Hi there, i''m running a firewalling bridge with the following config: Dual Athlon MP, 512MB RAM 3 ethernet interfaces (eth0=3com 3c905B; eth1=Intel Ethernet Pro 100; eth2=Realtek RTL8139) Kernel 2.4.21 from kernel.org HTB kernel part version 3.12 iptables 1.2.8 pom-20030710 (list of applied patches available on request) The setup: I''ve created a bridging interface (br0) that uses eth0 and eth2 as ports. eth1 is for administration only. The following QoS config is applied: tc qdisc add dev eth0 root handle 1:0 htb default 10 tc qdisc add dev eth2 root handle 2:0 htb default 10 tc class add dev eth0 parent 1:0 classid 1:1 htb rate 102400kbit ceil 102400kbit quantum 20000 tc class add dev eth0 parent 1:1 classid 1:10 htb rate 102380kbit ceil 102400kbit prio 3 quantum 20000 tc class add dev eth0 parent 1:1 classid 1:12 htb rate 20kbit ceil 100kbit prio 5 quantum 2000 tc class add dev eth2 parent 2:0 classid 2:2 htb rate 102400kbit ceil 102400kbit quantum 20000 tc class add dev eth2 parent 2:2 classid 2:10 htb rate 102380kbit ceil 102400kbit prio 3 quantum 20000 tc class add dev eth2 parent 2:2 classid 2:12 htb rate 20kbit ceil 100kbit prio 5 quantum 2000 After that I use a couple of iptables rules that identify p2p-traffic and put a mark on the whole connection: iptables -A FORWARD -t mangle -p tcp -j CONNMARK --restore-mark iptables -A FORWARD -t mangle -p tcp -m mark ! --mark 0 -j ACCEPT iptables -A FORWARD -t mangle -p tcp -m ipp2p --ipp2p -j MARK --set-mark 22 iptables -A FORWARD -t mangle -p tcp -m mark --mark 22 -j CONNMARK --save-mark Finally I classify marked packets to the existing HTB classes (and do some logging): 1# iptables -A POSTROUTING -t mangle -o eth0 -m mark --mark 22 -j CLASSIFY --set-class 1:12 2# iptables -A POSTROUTING -t mangle -o eth0 -j ACCEPT 3# iptables -A POSTROUTING -t mangle -o eth2 -m mark --mark 22 -j CLASSIFY --set-class 2:12 4# iptables -A POSTROUTING -t mangle -o eth2 -j ACCEPT This setup works almost perfect but when I calculate the used bandwidth per second for class 1:12 it is slightly above the given limit of 100kbits. I counted the bytes for 24 hours for rule 1# and calculated the average transfer rate per second and came to something near 123,3 kbit/sec. After that I did another 24h test using rate 20kbit and ceil 50kbit for classes 1:12 & 2:12 and calculated the average throughput again. I came up to 61,3kbit/sec. If compare these results this heavily stressed class is in both tests 23% above the given ceil. For class 2:12 the limit is meet (49,1 kbit/sec in test 2) but this class is not as stressed as 1:12 is. Can you help me out on this? I don''t believe it''s wanted that way, is it? Cheers, Mike -- COMPUTERBILD 15/03: Premium-e-mail-Dienste im Test -------------------------------------------------- 1. GMX TopMail - Platz 1 und Testsieger! 2. GMX ProMail - Platz 2 und Preis-Qualitätssieger! 3. Arcor - 4. web.de - 5. T-Online - 6. freenet.de - 7. daybyday - 8. e-Post _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/