On Fri, 14 Dec 2001, bert hubert wrote:
> On Thu, Dec 13, 2001 at 08:46:57PM +0100, Lutz Pressler wrote:
>
> > The following has no effect on 2.4.16 or older (even 2.2) kernels:
> >
> > # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match tcp
> > dst 3128 0xffff police rate 40kbit burst 10k drop flowid :1
>
> Double check what this means! This limits speed of data *coming in to* your
> proxy from a client (browser). That is not a lot - most data will flow the
> other way, and will indeed not be matched.
>
Sorry, that was a typo (I forget that I tried the other way too, to be complete,
before doing the cut&paste). Of course "src 3128"!

> Data being received BY your proxy from the internet is not matched by this
> proxy.
>
> > Even if
> > # tc filter ls dev eth0 parent ffff:
> > filter protocol ip pref 50 u32
> > filter protocol ip pref 50 u32 fh 800: ht divisor 1
> >
> > filter protocol ip pref 50 u32 fh 800::800 order 2048 key ht 800 bkt 0
> > flowid :1 police 4 action drop rate 40Kbit burst 10Kb mtu 2Kb
> > match 00000c38/0000ffff at nexthdr+0
and "match 0c380000/ffff0000" here.

> You supply a lot of redundant information. I'm not sure what the '4' means
> in this rule.
Neither do I, haven't set it explicitly. Seems to increase with every change in
policing rules.

> > looks reasonable, TCP connections to port 3128 are not policed.
> >
> > If I use "match ip dst <ip-address>" instead, the policing works.
>
> Your proxy does not necessarily download FROM port 3128!
I did that - as a test, real situation is not about 3128 - on the client, not
the proxy.

Lutz
-- 
 _ | Lutz Pressler | Tel: ++49-551-3700002
|_ |\ | | Service Network GmbH | FAX: ++49-551-3700009
._|ER | \|ET | Bahnhofsallee 1b | mailto:lp@xxxxxxxxx
Service Network | D-37081 Goettingen | http://www.SerNet.DE/
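As an added example (written for this page; not from the thread and not iproute2 code), a small Python decoder/encoder for the `match VALUE/MASK at nexthdr+0` selector that `tc filter ls` printed above. It shows why `00000c38/0000ffff` is a destination-port match and `0c380000/ffff0000` a source-port match, and applies each selector to a constructed client/proxy port pair (the client port 40000 is a made-up sample value).

```python
# Added example (not from the thread): decode/encode the u32 port selector tc prints.
import re
import struct

SEL_RE = re.compile(r"match\s+([0-9a-f]{8})/([0-9a-f]{8})\s+at\s+nexthdr\+0", re.I)


def decode_port_selector(line):
    """Parse 'match VALUE/MASK at nexthdr+0' into the ports it pins down.

    The 32-bit word at the start of a TCP/UDP header holds the source port in
    its high 16 bits and the destination port in its low 16 bits.  A half whose
    mask is 0000 is unconstrained (None); otherwise the masked value is returned.
    """
    m = SEL_RE.search(line)
    if m is None:
        raise ValueError("not a nexthdr+0 selector: %r" % line)
    value, mask = int(m.group(1), 16), int(m.group(2), 16)
    ports = {}
    for name, shift in (("src", 16), ("dst", 0)):
        half_mask = (mask >> shift) & 0xFFFF
        ports[name] = (value >> shift) & half_mask if half_mask else None
    return ports


def encode_port_selector(src=None, dst=None):
    """Render the selector tc prints for 'match tcp src S 0xffff' / 'match tcp dst D 0xffff'."""
    value = mask = 0
    if src is not None:
        value |= (src & 0xFFFF) << 16
        mask |= 0xFFFF0000
    if dst is not None:
        value |= dst & 0xFFFF
        mask |= 0x0000FFFF
    return "match %08x/%08x at nexthdr+0" % (value, mask)


def selector_matches(line, src_port, dst_port):
    """Apply a selector the way u32 does: (header_word ^ value) & mask == 0."""
    m = SEL_RE.search(line)
    value, mask = int(m.group(1), 16), int(m.group(2), 16)
    word, = struct.unpack("!I", struct.pack("!HH", src_port, dst_port))
    return ((word ^ value) & mask) == 0


if __name__ == "__main__":
    # Constructed inputs: the selector from the thread's `tc filter ls` output and its mirror.
    for sel in ("match 00000c38/0000ffff at nexthdr+0", "match 0c380000/ffff0000 at nexthdr+0"):
        print(sel, decode_port_selector(sel), "client->proxy:", selector_matches(sel, 40000, 3128),
              "proxy->client:", selector_matches(sel, 3128, 40000))
```

Note that u32 resolves `nexthdr+0` through an offset computed by an `offset` directive (or a `link` from a table that set one); with none configured, the selector is compared against the first word of the IP header instead, which is one way a bare `match tcp dst` filter ends up matching nothing. `match ip dport` sidesteps this by comparing at a fixed offset of 20 bytes, i.e. it assumes an IP header without options.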