Glad that helped. You may want to share the knowledge with the others so I am CCing the list. Just in case someone else is or will be having the same questions.

-nik

----- Original Message -----
From: mohican 542003
To: Nikolay Kichukov
Sent: Friday, March 02, 2007 4:47 PM
Subject: Re: incoming traffic + iptable

Hello,

Thank you very much. I tried it and it works very well.

My script is:

    tc qdisc del dev eth0 ingress
    tc qdisc add dev eth0 handle ffff: ingress
    tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.24.11.14 police index 1 rate 15000kbit burst 15000kbit drop flowid :5002
    tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.24.16.11 police index 1 rate 15000kbit burst 15000kbit drop flowid :5002
    tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.24.100.2 police index 2 rate 15000kbit burst 15000kbit drop flowid :5002

172.24.11.14 and 172.24.16.11 share 15000kbit for incoming traffic and 172.24.100.2 can receive at 15000kbit.

Regards.
Olivier.

2007/3/2, Nikolay Kichukov <hijacker@xxxxxxxxx>:

Hello,

I used to be wondering the same thing some time ago and also asked the list for help. The answer was that I could use the index option to achieve that.

    tc filter add ... police index 1 ...
    tc filter add ... police index 1 ...
    tc filter add ... police index 1 ...
    tc filter add ... police index 1 ...

So all your rules should have the index parameter and thus the consumed bandwidth will be calculated for all the IPs.

However, I could not verify that this is actually working. Currently I am not using it; I just tried it once, but did not have time to do measures and calculations. So I cannot confirm if that actually solves the problem you have.

Maybe you can give it a try and let me and the list know if that works as expected?

-nik

----- Original Message -----
From: mohican 542003
To: Nikolay Kichukov
Sent: Thursday, March 01, 2007 9:45 AM
Subject: Re: incoming traffic + iptable

Hello,

I would like something like:

    tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 match ip src 172.28.54.45/32 match ip src 172.28.54.54/32 match ip src 172.28.54.80/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:

with several IP addresses (not consecutive).

The only way to do this seems to be with iptables to mark packets?

Thanks,
Olivier.

2007/3/1, Nikolay Kichukov <hijacker@xxxxxxxxx>:

Hello there,

Why would you want to mark the packets with iptables in the first place for ingress shaping? Why don't you use the tc functionality to specify source and destination addresses and protocol types? I would suggest leaving iptables alone and getting your hands on TC for doing traffic control ;-)

So in your example:

    tc qdisc add dev eth0 handle ffff: ingress
    tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:

That's an elegant way to achieve what you want.

HTH,
-nik

p.s. Mind the burst parameter, seems a huge value to me.

----- Original Message -----
From: mohican 542003
To: lartc@xxxxxxxxxxxxxxx
Sent: Wednesday, February 28, 2007 4:39 PM
Subject: incoming traffic + iptable

Hello,

I try to use iptables to mark packets and then to filter them with tc.

Here is my script:

    iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j MARK --set-mark 1
    tc qdisc add dev eth0 handle ffff: ingress
    tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1

I cannot use u32 because I have several filters with more than one IP address in each.

Packets seem to be well marked (command: iptables -t mangle -L -vnx) but packets are not filtered with tc.

Can someone help me?

Thanks,
Olivier.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
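
The shared-policer approach from the thread (several `tc filter` rules pointing at the same `police index`), as an added example that is not part of the original messages: a dry-run generator that prints the ingress commands for groups of non-consecutive source addresses and rejects malformed ones. The `GROUPS_TABLE` layout, the `DEV` variable, the function names and the `flowid :1` value are assumptions made for illustration; the addresses and rates are the ones from Olivier's script.

```shell
#!/bin/sh
# Added example: every source IP in a group is bound to one shared policer.
# DEV and the table format are assumptions; nothing here runs tc itself.
DEV="${DEV:-eth0}"

# Constructed table, one group per line: "<police index> <rate> <burst> <ip>..."
GROUPS_TABLE='1 15000kbit 15000kbit 172.24.11.14 172.24.16.11
2 15000kbit 15000kbit 172.24.100.2'

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the tc commands for the whole table; non-zero status on a bad address.
gen_ingress_policers() {
    printf 'tc qdisc del dev %s ingress 2>/dev/null || true\n' "$DEV"
    printf 'tc qdisc add dev %s handle ffff: ingress\n' "$DEV"
    printf '%s\n' "$GROUPS_TABLE" | while read -r index rate burst ips; do
        [ -n "$index" ] || continue
        for ip in $ips; do
            valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; exit 1; }
            printf 'tc filter add dev %s parent ffff: protocol ip prio 1 u32 match ip src %s police index %s rate %s burst %s drop flowid :1\n' \
                "$DEV" "$ip" "$index" "$rate" "$burst"
        done
    done
}

# Dry run: print the commands for review instead of executing them.
gen_ingress_policers
```

Pipe the output to `sh` as root to apply it; `tc -s filter show dev eth0 parent ffff:` then shows the policer counters attached to each filter, which is one way to check that the grouped addresses are being policed together.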