rv wrote:
> Hi -
>
> I'm trying to set a limit to the download speed available to specific
> clients on my LAN. I've had some success using lines like
>
> run_tc qdisc add dev eth0 handle ffff: ingress
> run_tc filter add dev eth0 parent ffff: protocol \
> ip prio 50 u32 match ip dst a.b.c.d \
> police rate 100kbit burst 10k drop flowid :1
>
> in my tcstart file, which is based on wondershaper. eth0 is my external
> interface.
>
> I'd like to do this using fwmark, so I've changed the second line to read
>
> run_tc filter add dev eth0 parent ffff: protocol \
> ip prio 50 handle 10 fw \
> police rate 100kbit burst 10k drop flowid :1
>
> and mark the relevant traffic with 10 in tcrules (the specified hosts are
> behind NAT, and MARK_IN_FORWARD_CHAIN=Yes). However, this doesn't seem to
> limit anything; I've tried different combinations of src/dst (even 0.0.0.0/0
> everywhere, any protocol, any port) in tcrules to no avail.
> Have you got any suggestions beyond reading the LARTC once again ;-)
>
Ingress policing takes place before iptables ever sees the packets.
Stick to your first method.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
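The u32-based ingress policer the reply recommends, written up as a small tcstart-style helper that generates one filter per host from a list. This is an added example, not code from the thread or from Shorewall; it assumes eth0 is the external interface, and the hosts and rates are constructed sample values.

```shell
#!/bin/sh
# Per-host ingress policing with u32 matches. The ingress qdisc runs
# before iptables (and before NAT), so an fw mark set in tcrules is not
# present yet and a "handle N fw" filter never matches; match on the
# address as it appears on the external interface instead.
# Commands are printed unless APPLY=1 (applying needs root and the device).

EXT_IF=${EXT_IF:-eth0}   # assumption: eth0 is the external interface

# Emit the command that attaches the ingress qdisc to device $1.
ingress_qdisc_cmd() {
    printf 'tc qdisc add dev %s handle ffff: ingress\n' "$1"
}

# Emit the u32 policing filter for traffic to host $2 on device $1,
# limited to rate $3 with burst $4. Rejects values tc would not parse.
police_cmd() {
    dev=$1; host=$2; rate=$3; burst=$4
    printf '%s\n' "$rate" | grep -Eq '^[0-9]+[kmg]?bit$' || {
        echo "police_cmd: bad rate '$rate' (want e.g. 100kbit)" >&2; return 1; }
    printf '%s\n' "$burst" | grep -Eq '^[0-9]+[km]?b?$' || {
        echo "police_cmd: bad burst '$burst' (want e.g. 10k)" >&2; return 1; }
    printf 'tc filter add dev %s parent ffff: protocol ip prio 50 u32 match ip dst %s police rate %s burst %s drop flowid :1\n' \
        "$dev" "$host" "$rate" "$burst"
}

# Print a command, or execute it when APPLY=1.
run_cmd() {
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$1"; else echo "$1"; fi
}

# Constructed sample list: host (as seen on EXT_IF), rate, burst.
LIMITS="203.0.113.5:100kbit:10k
203.0.113.6:512kbit:20k"

main() {
    run_cmd "$(ingress_qdisc_cmd "$EXT_IF")"
    echo "$LIMITS" | while IFS=: read -r host rate burst; do
        cmd=$(police_cmd "$EXT_IF" "$host" "$rate" "$burst") || exit 1
        run_cmd "$cmd"
    done
}

main
```

Run it once without APPLY to review the generated tc lines, then with APPLY=1 (or paste the lines into tcstart) to install the policers.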