Stef Coene wrote:
> On Monday 15 April 2002 23:15, Omar Armas wrote:
>
>> I want to limit ftp bandwidth to 128Kb. In a RH 7.2 box I have:
>>
>> eth0: 200.39.186.1
>> eth1: 192.168.1.1
>>
>> I use these rules:
>>
>> tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000
>> tc class add dev eth0 parent 10:0 classid 10:1282 cbq bandwidth 10Mbit \
>>     rate 128Kbit allot 1514 weight 12Kbit prio 5 maxburst 20 avpkt 1000 \
>>     bounded
>> tc qdisc add dev eth0 parent 10:1282 sfq quantum 1514b perturb 15
>> tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip \
>>     dport 21 0xffff flowid 10:1282
>>
>> But users accessing ftp from 192.168.1.0/24 are allowed more than 128K,
>> any idea about how to solve it?
>
> Yes. You match destination 21, but this is only the command path. The data
> path uses another variable destination port (passive ftp uses port 20,
> active ftp uses a variable port). So you can't match the data path.
>
> There is a solution. There is an iptables match-patch so you can mark all
> packets that belong to an ftp-data stream. That mark can be used to put the
> data in the class you want. I don't have more info, but maybe someone else
> on the list can help you.

Just put all ftpusers in a special group and use the owner match, maybe in
combination with -d ! 192.168.1.0/24 ..

Bye,
Patrick
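The mark-based approach Stef describes, worked through as an added example that is not from anyone in the thread: the conntrack FTP helper tracks the data connections whose ports a u32 port match cannot predict, a firewall mark tags both channels, and a tc `fw` filter steers marked packets into Omar's existing 10:1282 class. The interface eth0 and class 10:1282 are taken from the thread; the LAN prefix 192.168.1.0/24, the mark value 0x15 and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). DRY_RUN=1 (the default) prints the
# commands instead of executing them, so the script can be reviewed first.
DEV=eth0
LAN=192.168.1.0/24
MARK=0x15          # arbitrary, assumed; any unused fwmark works
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

ftp_shape_rules() {
    # The helper parses PORT/PASV on the port-21 control connection and
    # registers the expected data connection, whatever port it ends up on.
    run modprobe nf_conntrack_ftp
    # Control channel: the only part a plain 'dport 21' filter ever sees.
    run iptables -t mangle -A PREROUTING -s "$LAN" -p tcp --dport 21 \
        -j MARK --set-mark "$MARK"
    # Data channel: every packet of a connection the ftp helper expected,
    # active (server port 20) or passive (negotiated high port) alike.
    run iptables -t mangle -A PREROUTING -m helper --helper ftp \
        -j MARK --set-mark "$MARK"
    # Classify on the mark instead of on ports; this replaces the
    # 'u32 match ip dport 21' filter from the original setup.
    run tc filter add dev "$DEV" parent 10:0 protocol ip prio 100 \
        handle "$MARK" fw flowid 10:1282
}

# Sanity check for the generated rule set: the two marking rules and the
# fw filter must all carry the same mark, or the data stream escapes the
# class exactly as it did with the port-only filter.
count_marked_rules() {
    ftp_shape_rules | grep -c -- "$MARK"
}

ftp_shape_rules
```

The mark is set on packets of both tracked connections regardless of direction, so the same `fw` filter can be attached to whichever interface's cbq tree should enforce the limit. The owner match Patrick mentions only sees locally generated packets (it is valid in the OUTPUT chain), so it cannot classify traffic forwarded from the LAN clients.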