Hi
My ingress policies _seems_ to work but the statistics are somwhat strange:
When sending only 4 SYN packets, they are passed and counted in neither
"dropped" nor "overlimit". When sending 40 SYN packets they
are also
only show up in "overlimits" and not "dropped" although they
should be
above the (testing) values I''ve choosen! Why?
I also wonder why the counters at the ingress qdisc never increase?
I''m using linux kernel 2.4.18 with IMQ patch (IMQ not enabled).
thanks,
-christian-
--- qdisc ---
qdisc ingress ffff: dev eth0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
--- filter ---
filter protocol ip pref 49152 fw
filter protocol ip pref 49152 fw handle 0x14 classid :1 police 28 action
drop rate 200bps burst 159b mtu 320b peakrate 400bps
Sent 1920 bytes 48 pkts (dropped 0, overlimits 33)
----------------------------------------------------------------------------
$TC qdisc add \
dev eth0 \
handle ffff: \
ingress
# testing with 40byte tcp syn packets
# rate: 5 SYN packets = 200 bytes/s = 1600 bit/s
# peak: 10 SYN packets = 400 bytes/s = 3200 bit/s
$TC filter add \
dev eth0 \
protocol ip \
parent ffff: \
handle 20 \
fw \
police \
rate 1600 burst 160 \
peakrate 3200 mtu 320 \
drop \
classid :1
# tag all incoming SYN packets through eth0 as mark value 20.
# (20 is an arbitrary number)
$IPT -A PREROUTING -t mangle -i eth0 -p tcp --syn -j MARK --set-mark 20
--
Christian Hammers WESTEND GmbH - Aachen und Dueren Tel 0241/701333-0
ch@westend.com Internet & Security for Professionals Fax 0241/911879
WESTEND ist CISCO Systems Partner - Authorized Reseller
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/