Due to a shortage of resources I've only recently been able to my goal of a combined bridge/IPX traffic shaper, the results of which I hope to be able to share in the next few weeks or so.
In the meantime, I've a problem trying to explicitly drop unwanted IPX packets.
Background
What I'm trying to achieve is a filter broadly similar to the following iptables example, in which unmatched packets are discarded.
iptables -t mangle -A somechain -s some-addr -j ACCEPT
...
iptables -t mangle -A somechain -s some-other-addr -j ACCEPT
iptables -t mangle -A somechain -j DROP
Thanks mostly to Martin Brown's response to my previous question, I have written the u32 filters to do the equivalent of "-s some-addr -j ACCEPT" for the IPX packets but I'm stuck on the equivalent for "-j DROP".
I'm using prio as the root qdisc, with a pfifo attached to the first class, 1:1, htb attached to the second class, 1:2, and the third class, 1:3, is the one I've been using to experiment with.
The filter attached to the root, prio, qdisc directs all non-IPX traffic to the pfifo attached to 1:1 and all matching IPX traffic to 1:2.
Problem
My first attempt to drop the remaining packets was to make the last entry in the filter
tc filter ... u32 match u16 0x8137 0xffff at -2 police drop flowid 1:3
which tc -s filter ls dev eth0 shows as
...
filter parent 1: protocol ip ...
police 3 action drop rate 0bps burst 0b mtu 4096Mb
match 00008137/0000ffff at -4
This had no effect, with the unwanted IPX traffic still being passed.
My second attempt was to remove the "police drop" from the above filter spec. and add a zero-length pfifo to the third class, 1:3, as follows
tc qdisc add dev eth0 parent 1:3 handle 30: pfifo limit 0
which tc -s qdisc ls dev eth0 shows as
...
qdisc pfifo 30: limit 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
Again this has no effect, all the unwanted IPX traffic passes via pfifo 30:.
Any ideas?
Griff.
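
An added illustration, not part of the original post: a user-space model of how the u32 keys described above select packets. It shows why "match u16 0x8137 0xffff at -2" is listed as "00008137/0000ffff at -4" and how an allow-list followed by a catch-all class is evaluated. The source network value, the sample frames and the rule order are constructed assumptions.

```python
import struct

IPX_ETHERTYPE = 0x8137  # Ethernet II type field matched in the post

def pack_u16(value, mask, offset):
    """Fold 'match u16 VALUE MASK at OFFSET' into a 32-bit aligned key."""
    if offset & 1 or value > 0xFFFF:
        raise ValueError("u16 match needs an even offset and a 16-bit value")
    shift = 16 if offset % 4 == 0 else 0  # high or low half of the word
    return (value & mask) << shift, mask << shift, offset & ~3

def key_matches(frame, key, l3_start=14):
    """Test one key; offsets count from the network header, so -2 is the ethertype."""
    value, mask, offset = key
    pos = l3_start + offset
    if pos < 0 or pos + 4 > len(frame):
        return False
    (word,) = struct.unpack_from("!I", frame, pos)
    return word & mask == value

def classify(frame, rules, default):
    """Return the flowid of the first rule whose keys all match."""
    for keys, flowid in rules:
        if all(key_matches(frame, k) for k in keys):
            return flowid
    return default

def ipx_frame(src_net):
    """Constructed Ethernet II + 30-byte IPX header with the given source network."""
    eth = bytes(6) + bytes.fromhex("020000000001") + struct.pack("!H", IPX_ETHERTYPE)
    ipx = struct.pack("!HHBB", 0xFFFF, 30, 0, 0) + bytes(12)  # up to dest socket
    return eth + ipx + struct.pack("!I", src_net) + bytes(8)  # src net, node, socket

IS_IPX = pack_u16(IPX_ETHERTYPE, 0xFFFF, -2)
# Assumed allowed source network 0x00000a01 (IPX header bytes 18-21, two u16 keys).
ALLOWED = [IS_IPX, pack_u16(0x0000, 0xFFFF, 18), pack_u16(0x0A01, 0xFFFF, 20)]
RULES = [(ALLOWED, "1:2"), ([IS_IPX], "1:3")]  # 1:3 is the catch-all for other IPX
IP_FRAME = bytes(12) + struct.pack("!H", 0x0800) + bytes(20)  # constructed non-IPX

if __name__ == "__main__":
    print("u16 0x8137 at -2 -> %08x/%08x at %d" % IS_IPX)
    for name, frame in [("allowed IPX", ipx_frame(0x0A01)),
                        ("other IPX", ipx_frame(0x0B02)),
                        ("IPv4", IP_FRAME)]:
        print(name, "->", classify(frame, RULES, default="1:1"))
```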