Hi all,

So, I've gotten a gist of a script going for my layer7 filters, but for some reason it's not rejecting the packets. Can someone give me a hand with this? (I know, the script is probably ugly as sin, but I've hacked it together from some misc stuff.)

source:
-----------------------------------
tc qdisc add dev $1 root handle 1: htb default 30
tc class add dev $1 parent 1: classid 1:1 htb rate 9mbit burst 15k

#set up three classes attached to the root
tc class add dev $1 parent 1:1 classid 1:10 htb rate 20kbit burst 15k
tc class add dev $1 parent 1:1 classid 1:20 htb rate 2mbit burst 15k
tc class add dev $1 parent 1:1 classid 1:30 htb rate 5mbit burst 15k

#make each of them use stochastic fairness queueing
tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $1 parent 1:30 handle 30: sfq perturb 10

tc filter add dev $1 protocol ip parent 1:0 prio 1 handle 1 layer7 protocol msnmessenger classid 1:10
tc filter add dev $1 protocol ip parent 1:0 prio 1 layer7 protocol smtp classid 1:20
tc filter add dev $1 protocol ip parent 1:0 prio 1 layer7 protocol ssh classid 1:30

iptables -A FORWARD -s 10.0.0.0/24 --match mark --mark 1 -j REJECT
-----------------------------------

Would the iptables rule have any effect whatsoever? I don't think so, but it would be nice.
Output of tc -s class show dev eth1
-----------------------------------------------------------------
class htb 1:1 root rate 9Mbit ceil 9Mbit burst 15334b cburst 12974b
 Sent 25012 bytes 287 pkts (dropped 0, overlimits 0)
 rate 2bps
 lended: 0 borrowed: 0 giants: 0
 tokens: 13 ctokens: 11

class htb 1:10 parent 1:1 leaf 10: prio 0 rate 20Kbit ceil 20Kbit burst 15Kb cburst 1623b
 Sent 8625 bytes 116 pkts (dropped 0, overlimits 0)
 rate 1bps
 lended: 116 borrowed: 0 giants: 0
 tokens: 5975 ctokens: 609

class htb 1:20 parent 1:1 leaf 20: prio 0 rate 2Mbit ceil 2Mbit burst 15204b cburst 4194b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 58 ctokens: 16

class htb 1:30 parent 1:1 leaf 30: prio 0 rate 5Mbit ceil 5Mbit burst 15072b cburst 7863b
 Sent 16387 bytes 171 pkts (dropped 0, overlimits 0)
 rate 1bps
 lended: 171 borrowed: 0 giants: 0
 tokens: 23 ctokens: 12
-----------------------------------------------------------------

So, 1:10 is getting data passed through it, but I can't figure out a way to attach a policing filter that just drops them all into oblivion. Any help is muy appreciated.

Derek
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Hi

> So, 1:10 is getting data passed through it, but I can't figure out a way to
> attach a policing filter that just drops them all into oblivion.

tc filter add dev $DEV parent ffff: \
  protocol ip prio 20 \
  u32 match ip protocol 1 0xff \
  police mtu 1 drop \
  flowid :1

Drops all packets with a length > 1 byte, which is probably what you want.

Regards,
--
Thomas GRAF
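The reply above attaches the policer to the ingress qdisc (ffff:) with a u32 match on IP protocol 1, so it drops every incoming ICMP packet rather than just what lands in class 1:10. The script below is an added example, not code from the thread: it rebuilds the HTB tree from the first post and puts the same `police mtu 1 drop` clause on the egress layer7 filter for the protocol that should be blackholed, so only that match is dropped while the other filters keep classifying normally. Two things are assumed and labelled as such: that the layer7 tc classifier from the l7-filter patch accepts a trailing `police` clause the way the stock classifiers do (not verified here), and that the device and protocol names (eth1, msnmessenger, smtp, ssh) are the ones from the post. The `TC` variable can be set to `echo` to print the generated commands instead of running them, which is how the commands can be checked without root. Note also that nothing in the original script sets an nfmark: tc classification into a class does not write the packet mark, so an `iptables ... --match mark --mark 1` rule never matches unless a MARK target (or equivalent) sets mark 1 first.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Assumptions (labelled):
#  - the layer7 tc classifier accepts a trailing 'police' clause like the
#    stock u32/fw classifiers do (unverified here);
#  - device and protocol names come from the original post (eth1,
#    msnmessenger, smtp, ssh).
# TC may be overridden (TC=echo) to print the commands instead of running them.
TC="${TC:-tc}"

# Root HTB with default class 1:30, three leaf classes, SFQ under each leaf.
shaper_tree() {
    dev="$1"
    $TC qdisc add dev "$dev" root handle 1: htb default 30
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate 9mbit burst 15k
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate 20kbit burst 15k
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate 2mbit burst 15k
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate 5mbit burst 15k
    for leaf in 10 20 30; do
        $TC qdisc add dev "$dev" parent 1:$leaf handle $leaf: sfq perturb 10
    done
}

# Steer a layer7-matched protocol into a class (shape it, do not drop it).
shaper_classify() {
    dev="$1"; proto="$2"; cls="$3"
    $TC filter add dev "$dev" protocol ip parent 1:0 prio 1 \
        layer7 protocol "$proto" flowid "$cls"
}

# Drop everything a layer7 match hits: with the policer's mtu set to 1 byte
# every real packet exceeds it, and the exceed action is 'drop'. This is the
# ffff: ingress trick from the reply, moved onto the egress HTB filter so
# only the matched protocol is affected instead of all ICMP.
shaper_blackhole() {
    dev="$1"; proto="$2"; cls="$3"
    $TC filter add dev "$dev" protocol ip parent 1:0 prio 1 \
        layer7 protocol "$proto" police mtu 1 drop flowid "$cls"
}

# Show filter statistics so the policer's drop counter can be checked.
shaper_show() {
    $TC -s filter show dev "$1" parent 1:0
}

# Apply the whole policy: blackhole msnmessenger, shape smtp and ssh.
shaper_apply() {
    shaper_tree "$1"
    shaper_blackhole "$1" msnmessenger 1:10
    shaper_classify "$1" smtp 1:20
    shaper_classify "$1" ssh 1:30
}

# Run only when a device is named, e.g.  SHAPER_DEV=eth1 sh shaper.sh
if [ -n "${SHAPER_DEV:-}" ]; then
    shaper_apply "$SHAPER_DEV"
fi
```

Run `TC=echo SHAPER_DEV=eth1 sh shaper.sh` first to review the generated tc commands; after applying for real, `shaper_show eth1` should show the policer's drop counter climbing for the blackholed filter while the 1:10 class's own "Sent" counter stays flat.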
Ah, duh, I probably should stop looking at things prior to my morning Starbucks intake. Much obliged, though, that's exactly what I was looking for.

Thanks!
Derek

On Friday 26 September 2003 09:44 am, Thomas Graf wrote:
> > So, by the looks of things, that is going to drop all of the packets,
> > not just class 1:10? or am I mistaken?
>
> It actually drops all incoming icmp packets. It's just an
> example of how to use policer to drop all packets.
Heh, I'm attempting to get it to work... I'm just not sure how I can/if I can combine two filters together, or at least attach them to the same class... I guess the ideal solution would be a sub-filter of a filter, or maybe attaching a filter to another filter, but that's probably a little blasphemous. I really want to be able to do this without hacking the kernel source. It's probably much easier to get an lartc patch committed than a kernel one.

Right now, I'm using 2.5.75 w/ the layer7 patch to try it out, but as soon as I finish my backports of the new layer7 patches to 2.4, I'll give 2.4 a shot. (2.6 is awesome, but I kept getting panics when using tc to shape with a pre-empt enabled kernel.)

If you come up with anything, let me know, otherwise I'll post to the list when/if I get it working :)

Thanks,
Derek

On Friday 26 September 2003 10:11 am, you wrote:
> > > > So, by the looks of things, that is going to drop all of the
> > > > packets, not just class 1:10? or am I mistaken?
> > >
> > > It actually drops all incoming icmp packets. It's just an
> > > example of how to use policer to drop all packets.
> >
> > Ah, duh, I probably should stop looking at things prior to my morning
> > Starbucks intake. Much obliged, though, that's exactly what I was looking
> > for.
>
> Have you managed to use the layer7 filter to block things, then? I still
> haven't, even given that example code. (It's rather frustrating that the
> kernel hacking part of this is _easier_ than actually controlling it with
> tc...) If you have, I'd like to see how you did it.
>
> -matthew