Andy Furniss <andy.furniss@xxxxxxxxxxxxx> wrote:

> I only skimmed through - the lack of CRs makes it a bit difficult to read.
>
> One thing to note is that unlike htb, prio 1 is the top prio for filters -
> and you use prio 0 for the metro so this filter won't see traffic that has
> already been classified by the prio 1 tos filter.
>
> Also when using tos be aware that some apps set it - so there could be
> other traffic than that set by the iptables rules.
>
> Andy.

I pasted the script from kwrite to Mozilla suite composer. I don't know why there are no CRs. :(

I know that applications set the tos field (and I hope programmers know if they are supposed to set it or not, and that they don't cheat). I rely on this.

I will correct the prio error.

My question still remains: is it possible to use tos AND fwmark in the same rule (and the effect be an AND - like in iptables, not an OR)?

My script:

#!/bin/bash
tc=/sbin/tc
u=kbit;U=Mbit
RATE=256
metro=1
for dev in ` echo eth0 eth1 `; do
    $tc qdisc del dev $dev root &>/dev/null
    $tc qdisc add dev $dev root handle 1: htb default FF

    # class default - non-prioritized traffic
    $tc class add dev $dev parent 1: classid 1:1 \
        htb rate $RATE$u ceil $[$RATE-16]$u
    $tc class add dev $dev parent 1:1 classid 1:FF \
        htb rate 1$u ceil $[$RATE-16]$u prio 1
    $tc qdisc add dev $dev parent 1:FF handle FF: sfq perturb 10

    # prioritized traffic - Internet (TOS = Minimize-Delay)
    $tc class add dev $dev parent 1:1 classid 1:2 \
        htb rate $[$RATE-16]$u ceil $[$RATE-16]$u burst 16k prio 0
    $tc filter add dev $dev parent 1: protocol ip prio 1 \
        u32 match ip tos 0x10 0xff flowid 1:2
    $tc qdisc add dev $dev parent 1:2 handle 2: sfq perturb 10

    # metropolitan (MARK = 1)
    $tc class add dev $dev parent 1: classid 1:3 htb rate 100$U ceil 99$U
    $tc class add dev $dev parent 1:3 classid 1:FE htb rate 99$U ceil 99$U
    $tc qdisc add dev $dev parent 1:FE handle FE: sfq perturb 10
    $tc filter add dev $dev parent 1: protocol ip prio 0 \
        handle $metro fw flowid 1:FE
done
EOF

The output of iptables-save (mangle PREROUTING):

-A PREROUTING -p tcp -m tcp --sport 21:22 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 21:22 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 443 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 443 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 5050 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 5050 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 6667:7000 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 6667:7000 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --tcp-flags SYN ACK -j TOS --set-tos 0x10
-A PREROUTING -s 82.77.124.128/255.255.255.224 \
    -d 82.77.124.128/255.255.255.224 -j MARK --set-mark 0x1
-A PREROUTING -s 82.77.124.128/255.255.255.224 -d 193.226.0.0/255.255.0.0 \
    -j MARK --set-mark 0x1
-A PREROUTING -s 193.226.0.0/255.255.0.0 -d 82.77.124.128/255.255.255.224 \
    -j MARK --set-mark 0x1
-A PREROUTING -s 192.129.0.0/255.255.0.0 -d 82.77.124.128/255.255.255.224 \
    -j MARK --set-mark 0x1
-A PREROUTING -s 82.77.124.128/255.255.255.224 -d 192.129.0.0/255.255.0.0 \
    -j MARK --set-mark 0x1

Thank you!
Sorin.

P.S. I changed my registered e-mail address and I think I cannot post from the old one, from which I received the message I am now replying to. Please BCC my new address. Thank you!

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
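
The filter-ordering point raised in the quoted reply, as an added example that is not part of the original message or of tc itself: a small Python model of first-match classification over the two filters in the script. The names `Packet`, `Filter`, `classify`, `AS_POSTED` and `METRO_FIRST` are hypothetical, `METRO_FIRST` is only one possible way to reorder the filters, and the value 49152 for a filter added with prio 0 is an assumption about the preference the kernel allocates automatically.

```python
from dataclasses import dataclass
from typing import Callable, List

# Assumption: "prio 0" asks the kernel to pick a preference itself; the
# auto-allocated value is modelled as 49152, which sorts after prio 1.
AUTO_PRIO = 49152

@dataclass(frozen=True)
class Packet:
    tos: int = 0   # full IP TOS byte as seen by the u32 match
    mark: int = 0  # fwmark set by the mangle PREROUTING rules

@dataclass(frozen=True)
class Filter:
    prio: int
    match: Callable[[Packet], bool]
    flowid: str

def u32_tos(value: int, mask: int) -> Callable[[Packet], bool]:
    """Model of 'u32 match ip tos VALUE MASK'."""
    return lambda p: (p.tos & mask) == value

def fw(handle: int) -> Callable[[Packet], bool]:
    """Model of 'handle N fw': match on the packet's fwmark."""
    return lambda p: p.mark == handle

def classify(filters: List[Filter], pkt: Packet, default: str = "1:FF") -> str:
    """Consult filters in ascending preference; the first match decides."""
    for f in sorted(filters, key=lambda f: f.prio or AUTO_PRIO):
        if f.match(pkt):
            return f.flowid
    return default  # 'htb default FF' in the script

# The two filters exactly as posted: tos at prio 1, metro (fw) at prio 0.
AS_POSTED = [Filter(1, u32_tos(0x10, 0xFF), "1:2"), Filter(0, fw(1), "1:FE")]
# Hypothetical reordering: metro filter consulted first, tos filter second.
METRO_FIRST = [Filter(1, fw(1), "1:FE"), Filter(2, u32_tos(0x10, 0xFF), "1:2")]

if __name__ == "__main__":
    samples = {"tos+mark": Packet(0x10, 1), "mark only": Packet(0, 1),
               "tos only": Packet(0x10, 0), "tos 0x12": Packet(0x12, 0)}
    for name, pkt in samples.items():
        print(f"{name:10} posted={classify(AS_POSTED, pkt):5} "
              f"metro-first={classify(METRO_FIRST, pkt)}")
```

The `tos 0x12` sample shows that the `0xff` mask compares the whole TOS byte, so a packet carrying any extra bits in that byte falls through to the default class.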