <derek@traffic-power.com>
To: lartc@vger.kernel.org
Subject: [LARTC] More layer7 filtering issues
Date: Tue, 23 Sep 2003 17:47:31 +0000
Message-ID: <marc-lartc-106433960203711@msgid-missing>

Hi all,
So, I've gotten a gist of a script going for my layer7 filters, but for some
reason it's not rejecting the packets. Can someone give me a hand with this?
(I know, the script is probably ugly as sin, but I've hacked it together from
some misc stuff).
source:
-----------------------------------
tc qdisc add dev $1 root handle 1: htb default 30
tc class add dev $1 parent 1: classid 1:1 htb rate 9mbit burst 15k
#set up three classes attached to the root
tc class add dev $1 parent 1:1 classid 1:10 htb rate 20kbit burst 15k
tc class add dev $1 parent 1:1 classid 1:20 htb rate 2mbit burst 15k
tc class add dev $1 parent 1:1 classid 1:30 htb rate 5mbit burst 15k
#make each of them use stochastic fairness queueing
tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $1 parent 1:30 handle 30: sfq perturb 10
tc filter add dev $1 protocol ip parent 1:0 prio 1 handle 1 layer7 protocol msnmessenger classid 1:10
tc filter add dev $1 protocol ip parent 1:0 prio 1 layer7 protocol smtp classid 1:20
tc filter add dev $1 protocol ip parent 1:0 prio 1 layer7 protocol ssh classid 1:30
iptables -A FORWARD -s 10.0.0.0/24 --match mark --mark 1 -j REJECT
Would the iptables rule have any effect whatsoever? I don't think so, but it
would be nice.
Output of tc -s class show dev eth1
-----------------------------------------------------------------
class htb 1:1 root rate 9Mbit ceil 9Mbit burst 15334b cburst 12974b
Sent 25012 bytes 287 pkts (dropped 0, overlimits 0)
rate 2bps
lended: 0 borrowed: 0 giants: 0
tokens: 13 ctokens: 11
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 20Kbit ceil 20Kbit burst 15Kb cburst 1623b
Sent 8625 bytes 116 pkts (dropped 0, overlimits 0)
rate 1bps
lended: 116 borrowed: 0 giants: 0
tokens: 5975 ctokens: 609
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 2Mbit ceil 2Mbit burst 15204b cburst 4194b
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 58 ctokens: 16
class htb 1:30 parent 1:1 leaf 30: prio 0 rate 5Mbit ceil 5Mbit burst 15072b cburst 7863b
Sent 16387 bytes 171 pkts (dropped 0, overlimits 0)
rate 1bps
lended: 171 borrowed: 0 giants: 0
tokens: 23 ctokens: 12
----
So, 1:10 is getting data passed through it, but I can't figure out a way to
attach a policing filter that just drops them all into oblivion.
Any help is muy appreciated.
Derek
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/