Re: incoming traffic + iptable

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Glad that helped.

You may want to share the knowledge with the others so I am CCing the list.
Just in case someone else is or will be having the same questions.

-nik


----- Original Message ----- 
From: mohican 542003
To: Nikolay Kichukov
Sent: Friday, March 02, 2007 4:47 PM
Subject: Re:  incoming traffic + iptable


Hello,

Thank you very much. I tried it and it works very well.

my script is:
tc qdisc del dev eth0 ingress
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src
172.24.11.14 police index 1 rate 15000kbit burst 15000kbit drop flowid :5002
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src
172.24.16.11 police index 1 rate 15000kbit burst 15000kbit drop flowid :5002
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src
172.24.100.2 police index 2 rate 15000kbit burst 15000kbit drop flowid :5002

172.24.11.14 and 172.24.16.11 shared 15000kbit for incoming traffic and
172.24.100.2 can receive at 15000kbit.

Regards.

Olivier.


2007/3/2, Nikolay Kichukov <hijacker@xxxxxxxxx>:
hello,
I used to be wondering the same thing some time ago and also asked the list
for help, the answer was that I could use the index option to achieve that.

tc filter add ... police index 1 ...
tc filter add ... police index 1 ...
tc filter add ... police index 1 ...
tc filter add ... police index 1 ...

So all your rules should have the index parameter and thus the consumed
bandwidth will be calculated for all the IPs.


However I could not verify that this is actually working. Currently I am not
using it, I just tried it once, but did not have time to do measures and
calculations. So I cannot confirm if that actualy solves the problem you
have. Maybe you can give it a try and let me and the list know if that works
as expected?

-nik

----- Original Message -----
From: mohican 542003
To: Nikolay Kichukov
Sent: Thursday, March 01, 2007 9:45 AM
Subject: Re:  incoming traffic + iptable


Hello,
I would like something like:
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src
172.28.54.41/32 match ip src
172.28.54.45/32match ip src
172.28.54.54/32match ip src
172.28.54.80/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid
ffff:
with several IP address (not consecutive). The only way to do this seems to
be with iptables to mark packets ?

Thanks,

Olivier.


2007/3/1, Nikolay Kichukov <hijacker@xxxxxxxxx>:
Hello there,
Why would you want to mark the packets with iptables in the first place for
ingress shaping?
Why don't use the tc functionality to specify source and destination
addresses and protocol types?

I would suggest to leave iptables alone and get your hand on TC for doing
traffic control ;-)

So in your example:

  tc qdisc add dev eth0 handle ffff: ingress
  tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src
172.28.54.41/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid
ffff:

Thats an elegant way to achieve what you want.

HTH,
-nik

p.s. Mind the burst parameter, seems huge value to me.


----- Original Message -----
From: mohican 542003
To: lartc@xxxxxxxxxxxxxxx
Sent: Wednesday, February 28, 2007 4:39 PM
Subject:  incoming traffic + iptable


Hello,

i try to use iptables to mark packet and then to filter them with tc. Here
is my script:
  iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j
MARK --set-mark 1
  tc qdisc add dev eth0 handle ffff: ingress
  tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police
rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1

I can not use u32 because i have several filter with more than one IP
address in each.

Packets seem to be well marked (command:  iptables -t mangle -L -vnx)
but packets are not filtered with tc.

Can someone help me ?

Thanks,

Olivier.




_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux