[LARTC] Policing based on port numbers
Andy Furniss
lists at andyfurniss.entadsl.com
Wed Apr 11 21:28:29 CEST 2007
Shuveb Hussain wrote:
> Hi,
>
> I'm trying to police ingress traffic based on port numbers and IP
> addresses. The u32 match based on IP addresses seems to work without
> issues and I am able to police incoming packets. However, the same
> isn't working with u32 matches based on TCP port numbers. For port
> numbers, I added exactly one 'u32 match' rule:
>
> common for both:
> # tc qdisc add dev eth0 handle ffff: ingress
>
> And then:
>
> # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 128kbit burst 10k drop flowid :1
>
> The rule above works, but the same with a port match does not:
>
> # tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match tcp dport 0xXYZ 0xFFFF police rate 128kbit burst 10k drop flowid :1
>
> Is there anything I am missing?
I've never managed to find a way to use the word tcp in a filter without
getting an illegal match - I know it's in the help.
If you want to match tcp use the ip protocol match
tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip dport 0xXYZ 0xFFFF match ip protocol 0x06 0xff police .....
Andy.
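As an added example, not code from Andy's reply or from the LARTC thread, here is a small POSIX shell script that builds the ingress policing commands in the form Andy describes: the transport protocol is selected with `match ip protocol` (byte 9 of the IPv4 header) and the port with `match ip dport`, instead of the `tcp` keyword. It validates the port, accepts tcp or udp, and also emits the equivalent raw u32 selectors so the offsets are visible. The device eth0, port 80 and rate 128kbit are assumed placeholder defaults; the raw offsets assume a 20-byte IPv4 header with no options.

```shell
#!/bin/sh
# Added example, not code from the LARTC thread. It generates the ingress
# policing commands from Andy's reply, matching the transport protocol with
# "match ip protocol" (IPv4 header byte 9) instead of the "tcp" keyword.
# Assumptions: device eth0, port 80 and rate 128kbit are placeholder
# defaults; offsets assume a 20-byte IPv4 header (no IP options).

# Map a transport protocol name to the IPv4 protocol number tc expects.
proto_num() {
    case "$1" in
        tcp|TCP) echo 0x06 ;;
        udp|UDP) echo 0x11 ;;
        *) echo "unsupported protocol: $1" >&2; return 1 ;;
    esac
}

# Accept only a decimal port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Filter in the form that works: "ip protocol" plus "ip dport".
# Usage: police_filter_cmd DEV PROTO PORT RATE
police_filter_cmd() {
    valid_port "$3" || { echo "bad port: $3" >&2; return 1; }
    pn=$(proto_num "$2") || return 1
    printf 'tc filter add dev %s parent ffff: protocol ip prio 50 u32 match ip protocol %s 0xff match ip dport %s 0xffff police rate %s burst 10k drop flowid :1\n' \
        "$1" "$pn" "$3" "$4"
}

# The same filter as raw u32 selectors, which is what the "ip" keywords
# expand to: the protocol byte sits at offset 9 and the destination port
# is the 16-bit word at offset 22 (20-byte IP header + 2).
police_filter_raw_cmd() {
    valid_port "$3" || { echo "bad port: $3" >&2; return 1; }
    pn=$(proto_num "$2") || return 1
    printf 'tc filter add dev %s parent ffff: protocol ip prio 50 u32 match u8 %s 0xff at 9 match u16 %s 0xffff at 22 police rate %s burst 10k drop flowid :1\n' \
        "$1" "$pn" "$3" "$4"
}

# Print the qdisc and filter commands; with APPLY=1 (as root) run them.
setup_ingress_policing() {
    qdisc_cmd="tc qdisc add dev $1 handle ffff: ingress"
    filter_cmd=$(police_filter_cmd "$1" "$2" "$3" "$4") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        # Word splitting is intended; no argument contains whitespace.
        $qdisc_cmd && $filter_cmd
    else
        echo "$qdisc_cmd"
        echo "$filter_cmd"
    fi
}

setup_ingress_policing "${DEV:-eth0}" "${PROTO:-tcp}" "${PORT:-80}" "${RATE:-128kbit}"
```

Run as-is the script only prints the two commands; set `APPLY=1` and run it as root to install them. Because `ip dport` reads the 16-bit word at a fixed offset of 22 bytes from the start of the IP header, a packet carrying IP options would have its port read from the wrong bytes; adding `match ip ihl 5 0xf` to the filter restricts it to option-less packets if that matters for your policy.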