> > I still can't find anything about "filter > > policers" anywhere. I didn't find any description of a command line that > > even suggested such a thing was possible. Can you please point me to > > some more info about this, if any exists? > There also some limited example scripts in the iproute2 source. OK - I'll have a look at those scripts to see how one can associate policers with filters. > > The fact that the filters are metering traffic flows implies that they > > have are stateful. When using filters with egress queue hierarchies, it > > was my understanding that no state was needed since all they do is > > direct packets into classes. It sounds like my current understanding is > > quite wrong. > I don't think the filters are statefull. If you use policers, you only rate > limit the filters. The filters itself have no idea about the traffic flows. Then there are two further questions (the first of which I actually should have asked before): 1) When working with egress traffic control, filters are attached to classes. The documents I've read so far tell me that the ingress qdisc is classless so, on the face of it, filters shouldn't be useable at all. Please tell me which part of this I have badly misunderstood. 2) Since the filters themselves are, as you say, stateless, then it sounds like a "policer" is a separate object that's being created at the same time as the filter. Is there any other way to create a "policer" object, or do they only exist when attached to filters? When working with egress traffic control, can you attach policers to filters, and how would they interact with the classes? > > BTW, we are working with a stock RedHat 7.3 2.4.20-18.7 kernel, and we > > are VERY reluctant to apply patches of any kind, so we're just going to > > work with whatever is available in the bits we download. We're > > considering moving up to 2.4.21 to get IMQ, but that doesn't appear to > > be available for RedHat 7.3 yet - in fact, this may force us to RedHat > > 9.0 (not a bad thing, really). > Why don't you download the kernel source 7.3 2.4.20-18.7 from RH and the > config file? So you have the same source as the kernel you trust. If you > trust that source, you can pacth it with what ever you want. Our problem is not really with "trust". Our problem is that we have very limited staff, and we don't want to open up a whole new area of effort. Using "stock" kernels and not having to compile them means that none of us have to go through the effort of managing all that. We have the expertise, we just don't have the time.
