Hello,

I've found this page (lartc is currently down)
http://www.lartc.org/howto/lartc.cookbook.synflood-protect.html
where someone used an iptables firewall mark to mark specific packets, which will be shaped through the ingress qdisc with a fw filter and a rate policy appended.

I've tried something similar, but it doesn't work. Now I believe this couldn't work because the traffic is marked with iptables after it has passed the ingress qdisc? Correct?

I've tried this two ways:

********************************
<mark the packets to shape in PREROUTING with 7>
$TC qdisc add dev $DEV handle FFFF: ingress
$TC filter add dev $DEV parent ffff: protocol ip prio 50 handle 7 fw \
    police rate ${DOWNSTREAM}kbit burst 10k mtu $MTU drop flowid :1
********************************
This doesn't work; it shapes nothing.

********************************
$TC qdisc add dev $DEV handle FFFF: ingress
$TC filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip \
    src 0.0.0.0/0 police rate ${DOWNSTREAM}kbit burst 10k drop flowid :1
********************************
This works fine; it shapes all traffic down to the $DOWNSTREAM limit.

--
Markus Schulz

> >Is that verb regular? Does "ich kann den Mond sprengen" sound less
> >awkward than "ich kann den Mond explodieren" ?
> The first sentence is correct, the second one is just nonsense. But
> you will need quite a big amount of explosives to do so.
I'm sure America has plenty. :)