Corey Rogers
2003-Feb-10 16:27 UTC
Matching multiple destination IPs in the ingress queue.
I've been trying to match multiple public IPs in an ingress qdisc. The idea is to allow these specific IPs and aggregate value of 256 kbits incoming to the interface.

Can anyone tell me how this can be effectively done if at all possible with tc?

Thanks in advance

--
Corey Rogers <jrog@sunbeach.net>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Matthew Crocker
2003-Feb-10 16:29 UTC
Re: Matching multiple destination IPs in the ingress queue.
On Mon, 2003-02-10 at 11:27, Corey Rogers wrote:
> I've been trying to match multiple public IPs in an ingress qdisc. The
> idea is to allow these specific IPs and aggregate value of 256 kbits
> incoming to the interface.
>
> Can anyone tell me how this can be effectively done if at all possible
> with tc?
>

Use iptables rules to fwmark the inbound packets, then create tc rules to match packets with that fwmark.

To mark packets:

    iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp -s 1.2.3.4/32 -d 0.0.0.0/0 --dport 25 -j MARK --set-mark 3

You can set the iptables match stuff to whatever you want. I, for example, match inbound SYN packets going to port 25 of my mail server with:

    iptables -t mangle -A PREROUTING -d mail.acme.com -i eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x2

Create the tc filter to match the fwmark and police it:

    /sbin/tc filter add dev eth0 protocol ip parent ffff: pref 10 handle 2 fw police rate 8kbit burst 1kbit drop

This should drop every SYN going to my mail server > 8kbps

8kbps = about 25 SYN/second

-Matt

> Thanks in advance

--
Matthew S. Crocker
Crocker Communications, Inc. / Vice President
PO BOX 710 Greenfield, MA 01302-0710
Voice: 413-746-2760
Fax: 413-746-3704
Web: http://www.crocker.com
E-mail: matthew@crocker.com
GPG Public Key: www.keyserver.net
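
The reply's mark-then-police approach applied to the original question (several destination IPs sharing one 256 kbit aggregate), as an added example that is not part of either post. The interface eth0, mark 3, the 10k burst and the 192.0.2.x addresses are constructed assumptions, and it assumes, as the reply does, that the PREROUTING mark is already set when the ingress filter runs and that the ingress qdisc still has to be created.

```shell
#!/bin/sh
# Added example: print (never execute) the iptables/tc commands that give
# several destination IPs one shared fwmark and one aggregate ingress policer.

# Accept only dotted-quad IPv4 so a list entry cannot smuggle extra arguments.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# emit_rules DEV MARK RATE BURST IP...
emit_rules() {
    dev=$1 mark=$2 rate=$3 burst=$4
    shift 4
    [ "$#" -gt 0 ] || { echo "no destination IPs given" >&2; return 1; }
    # Validate the whole list first so a bad entry yields no partial ruleset.
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "rejected: $ip" >&2; return 1; }
    done
    # Every listed destination gets the same mark, so all share one policer.
    for ip in "$@"; do
        echo "iptables -t mangle -A PREROUTING -i $dev -d $ip/32 -j MARK --set-mark $mark"
    done
    # Ingress qdisc (handle ffff:) that the fw filter attaches to.
    echo "tc qdisc add dev $dev handle ffff: ingress"
    # One fw filter on the shared mark: traffic above the rate is dropped.
    echo "tc filter add dev $dev protocol ip parent ffff: pref 10 handle $mark fw police rate $rate burst $burst drop"
}

# Constructed sample input (documentation address range).
emit_rules eth0 3 256kbit 10k 192.0.2.10 192.0.2.11 192.0.2.12
```

Review the printed commands before running them as root; packets to addresses not in the list carry no mark and are not policed by this filter.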