You got it the wrong way. Let me explain.

Tc shapes outgoing packets, not incoming. So, if you want to shape download, you have to shape it using the eth0 interface. Add rules to match packets from source port 80 or destination lan/firewalled ip. (This is why your download shaping works.)

If you want to shape upload, you have to shape it using the eth1 interface. (This is where you should change some things.) Add rules to match packets to destination port 80 or source lan/firewalled ip using eth1. (Note that since shaping is done after the routing, the SNAT rules in iptables will be applied before shaping occurs, so you can't shape outgoing packets by source using nat at the same time.)

Anyway, if you don't like how tc works there is a kernel patch, IMQ. Google for it. Using it you can shape incoming packets, as they arrive on the interface. :D

Iosif Peterfi
Forte Systems S.R.L.
http://www.fortesys.ro/

-----Original Message-----
From: lartc-bounces@xxxxxxxxxxxxxxx [mailto:lartc-bounces@xxxxxxxxxxxxxxx] On Behalf Of Christian Bauer
Sent: Wednesday, June 01, 2005 3:51 PM
To: lartc@xxxxxxxxxxxxxxx
Subject: TC Filtering Problems

Dear Admins and Hackers,

maybe I am too stupid to use 'tc', but I am having logical problems understanding the filter rules in tc.

Common Config:

There is a Linux engine (Debian) with a 2.6.11.11 kernel which acts as packet shaper. Two interfaces, eth0 and eth1, are installed. Interface 'eth0' is the firewall side, net 195.185.185.0/24. Interface 'eth1' goes to the Internet (switch and routers to the ISPs). Both interfaces are bridged. The TEST client is located on the eth0 device of the packet shaper.

Kernel Module: (lsmod)

    Module         Size   Used by
    mirred         7744   0
    sch_dsmark     7424   0
    police        10976   0
    pedit          7648   0
    gact           7008   0
    cls_rsvp       7424   0
    cls_route      7808   0
    sch_prio       5888   0
    ipt_state      2048   0
    ipt            8288   0
    sch_htb       18816   0
    cls_tcindex    8192   0
    cls_u32        9220   0
    cls_fw         5504   0

TC Config (a htb Qdisc):

    for d in eth0 eth1; do
        tc qdisc add dev $d root handle 1:0 htb default 12
        tc class add dev $d parent 1:2 classid 1:2 htb rate 8096mbit
        tc class add dev $d parent 1:2 classid 1:10 htb rate 64kbit ceil 64kbit prio 0
        tc class add dev $d parent 1:2 classid 1:12 htb rate 1024mbit ceil 1024mbit prio 0
    done

Http filter (looks for (source) port 80 at offset 20 in the IP packet (HTTP server answer)):

    tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match u32 0x500000 0xffff0000 at 20 classid 1:10

This filter is working and the http download on the firewall side is restricted to 64 kbit, as you can see below.

tc -s filter show dev eth0 :

    filter parent 1: protocol ip pref 100 u32
    filter parent 1: protocol ip pref 100 u32 fh 800: ht divisor 1
    filter parent 1: protocol ip pref 100 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 (rule hit 151 success 129)
      match 00500000/ffff0000 at 20 (success 129 )

But why can't I filter packets with dst port 80 or src IP on eth0?

Dstport 80:

    tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match u32 0x50 0xffff at nexthdr+0 classid 1:10

or source IP address:

    tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match ip src 195.185.185.2/32 classid 1:10

On these filters there are no success counters.

It can't be our firewall. I connected our test laptop directly to the eth0 packet shaper device. When I ran "tcpdump -i eth0" on the packet shaper I saw the packets with src IP address 195.185.185.2 and dst port 80.

I can't understand why tc is not able to find the src IP fields in the packets on eth0 of the packet shaper. At first I thought the problem would be the br_fw (bridgerouter) option in the kernel. Without this option the problem is still there.

In my eyes it's not logical! Please can anyone help me? I have no idea left. I hope there is a hacker or admin who can tell me the filter logic.

thanks in advance
Christian

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
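
Added example, not part of the original thread: a Python emulation of the three u32 matches from the question, run over two constructed packets, showing which filters can ever hit on the egress side of each bridge port. The server address 192.0.2.80, the client port 40000, the filter labels and the assumption that `nexthdr+0` resolves to the end of the IP header are illustrative, not taken from the posts.

```python
import socket
import struct

def ip_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def ipv4_tcp(src, dst, sport, dport):
    """Constructed 20-byte IPv4 header + 20-byte TCP header (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp

def u32_match(pkt, value, mask, offset, nexthdr=False):
    """Emulate 'match u32 VALUE MASK at OFFSET' (or 'at nexthdr+OFFSET')."""
    base = (pkt[0] & 0x0F) * 4 if nexthdr else 0  # assumed: nexthdr = end of IP header
    (word,) = struct.unpack_from("!I", pkt, base + offset)
    return (word & mask) == (value & mask)

# The filters from the question as (value, mask, offset, nexthdr); labels are hypothetical.
FILTERS = {
    "sport80":    (0x00500000, 0xFFFF0000, 20, False),  # match u32 0x500000 0xffff0000 at 20
    "dport80":    (0x50, 0xFFFF, 0, True),               # match u32 0x50 0xffff at nexthdr+0
    "src_client": (ip_int("195.185.185.2"), 0xFFFFFFFF, 12, False),  # match ip src .../32
}

LAN = ip_int("195.185.185.0")  # firewall-side /24 behind eth0

def egress_dev(pkt):
    """Bridge from the post: packets to the /24 leave via eth0, everything else via eth1."""
    (dst,) = struct.unpack_from("!I", pkt, 16)
    return "eth0" if (dst ^ LAN) >> 8 == 0 else "eth1"

def filters_hit(dev, packets):
    """Filters attached to dev's root qdisc only see packets leaving through dev."""
    seen = set()
    for pkt in packets:
        if egress_dev(pkt) == dev:
            seen |= {name for name, f in FILTERS.items() if u32_match(pkt, *f)}
    return seen

# Constructed traffic: one HTTP request from the test client and the server's answer.
REQUEST = ipv4_tcp("195.185.185.2", "192.0.2.80", 40000, 80)
RESPONSE = ipv4_tcp("192.0.2.80", "195.185.185.2", 80, 40000)

if __name__ == "__main__":
    for dev in ("eth0", "eth1"):
        print(dev, sorted(filters_hit(dev, [REQUEST, RESPONSE])))
```

tcpdump on eth0 shows both directions, but only the server's answer is queued for transmission there, which is why the source-port filter counts hits on eth0 while the other two would only count on eth1.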