From mboxrd@z Thu Jan 1 00:00:00 1970
From: François Delawarde
Date: Thu, 01 Mar 2007 15:03:36 +0000
Subject: Re: [LARTC] incoming traffic + iptable
Message-Id: <45E6EB48.5060700@wirelessmundi.com>
List-Id:
References: <519f77360702280639r6a40361ejc2c57801da55d4eb@mail.gmail.com>
In-Reply-To: <519f77360702280639r6a40361ejc2c57801da55d4eb@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

Hello,

I would need to be able to do that, as I think that iptables is more
powerful for classifying traffic you want to police/shape. I don't
really know tc yet, so could you tell if it has the possibility of
detecting:
- mac addresses
- ip tos/ttl values
- icmp types
- tcp/udp flags/ports or port ranges
- layer 7 protocols

Thanks for help,
François.

Nikolay Kichukov wrote:
> Hello there,
> Why would you want to mark the packets with iptables in the first place for
> ingress shaping?
> Why don't use the tc functionality to specify source and destination
> addresses and protocol types?
>
> I would suggest to leave iptables alone and get your hand on TC for doing
> traffic control ;-)
>
> So in your example:
>
> tc qdisc add dev eth0 handle ffff: ingress
> tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:
>
> That's an elegant way to achieve what you want.
>
> HTH,
> -nik
>
> p.s. Mind the burst parameter, seems huge value to me.
>
>
> ----- Original Message -----
> From: mohican 542003
> To: lartc@mailman.ds9a.nl
> Sent: Wednesday, February 28, 2007 4:39 PM
> Subject: [LARTC] incoming traffic + iptable
>
>
> Hello,
>
> I try to use iptables to mark packet and then to filter them with tc. Here
> is my script:
> iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j MARK --set-mark 1
> tc qdisc add dev eth0 handle ffff: ingress
> tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1
>
> I cannot use u32 because I have several filters with more than one IP
> address in each.
>
> Packets seem to be well marked (command: iptables -t mangle -L -vnx)
> but packets are not filtered with tc.
>
> Can someone help me?
>
> Thanks,
>
> Olivier.
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc