[LARTC] 2 Questions on filtering incoming stuff
Ed Wildgoose
lists@wildgooses.com
Tue, 18 May 2004 07:54:19 +0100
Damion de Soto wrote:
> Hi Ed,
>
>> First is: Can I prioritise my "drops" on incoming traffic when the
>> link is overloaded, i.e. instead of just tail dropping, can I "prefer"
>> to drop certain classes of traffic? If so, do I do this by setting
>> up, say, a HTB tree like on the incoming, but the only action at the
>> leaf is to drop?
>
> You can't set up a HTB or any classful qdisc on incoming traffic, you
> can only create ingress policer filters. You can set up different
> filters with different priorities, to try and drop one particular type
> of traffic more so than others.
Thanks, this is helpful.
Thinking about it though, the different filter priorities aren't going
to help too much? E.g. if I want to accept ACKs, then incoming SMTP,
then other bulk downloads, then of course I can set up prioritised
"bands" by limiting some stuff more than others. But I don't think that
a simple priority system will let me accept up to full bandwidth of
each, but drop in a preferential order? (Or do you think simply
matching each with a 200Kb/s filter in priority order from highest to
lowest will do the trick?)
> If you're using a linux gateway onto your lan, then you can use a HTB
> qdisc on the outgoing (lan) interface which would do a better job.
Sure. Same problem for local traffic on that machine though.
However, can you apply filters to aliased IP addresses, i.e. the virtual
interfaces eth0:1? Do the filters only apply to the real interfaces
(which I think is true of iptables, for example)? This might also be
useful for setting up a bandwidth filter PC using only a single net card,
for example (assuming you don't worry about people bypassing it manually).
Thanks
Ed W
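The arrangement Damion describes (no classful qdisc on ingress, only policing filters with different priorities and rates) looks like the following in iproute2 `tc`. This is an added example, not code from either poster: the device name `eth0`, the rates, and the three traffic classes (small ACK-only TCP segments, incoming SMTP, everything else) are constructed to match Ed's question; the u32 match for ACK-only packets is the one used in the LARTC HOWTO. `TC_DRY_RUN=1` prints the commands instead of running them, so the script can be reviewed on a machine without root.

```shell
#!/bin/sh
# Added example (not from the thread): per-class ingress policing with tc.
# Assumes Linux with iproute2 tc. Device and rates are placeholders.
# Set TC_DRY_RUN=1 to print the tc commands instead of executing them.

tc_run() {
    if [ "${TC_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "tc $*"
    else
        tc "$@"
    fi
}

# ingress_policers DEV ACK_RATE SMTP_RATE BULK_RATE
# Installs the ingress qdisc and three policing filters. Lower prio
# numbers are consulted first, so a packet that matches more than one
# filter (an ACK-only segment also matches the catch-all) is metered by
# the first matching policer only.
ingress_policers() {
    dev=$1; ack=$2; smtp=$3; bulk=$4
    tc_run qdisc add dev "$dev" handle ffff: ingress
    # prio 1: TCP segments with only the ACK flag set and no payload
    # (IP header length 5, total length < 64, TCP flags byte == 0x10)
    tc_run filter add dev "$dev" parent ffff: protocol ip prio 1 u32 \
        match ip protocol 6 0xff \
        match u8 0x05 0x0f at 0 \
        match u16 0x0000 0xffc0 at 2 \
        match u8 0x10 0xff at 33 \
        police rate "$ack" burst 10k drop flowid :1
    # prio 2: incoming SMTP (TCP destination port 25)
    tc_run filter add dev "$dev" parent ffff: protocol ip prio 2 u32 \
        match ip protocol 6 0xff match ip dport 25 0xffff \
        police rate "$smtp" burst 10k drop flowid :2
    # prio 3: everything else (bulk downloads)
    tc_run filter add dev "$dev" parent ffff: protocol ip prio 3 u32 \
        match ip src 0.0.0.0/0 \
        police rate "$bulk" burst 10k drop flowid :3
}

# ingress_clear DEV: removes the ingress qdisc and all its filters
ingress_clear() {
    tc_run qdisc del dev "$1" ingress
}

# Usage (as root):  ingress_policers eth0 64kbit 200kbit 200kbit
# Review first:     TC_DRY_RUN=1 ingress_policers eth0 64kbit 200kbit 200kbit
```

Each `police` action has its own token bucket, so every class is limited independently to its own rate; the `prio` values only decide which filter a packet is tested against first. That is the "limiting some stuff more than others" arrangement Ed describes, and it does not by itself give a shared link-wide limit that drops the lower classes first. Checking what the kernel actually installed is done with `tc -s filter show dev eth0 parent ffff:`, whose per-filter counters also show which policer is dropping.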