On Mon, 2003-02-10 at 11:27, Corey Rogers wrote:
> I've been trying to match multiple public IPs in an ingress qdisc. The
> idea is to allow these specific IPs and aggregate value of 256 kbits
> incoming to the interface.
>
> Can anyone tell me how this can be effectively done if at all possible
> with tc?
>

Use iptables rules to fwmark the inbound packets, then create tc rules to
match packets with that fwmark.

To mark packets:

    iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -s 1.2.3.4/32 -d 0.0.0.0/0 --dport 25 -j MARK --set-mark 3

You can set the iptables match stuff to whatever you want. I for example
match inbound SYN packets going to port 25 of my mail server with

    iptables -t mangle -A PREROUTING -d mail.acme.com -i eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x2

Create the tc filter to match the fwmark and police it:

    /sbin/tc filter add dev eth0 protocol ip parent ffff: pref 10 handle 2 fw police rate 8kbit burst 1kbit drop

This should drop every SYN going to my mail server > 8kbps

8kbps = about 25 SYN/second

-Matt

> Thanks in advance

-- 
Matthew S. Crocker
Crocker Communications, Inc. / Vice President
PO BOX 710
Greenfield, MA 01302-0710
Voice: 413-746-2760
Fax: 413-746-3704
Web: http://www.crocker.com
E-mail: matthew@crocker.com
GPG Public Key: www.keyserver.net
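
Added example, not part of the original message: the reply's mark-then-police approach applied to the question's case of several source IPs sharing one 256 kbit aggregate. The function names, the documentation-range addresses and the 10k burst are assumptions, and it assumes, as the reply does, that the mark set in mangle PREROUTING is visible to the ingress filter.

```shell
#!/bin/sh
# Added example: print (not run) the iptables/tc commands that give several
# source IPs one shared fwmark and one shared ingress policer.

# Return 0 if $1 is a dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: ingress_police_cmds DEV RATE BURST MARK IP [IP...]
ingress_police_cmds() {
    [ "$#" -ge 5 ] || { echo "usage: ingress_police_cmds DEV RATE BURST MARK IP..." >&2; return 2; }
    dev=$1 rate=$2 burst=$3 mark=$4
    shift 4
    # The output is meant for a root shell, so reject anything but plain tokens.
    case "$dev$rate$burst" in
        *[!A-Za-z0-9._-]*) echo "bad device, rate or burst" >&2; return 1 ;;
    esac
    case "$mark" in
        ''|*[!0-9]*) echo "mark must be a decimal number" >&2; return 1 ;;
    esac
    # Validate every address first so a bad one yields no partial rule set.
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    # Same mark for every source: the one policer limits their aggregate rate.
    for ip in "$@"; do
        echo "iptables -t mangle -A PREROUTING -i $dev -s $ip/32 -j MARK --set-mark $mark"
    done
    echo "tc qdisc add dev $dev handle ffff: ingress"
    # Same filter form as in the reply, with the rate and mark filled in.
    echo "tc filter add dev $dev protocol ip parent ffff: pref 10 handle $mark fw police rate $rate burst $burst drop"
}

# Constructed sample: documentation-range addresses, 256kbit from the question,
# and an assumed 10k burst.
ingress_police_cmds eth0 256kbit 10k 3 192.0.2.10 192.0.2.11 198.51.100.7
```

Review the printed commands before piping them to sh as root.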