Hi Pablo,

based on this rule:

table inet nft-qos-static {
        set limit_ul {
                typeof ip saddr
                flags dynamic
        }
        set limit_dl {
                typeof ip daddr
                flags dynamic
        }
        chain download {
                type filter hook postrouting priority filter; policy accept;
                ip daddr @limit_dl drop
        }
        chain upload {
                type filter hook prerouting priority filter ; policy accept;
                ip saddr @limit_ul drop;
        }
        flowtable fastnat {
                hook ingress priority filter; devices = { eth0, eth1 };
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp , udp } flow offload @fastnat;
        }
}

where to set this, please help.

> On 24 Mar 2022, at 14:20, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Thu, Mar 24, 2022 at 02:09:25PM +0200, Martin Zaharinov wrote:
>> One more update
>>
>> I try to make rule for limiter in offload mode :
>>
>> table inet nft-qos-static {
>>         set limit_ul {
>>                 typeof ip saddr
>>                 flags dynamic
>>         }
>>         set limit_dl {
>>                 typeof ip daddr
>>                 flags dynamic
>>         }
>>
>>         chain upload {
>>                 type filter hook prerouting priority filter ; policy accept;
>>                 ip saddr @limit_ul drop;
>>         }
>>
>>         chain download {
>>                 type filter hook postrouting priority filter; policy accept;
>>                 ip daddr @limit_dl drop;
>>
>>         }
>>         flowtable fastnat {
>>                 hook ingress priority filter; devices = { eth0, eth1 };
>>         }
>>         chain forward {
>>                 type filter hook forward priority filter; policy accept;
>>                 ip protocol { tcp , udp } flow offload @fastnat;
>>         }
>> }
>>
>> it's not work perfect, only upload limit work, download get full channel
>>
>> in test I set 100mbit up/down, upload is stay on ~100mbit, but download up to 250-300mbit (I have this limit by my ISP).
>>
>> the problem is limiter work only for Upload, is it possible to make work on download rule ?
>
> If you want to combine ratelimit/policing with flowtable, then you
> have to use the ingress and egress hooks, not prerouting and
> postrouting.
>
> Make sure you place the flowtable in a priority that comes after the
> priority of your ingress hook.
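
A sketch of the layout Pablo describes, as an added example that is not part of the original thread and not either poster's own ruleset: the two drop rules move from prerouting/postrouting to netdev ingress and egress chains, and the ingress chain gets a lower priority value than the flowtable so it is evaluated first. Assumptions: eth0 is the client-facing interface, the kernel and nft build support the netdev egress hook, and the table name fastpath is hypothetical.

```nft
# Added example. Policing lives in a netdev table because the egress
# hook is only available in the netdev family. Sets are per-table, so
# whatever populates limit_ul / limit_dl must now reference this table.
table netdev nft-qos-static {
        set limit_ul {
                typeof ip saddr
                flags dynamic
        }
        set limit_dl {
                typeof ip daddr
                flags dynamic
        }

        # Upload: packets from clients arrive on eth0 (assumed LAN side).
        # Priority -10 sorts before the flowtable's "filter" (0), so this
        # chain sees offloaded flows before the fast path takes them.
        chain upload {
                type filter hook ingress device "eth0" priority -10; policy accept;
                ip saddr @limit_ul drop
        }

        # Download: packets to clients leave through eth0, after any
        # NAT rewrite, so daddr is the client address here.
        chain download {
                type filter hook egress device "eth0" priority filter; policy accept;
                ip daddr @limit_dl drop
        }
}

# The flowtable and the rule that offloads flows stay in an inet table.
table inet fastpath {
        flowtable fastnat {
                hook ingress priority filter; devices = { eth0, eth1 };
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp, udp } flow offload @fastnat
        }
}
```

Once a flow is offloaded its packets skip prerouting and postrouting, so rules on those hooks stop seeing them; the ingress and egress hooks sit at the device boundary, which is the placement the reply calls for.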