Re: Limiting speed of individual TCP sessions ?

Linux Advanced Routing and Traffic Control


Hi,

I can't imagine a "clean" tc-only solution, 
but look at the extra-patch-o-matic matches in iptables:

from http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-connrate
-----------------
Author: Nuutti Kotivuori <naked@xxxxxx>
Status: Working, but received only minimal testing

The connrate match is used to match against the current transfer speed of a
connection. The algorithm averages transferred bytes over a time sliding window
of constant size. The maximum and minimum rates measurable are explained in the
code, along with the algorithm used in the measurements.

This match can easily be used to reclassify connections based on their current
transfer rate, but is not meant for directly dropping packets, because packet
drops affect the rate being estimated.

The transfer rate per connection can also be viewed through
/proc/net/ip_conntrack.

Usage:
--connrate [!] [FROM]:[TO]

will match packets from a connection which is currently transferring more than
FROM bytes per second and less than TO bytes per second. 'inf' can be used to
signify the largest measurable transfer rate. If FROM is omitted, it defaults to
zero. If TO is omitted, it defaults to infinity. "!" is used to match packets
not falling in the range.

Example:

iptables .. -m connrate --connrate 10000:100000 ...

 => match packets in connections transferring faster than 10kbps, but slower
    than 100kbps.

iptables .. -m tos --tos Minimize-Delay \
            -m connrate --connrate 20000:inf \
            -j TOS --set-tos Maximize-Throughput

 => match packets in minimize-delay TOS connections that are transferring
    faster than 20kbps and change their tos to maximize-throughput instead.

-------------------------

you could re-classify every *single* connection exceeding your maximum to a 
"you get less than normal sessions"-htb/hfsc class....

perhaps this is what you want?
(although it means you'll have to patch your kernel ;)

Greetings

Tobias


On Friday, 10 September 2004 01:57, Simon Byrnand wrote:
> Hi All,
>
> Does anyone know of a way to limit the speed of *individual* TCP sessions,
> but without placing any overall bandwidth limits, and without requiring an
> explicit QoS entry for every ip address the machine is communicating with ?
>
> The scenario is a mailserver - say you want to limit individual TCP
> sessions (pop3, smtp etc) to no more than 512Kbit so that an individual
> session can't hog your bandwidth, but you don't want to place a maximum
> limit on the TOTAL traffic. Also it's impossible to set up normal per-ip
> address QoS classes, because there are potentially an almost infinite
> number of possible ip addresses that might try to connect to the server.
>
> Any ideas ?
>
> Regards,
> Simon
>
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
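
The reclassification suggested in the reply, written out as an added example (not code from the thread or from the connrate author): sessions whose measured rate exceeds the 512 Kbit figure from the question are moved into a lower-priority HTB class. The interface name, link rate, class ids and port list are assumptions, and the connrate match requires the patched kernel and iptables mentioned above.

```shell
#!/bin/sh
# Added example: per-session soft cap using the connrate match plus HTB.
# Assumed values (not from the thread): interface, link rate, class ids.
DEV="${DEV:-eth0}"                # egress interface (assumed)
LINK_KBIT="${LINK_KBIT:-100000}"  # physical link rate, not a policy limit (assumed)
SLOW_KBIT="${SLOW_KBIT:-512}"     # guaranteed share of the "heavy sessions" class
PORTS="${PORTS:-25,110}"          # smtp and pop3 source ports on the mail server

# connrate takes bytes per second; convert from kbit/s (1 kbit = 1000 bit).
kbit_to_bytes() {
    echo $(( $1 * 1000 / 8 ))
}

# Print the tc/iptables commands for a per-session threshold given in kbit/s.
# Printing instead of executing lets the rule set be reviewed before use.
emit_rules() {
    thresh_bytes=$(kbit_to_bytes "$1")
    cat <<EOF
tc qdisc add dev $DEV root handle 1: htb default 10
tc class add dev $DEV parent 1: classid 1:1 htb rate ${LINK_KBIT}kbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate $((LINK_KBIT - SLOW_KBIT))kbit ceil ${LINK_KBIT}kbit prio 0
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${SLOW_KBIT}kbit ceil ${LINK_KBIT}kbit prio 1
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
iptables -t mangle -A POSTROUTING -o $DEV -p tcp -m multiport --sports $PORTS -m connrate --connrate ${thresh_bytes}:inf -j CLASSIFY --set-class 1:20
EOF
}
# 1:10 is the default class for normal sessions and borrows spare bandwidth first.
# 1:20 holds sessions matched by connrate; it may still borrow up to the link
# rate, so no total limit is imposed, but only after 1:10 has been served.
# sfq on 1:20 shares that class between the heavy sessions.
# Only traffic leaving the server on $DEV is shaped here.

emit_rules "${THRESH_KBIT:-512}"
```

Review the printed commands and pipe them to sh as root to apply them. Because the match is evaluated per packet against the current rate, a session drops back to class 1:10 once its measured rate falls below the threshold.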
