Hi,

I am trying to do some simple ingress limiting based on fwmark. I know the ability and sense to do INGRESS limiting is ehm... limited ;-) but still I want to try it. I tried several things.

=== 1 ===

    tcq ingress handle ffff:
    tcf parent ffff: protocol ip prio 1 handle 1 fw police rate 12mbit burst 10k drop
    tcf parent ffff: protocol ip prio 1 handle 2 fw police rate 10mbit burst 10k drop
    tcf parent ffff: protocol ip prio 1 handle 3 fw police rate 1mbit burst 10k drop

This installs OK, but the filters are never called. The netfilter stats show the marks are set though. To make sure it's not just the tc stats output that's borked, I changed the bw limits to a ridiculously low value, and indeed, no effect at all.

=== 2 ===

    tcq ingress handle ffff:
    tcq parent ffff: handle 10 htb
    tcc parent ffff: htb rate 12mbit
    tcc parent ffff: htb rate 10mbit
    tcc parent ffff: htb rate 1mbit
    tcf parent ffff: protocol ip prio 1 fw

I tricked tc into attaching an htb to the root qdisc. This gives no errors but also doesn't seem to do anything. If you use tc show qdisc|filter|class the qdisc, filters and classes are not even shown, so I guess it's borked (tc should have given an error that it won't work).

========

IMHO what I want to achieve isn't that complex... The example of the synflood protector also doesn't work, btw.

I am using Linux 2.6.16.1 and these rules to mark:

    iptables -t mangle -N classify-high
    iptables -t mangle -A classify-high -j MARK --set-mark 1
    iptables -t mangle -A classify-high -j ACCEPT
    iptables -t mangle -N classify-medium
    iptables -t mangle -A classify-medium -j MARK --set-mark 2
    iptables -t mangle -A classify-medium -j ACCEPT
    iptables -t mangle -N classify-low
    iptables -t mangle -A classify-low -j MARK --set-mark 3
    iptables -t mangle -A classify-low -j ACCEPT

The "ACCEPT"s are necessary, otherwise the classification will overflow and all packets are marked with "3".

Thanks in advance.
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc