[LARTC] Trying to do some very simple ingress limiting, no success
Erik Slagter
erik at slagter.name
Sun Apr 9 15:09:34 CEST 2006
On Sun, 2006-04-09 at 14:00 +0100, Andy Furniss wrote:
> Erik Slagter wrote:
> > Hi,
> >
> > I am trying to do some simple ingress limiting based on fwmark. I know
> > the ability and sense to do INGRESS limiting is ehm... limited ;-) but
> > still I want to try it.
> >
> > I tried several things.
> >
> > === 1 ===
> >
> > tcq ingress handle ffff:
> > tcf parent ffff: protocol ip prio 1 handle 1 fw police rate 12mbit burst 10k drop
> > tcf parent ffff: protocol ip prio 1 handle 2 fw police rate 10mbit burst 10k drop
> > tcf parent ffff: protocol ip prio 1 handle 3 fw police rate 1mbit burst 10k drop
> >
> > This installs OK, but the filters are never called. The netfilter stats
> > show the marks are set though. To make sure it's not just the tc stats
> > output that's borked, I changed the bw limits to a ridiculously low value,
> > and indeed, no effect at all.
> >
> There are two policers now; the old one will work as you want, but you
> need to change your kernel config. Unselect packet action and you should
> be able to choose a different policer.

Found it and deselected it. Now making new kernel...
The "old" policer is marked as "obsolete", so I guess it will go away.
What am I supposed to replace it with, then?

> Or you could try using tc filters instead of netfilter - I don't know if
> it will be possible for what you want as I can't see the rules that mark.

It's probably possible, but I already have quite a large set of
netfilter rules. I don't want to make the whole thing even more
complicated by also adding lots of tc stuff, I'd rather have the
tc/iproute things as simple as possible.

> This has never worked if you want a queue on ingress you need to use IMQ
> (in the case that you need netfilter PREROUTING marks) or IFB (kernel >=
> 2.6.16) but this will hook before netfilter - so no marks.

For IMQ I need to patch the kernel (feasible) and the netfilter tools
(not feasible :-() I just learned.

And you're just telling me I cannot use IFB. Bummer. Anyway, if there is
any simple (!) way to implement what I am searching for, I am happy.
I will try your "old policer version" suggestion asap.

Thanks for your help.