[LARTC] incoming traffic + iptable

François Delawarde fdelawarde at wirelessmundi.com
Thu Mar 1 16:03:36 CET 2007


Hello,
I would need to be able to do that, as I think that iptables is more 
powerful for classifying traffic you want to police/shape. I don't 
really know tc yet, so could you tell me if it has the possibility of 
detecting:

- mac addresses
- ip tos/ttl values
- icmp types
- tcp/udp flags/ports or port ranges
- layer 7 protocols

Thanks for your help,
François.


Nikolay Kichukov wrote:
> Hello there,
> Why would you want to mark the packets with iptables in the first place for
> ingress shaping?
> Why not use the tc functionality to specify source and destination
> addresses and protocol types?
>
> I would suggest to leave iptables alone and get your hands on TC for doing
> traffic control ;-)
>
> So in your example:
>
>   tc qdisc add dev eth0 handle ffff: ingress
>   tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:
>
> That's an elegant way to achieve what you want.
>
> HTH,
> -nik
>
> P.S. Mind the burst parameter, it seems a huge value to me.
>
>
> ----- Original Message ----- 
> From: mohican 542003
> To: lartc at mailman.ds9a.nl
> Sent: Wednesday, February 28, 2007 4:39 PM
> Subject: [LARTC] incoming traffic + iptable
>
>
> Hello,
>
> I try to use iptables to mark packets and then to filter them with tc. Here
> is my script:
>   iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j MARK --set-mark 1
>   tc qdisc add dev eth0 handle ffff: ingress
>   tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1
>
> I cannot use u32 because I have several filters with more than one IP
> address in each.
>
> Packets seem to be well marked (command:  iptables -t mangle -L -vnx)
> but packets are not filtered with tc.
>
> Can someone help me?
>
> Thanks,
>
> Olivier.
>
>
>
>
> _______________________________________________
> LARTC mailing list
> LARTC at mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>   
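
For the case raised in the quoted messages (several source addresses under one ingress limit), here is an added example, not part of the thread, that prints one u32 filter per address with all of them bound to a single policer. The function name, policer index 1, the 15k burst and the second address are assumptions made for illustration; sharing relies on iproute2 accepting an index-only `police` clause to reference an existing policer.

```shell
#!/bin/sh
# Added example (not from the thread): ingress policing for a group of source
# addresses using u32 only, so no iptables mark is needed.
# Background: the ingress hook is processed before netfilter's mangle
# PREROUTING chain, so a MARK set there is not yet present when an ingress
# "fw" filter is evaluated.

# ingress_police_cmds DEV RATE BURST POLICER_INDEX IP...
# Prints the tc commands on stdout; nothing is executed by this function.
ingress_police_cmds() {
    dev=$1 rate=$2 burst=$3 idx=$4
    shift 4
    [ "$#" -gt 0 ] || { echo "need at least one source IP" >&2; return 1; }

    echo "tc qdisc add dev $dev handle ffff: ingress"

    first=1
    for ip in "$@"; do
        # Accept both bare addresses and CIDR prefixes.
        case $ip in
            */*) src=$ip ;;
            *)   src=$ip/32 ;;
        esac
        if [ "$first" -eq 1 ]; then
            # The first filter creates policer $idx with the rate and burst.
            police="police index $idx rate $rate burst $burst drop"
            first=0
        else
            # Later filters reference that policer by index (assumption noted
            # in the lead-in), so the whole group shares one rate limit
            # instead of getting one limit per address.
            police="police index $idx"
        fi
        echo "tc filter add dev $dev parent ffff: protocol ip prio 1 u32 match ip src $src $police flowid :1"
    done
}

# Constructed sample input: the address from the thread plus a made-up second one.
ingress_police_cmds eth0 10mbit 15k 1 172.28.54.41 172.28.54.42
```

Review the printed commands, then pipe them to `sh` as root to apply them; `tc -s filter show dev eth0 parent ffff:` shows the policer counters afterwards.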

