Hello, it seems, that filtering on nexthdr (TCP/UDP) content, especially src or dst port, is not working. The following has no effect on 2.4.16 or older (even 2.2) kernels: # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match tcp dst 3128 0xffff police rate 40kbit burst 10k drop flowid :1 Even if # tc filter ls dev eth0 parent ffff: filter protocol ip pref 50 u32 filter protocol ip pref 50 u32 fh 800: ht divisor 1 filter protocol ip pref 50 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid :1 police 4 action drop rate 40Kbit burst 10Kb mtu 2Kb match 00000c38/0000ffff at nexthdr+0 looks reasonable, TCP connections to port 3128 are not policed. If I use "match ip dst <ip-address>" instead, the policing works. Port based matching isn't working for outgoing shapers either, as can be seen with the statistics functions. Any idea? Anybody with port based (etc.) filtering actually working? Regards, Lutz -- _ | Lutz Pressler | Tel: ++49-551-3700002 |_ |\ | | Service Network GmbH | FAX: ++49-551-3700009 ._|ER | \|ET | Bahnhofsallee 1b | mailto:lp@xxxxxxxxx Service Network | D-37081 Goettingen | http://www.SerNet.DE/