Hello there,

Sure tc can do those, I am not sure about layer 7 protocols. I am no tc expert myself ;-(

-nik

----- Original Message -----
From: "François Delawarde" <fdelawarde@xxxxxxxxxxxxxxxxx>
To: <lartc@xxxxxxxxxxxxxxx>
Cc: "Nikolay Kichukov" <hijacker@xxxxxxxxx>
Sent: Thursday, March 01, 2007 5:03 PM
Subject: Re: incoming traffic + iptable

> Hello,
> I would need to be able to do that, as I think that iptables is more
> powerful for classifying traffic you want to police/shape. I don't
> really know tc yet, so could you tell if it has the possibility of
> detecting:
>
> - mac addresses
> - ip tos/ttl values
> - icmp types
> - tcp/udp flags/ports or port ranges
> - layer 7 protocols
>
> Thanks for the help,
> François.
>
>
> Nikolay Kichukov wrote:
> > Hello there,
> > Why would you want to mark the packets with iptables in the first place for
> > ingress shaping?
> > Why not use the tc functionality to specify source and destination
> > addresses and protocol types?
> >
> > I would suggest leaving iptables alone and getting your hands on TC for doing
> > traffic control ;-)
> >
> > So in your example:
> >
> > tc qdisc add dev eth0 handle ffff: ingress
> > tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:
> >
> > That's an elegant way to achieve what you want.
> >
> > HTH,
> > -nik
> >
> > p.s. Mind the burst parameter, it seems a huge value to me.
> >
> >
> > ----- Original Message -----
> > From: mohican 542003
> > To: lartc@xxxxxxxxxxxxxxx
> > Sent: Wednesday, February 28, 2007 4:39 PM
> > Subject: incoming traffic + iptable
> >
> >
> > Hello,
> >
> > I try to use iptables to mark packets and then to filter them with tc.
> > Here is my script:
> >
> > iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j MARK --set-mark 1
> > tc qdisc add dev eth0 handle ffff: ingress
> > tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1
> >
> > I cannot use u32 because I have several filters with more than one IP
> > address in each.
> >
> > Packets seem to be well marked (command: iptables -t mangle -L -vnx)
> > but packets are not filtered with tc.
> >
> > Can someone help me?
> >
> > Thanks,
> >
> > Olivier.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
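
Added example, not part of the original thread: a dry-run builder that turns the match kinds asked about above (source address, TOS, ICMP type, TCP/UDP port, source MAC) into u32 selectors on the ingress qdisc, one police filter per rule. The function names and the DEV/RATE/BURST defaults are assumptions; the offsets assume an Ethernet link and an IP header without options, and layer 7 matching is not covered.

```shell
# Added example: nothing is applied unless TC=tc is set (needs root).
DEV=${DEV:-eth0}
RATE=${RATE:-10000kbit}   # rate used in the thread
BURST=${BURST:-100k}      # constructed value, size it for your link
TC=${TC:-echo tc}         # default only prints the commands

# u32_match KIND VALUE -> prints the u32 selector for one classification kind.
u32_match() {
    case "$1" in
        src)  echo "match ip src $2" ;;
        tos)  echo "match ip tos $2 0xff" ;;
        icmp) echo "match ip protocol 1 0xff match icmp type $2 0xff" ;;
        tcp)  echo "match ip protocol 6 0xff match ip dport $2 0xffff" ;;
        udp)  echo "match ip protocol 17 0xff match ip dport $2 0xffff" ;;
        mac)  # source MAC occupies bytes -8..-3 relative to the IP header
              h=$(echo "$2" | tr -d ':' | tr 'A-F' 'a-f')
              case "$h" in
                  *[!0-9a-f]*) echo "bad mac: $2" >&2; return 1 ;;
              esac
              [ ${#h} -eq 12 ] || { echo "bad mac: $2" >&2; return 1; }
              hi=${h%????}; lo=${h#????????}
              echo "match u32 0x$hi 0xffffffff at -8 match u16 0x$lo 0xffff at -4" ;;
        *)    echo "unsupported kind: $1" >&2; return 1 ;;
    esac
}

# police_filter PRIO KIND VALUE -> one ingress filter that polices the match.
police_filter() {
    sel=$(u32_match "$2" "$3") || return 1
    $TC filter add dev "$DEV" parent ffff: protocol ip prio "$1" u32 $sel \
        police rate "$RATE" burst "$BURST" drop flowid :1
}

# build_ingress KIND=VALUE ... -> ingress qdisc plus one filter per rule.
build_ingress() {
    $TC qdisc add dev "$DEV" handle ffff: ingress
    prio=1
    for rule in "$@"; do
        police_filter "$prio" "${rule%%=*}" "${rule#*=}" || return 1
        prio=$((prio + 1))
    done
}
```

Calling `build_ingress src=172.28.54.41/32 tcp=22 icmp=8` prints the qdisc line followed by three filter lines; review them before running again with `TC=tc`.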