Hi, what is needed to activate ingress policies for enterprise server 9! My current loaded modules: in the attachments my kernel: Linux linux 2.6.5-7.97-smp #1 SMP Fri Jul 2 14:21:59 UTC 2004 i686 i686 i386 GNU/Linux So you can see the module sch_ingress is loaded and also the package iprout2 is installed. I have set also a filter for ingress policies but i don`t think it is working, because i have never dropped packages: tc qdisc add dev eth0 ingress tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1kbit mtu 1 drop flowid :1 # tc -s qdisc ls dev eth0 qdisc ingress ffff: Sent 83463 bytes 1002 pkts (dropped 0, overlimits 0) qdisc pfifo_fast 0: [Unknown qdisc, optlen=20] Sent 316975056 bytes 1093222 pkts (dropped 0, overlimits 0) a example tcpdump: # tcpdump -v port 8099 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 13:19:25.340470 IP (tos 0x0, ttl 63, id 31421, offset 0, flags [DF], length: 48) 158.226.150.44.4870 > iacapp3.local.8099: S [tcp sum ok] 2049470510:2049470510(0) win 64240 <mss 1460,nop,nop,sackOK> 13:19:25.341584 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 48) iacapp3.local.8099 > 158.226.150.44.4870: S [tcp sum ok] 1753072926:1753072926(0) ack 2049470511 win 5840 <mss 1460,nop,nop,sackOK> 13:19:25.341042 IP (tos 0x0, ttl 63, id 31422, offset 0, flags [DF], length: 40) 158.226.150.44.4870 > iacapp3.local.8099: . [tcp sum ok] ack 1 win 64240 13:19:25.342163 IP (tos 0x0, ttl 63, id 31423, offset 0, flags [DF], length: 704) 158.226.150.44.4870 > iacapp3.local.8099: P 1:665(664) ack 1 win 64240 13:19:25.342188 IP (tos 0x0, ttl 64, id 52551, offset 0, flags [DF], length: 40) iacapp3.local.8099 > 158.226.150.44.4870: . [tcp sum ok] ack 665 win 6640 13:19:25.357938 IP (tos 0x0, ttl 64, id 52552, offset 0, flags [DF], length: 297) iacapp3.local.8099 > 158.226.150.44.4870: P 1:258(257) ack 665 win 6640 13:19:25.490836 IP (tos 0x0, ttl 63, id 31429, offset 0, flags [DF], length: 399) 158.226.150.44.4870 > iacapp3.local.8099: P 665:1024(359) ack 258 win 63983 13:19:25.491986 IP (tos 0x0, ttl 64, id 52553, offset 0, flags [DF], length: 1288) iacapp3.local.8099 > 158.226.150.44.4870: P 258:1506(1248) ack 1024 win 7968 13:19:25.691613 IP (tos 0x0, ttl 63, id 31436, offset 0, flags [DF], length: 40) 158.226.150.44.4870 > iacapp3.local.8099: . [tcp sum ok] ack 1506 win 64240 9 packets captured 9 packets received by filter 0 packets dropped by kernel what is missing!? Or is my filter false! Thanks, Gernot _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Andy Furniss
2005-Apr-18 13:01 UTC
Re: Activate ingress policies on suse enterprise server 9
Grames Gernot wrote:> Hi, > > what is needed to activate ingress policies for enterprise server 9!> tc qdisc add dev eth0 ingress > tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 > 0xffff police rate 1kbit burst 1kbit mtu 1 drop flowid :1I get a memory allocation error if I try to add that. Playing around it seems policer doesn''t like small burst and mtu together. Burst is a value and will act like MTU so the rule below should work and do what you want - drop everything with dport 8099. tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1 drop flowid :1 Andy.
Apparently Analagous Threads
- AW: Activate ingress policies on suse enterprise server 9
- AW: AW: Activate ingress policies on suse enterprise serv er 9
- AW: AW: AW: Activate ingress policies on suse enterprise serv er 9
- AW: AW: AW: AW: Activate ingress policies on suse enterpr ise serv er 9
- Mapping Samba Drives (Samba Digest 1721) (Suzanne George)