Hello there,

Why would you want to mark the packets with iptables in the first place for ingress shaping? Why not use the tc functionality to specify source and destination addresses and protocol types?

I would suggest leaving iptables alone and getting your hands on TC for doing traffic control ;-)

So in your example:

    tc qdisc add dev eth0 handle ffff: ingress
    tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:

That's an elegant way to achieve what you want.

HTH,
-nik

p.s. Mind the burst parameter, it seems a huge value to me.

----- Original Message -----
From: mohican 542003
To: lartc@xxxxxxxxxxxxxxx
Sent: Wednesday, February 28, 2007 4:39 PM
Subject: incoming traffic + iptable

Hello,

I am trying to use iptables to mark packets and then filter them with tc. Here is my script:

    iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j MARK --set-mark 1
    tc qdisc add dev eth0 handle ffff: ingress
    tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1

I cannot use u32 because I have several filters with more than one IP address in each.

Packets seem to be well marked (command: iptables -t mangle -L -vnx) but packets are not filtered with tc.

Can someone help me?

Thanks,
Olivier.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
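
The u32 approach from the reply, extended to a group of source addresses, as an added example that is not part of the original thread: the script validates its inputs and only prints the tc commands, one u32 filter per address. The function names, the extra addresses and the 10k burst are assumptions; each filter has its own policer, so the rate applies per source address rather than to the group as a whole.

```sh
#!/bin/sh
# Added example (not from the thread): print, but do not run, the tc commands
# that police ingress traffic from a group of IPv4 source addresses.

# valid_cidr ADDR: succeed only for dotted-quad IPv4 with an optional /0-32.
valid_cidr() {
    _ip=${1%/*}; _len=32
    case $1 in */*) _len=${1#*/} ;; esac
    case $_len in ''|*[!0-9]*) return 1 ;; esac
    [ "${#_len}" -le 2 ] && [ "$_len" -le 32 ] || return 1
    case $_ip in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $_ip; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
}

# emit_ingress_police DEV RATE BURST ADDR...: one u32 filter per address.
# Arguments are checked first so the output can be reviewed and piped to sh.
emit_ingress_police() {
    dev=$1; rate=$2; burst=$3; shift 3
    case $dev in ''|*[!A-Za-z0-9_.-]*) echo "bad device" >&2; return 1 ;; esac
    for v in "$rate" "$burst"; do
        case $v in ''|*[!A-Za-z0-9]*) echo "bad rate/burst" >&2; return 1 ;; esac
    done
    for src in "$@"; do
        valid_cidr "$src" || { echo "bad address: $src" >&2; return 1; }
    done
    echo "tc qdisc add dev $dev handle ffff: ingress"
    for src in "$@"; do
        case $src in */*) ;; *) src=$src/32 ;; esac
        # Each filter carries its own policer: the rate applies per source.
        echo "tc filter add dev $dev parent ffff: protocol ip prio 1 u32" \
             "match ip src $src police rate $rate burst $burst drop flowid :1"
    done
}

# Constructed sample group: 172.28.54.41 is from the thread, the rest are
# made up, and the 10k burst is an assumed value.
emit_ingress_police eth0 10000kbit 10k 172.28.54.41 172.28.54.42 172.28.60.0/24
```
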