From: "François Delawarde" <fdelawarde@wirelessmundi.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] incoming traffic + iptable
Date: Thu, 01 Mar 2007 15:03:36 +0000
Message-ID: <45E6EB48.5060700@wirelessmundi.com>
In-Reply-To: <519f77360702280639r6a40361ejc2c57801da55d4eb@mail.gmail.com>

Hello,
I would need to be able to do that, as I think that iptables is more 
powerful for classifying traffic you want to police/shape. I don't 
really know tc yet, so could you tell me if it has the possibility of 
detecting:

- mac addresses
- ip tos/ttl values
- icmp types
- tcp/udp flags/ports or port ranges
- layer 7 protocols

Thanks for help,
François.


Nikolay Kichukov wrote:
> Hello there,
> Why would you want to mark the packets with iptables in the first place for
> ingress shaping?
> Why not use the tc functionality to specify source and destination
> addresses and protocol types?
>
> I would suggest to leave iptables alone and get your hands on TC for doing
> traffic control ;-)
>
> So in your example:
>
>   tc qdisc add dev eth0 handle ffff: ingress
>   tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 \
>     police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:
>
> That's an elegant way to achieve what you want.
>
> HTH,
> -nik
>
> P.S. Mind the burst parameter, seems a huge value to me.
>
>
> ----- Original Message ----- 
> From: mohican 542003
> To: lartc@mailman.ds9a.nl
> Sent: Wednesday, February 28, 2007 4:39 PM
> Subject: [LARTC] incoming traffic + iptable
>
>
> Hello,
>
> I try to use iptables to mark packets and then to filter them with tc. Here
> is my script:
>   iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j MARK --set-mark 1
>   tc qdisc add dev eth0 handle ffff: ingress
>   tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw \
>     police rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1
>
> I cannot use u32 because I have several filters with more than one IP
> address in each.
>
> Packets seem to be well marked (command:  iptables -t mangle -L -vnx)
> but packets are not filtered with tc.
>
> Can someone help me ?
>
> Thanks,
>
> Olivier.
>
>
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc