Hi Everyone,
I''ve played around with this some more, and it would appear that the
policing works fine, it''s just getting the marks detected
that''s a problem.
That is, I''ve changed to a u32 match (as opposed to the fw one that I
was
using), with a filter that is ''u32 match mark $MARK_BULK
0xffffffff''. This
doesn''t get matched at all (ie. I get ''(rule hit 2996312
success 0)'' from a
`filter show`), however a ''u32 match mark 0 0xffffffff'' works
perfectly -
matches every single packet. As far as I understand, that means that that
filter is perceiving every single packet to have a mark of exactly 0,
correct?
I''m curious as to how I can detect the packets properly: at the moment,
my
mangle table is something like this:
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark $MARK_BULK
$IPTABLES -t mangle -A PREROUTING -j RETURN
$IPTABLES -t mangle -A INPUT -j MARK --set-mark $MARK_BULK
$IPTABLES -t mangle -A INPUT -j RETURN
$IPTABLES -t mangle -A FORWARD -j MARK --set-mark $MARK_BULK
$IPTABLES -t mangle -A FORWARD -j RETURN
$IPTABLES -t mangle -A OUTPUT -j MARK --set-mark $MARK_BULK
$IPTABLES -t mangle -A OUTPUT -j RETURN
$IPTABLES -t mangle -A POSTROUTING -j MARK --set-mark $MARK_BULK
$IPTABLES -t mangle -A POSTROUTING -j RETURN
so I''m pretty sure there''s *no* chance of packets not getting
marked. :-)
however, they simply arn''t detected. :~( Any ideas?
As a followup, where exactly does the ingress and egress shaping and
policing get applied in relation to the iptables rules? Specifically, where
do the filters get applied in context of this picture:
http://foldoc.thexdershome.com/iptables/images/tables_traverse.jpg (sorry
for the hotlinking). At a guess, I''d speculate that ingress is where
the
"routing decision" is (near the top), and egress is right at the end,
down
the bottom?
The reason I''m asking that is because I''m curious as to which
tables should
have the marking rules to ensure they get detected properly. Also, I''m
curious as to if NAT and other modifications would have been applied to
packets before they''re worked on by tc rules.
Thanks for your help, and apologies for the long post. :-)
Cheers! Happy New Year! :-)
Michael Sallaway
> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl
> [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Michael
> Sent: Tuesday, 27 December 2005 2:18 PM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] Ingress policing (matching netfilter marks)
>
> Hi,
>
> I''m having issues with policing my incoming traffic by
> matching packet marks
> made by iptables. I''ve checked as many sites and guides as I
> can find, and I
> seem to be doing the exact same thing as they all are, but
> there''s still no
> success. As such, I was wondering if anyone can have a quick
> look to see if
> I''ve done anything obviously stupid?
>
> Essentially, I can get the egress working fine, matching
> packets based on
> criteria in iptables. However, doing the same for ingress using:
> `tc qdisc add dev $DEV handle ffff: ingress`
> `tc filter add dev $DEV parent ffff: protocol ip prio 1
> handle $MARK_BULK fw
> police rate ${DOWNSTREAM}kbit burst ${BURST}kbit drop flowid :1`
>
> does nothing: packets go through the qdisc fine, but nothing
> matches the
> filter:
>
> michael@bob:~$ sudo tc -s -d qdisc show dev ppp0
> qdisc ingress ffff: ----------------
> Sent 47169399 bytes 46532 pkts (dropped 0, overlimits 0)
>
> michael@bob:~$ sudo tc -s -d filter show dev ppp0 root
> filter parent ffff: protocol ip pref 1 fw
> filter parent ffff: protocol ip pref 1 fw handle 0x1e classid
> :1 police
> 0x28 rate 600000bit burst 8Kb mtu 2Kb action drop
> ref 1 bind 1
>
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> I suspected I just might not be marking things correctly, so
> I tried u32
> matching 0.0.0.0/0 - that worked fine, but for _all_ traffic
> (as it should).
> So I tried marking *every* packet with $MARK_BULK (and
> verified that the
> mark was correct using a log match, and watching the syslog
> file) in both
> prerouting and postrouting chains, yet this didn''t help either.
>
> Regardless of what I do, I can''t get the above filter to
> match anything at
> all - I''m sure the packets are marked correctly, I just
can''t
> match them.
> Any ideas?
>
> (I''ll copy my entire configs below for reference if needed.)
>
> Cheers!
> Michael
>
>
>
> ####################### CONFIG FILES - firewall
> #######################
>
> #!/bin/bash
>
> ##############################################################
> #############
> #
> # Custom functions and configuration
> #
>
> RetrieveIP() {
> nic="$1"
> TEMP=""
>
> if ! /sbin/ifconfig | grep $nic > /dev/null; then
> echo -e "\n\n interface $nic does not exist...
> Aborting!"
> exit 1;
> fi
>
> TEMP=`ifconfig $nic | awk ''/inet addr/ { gsub(".*:",
> "", $2) ; print
> $2 }''`
>
> if [ "$TEMP" = '''' ]; then
> echo "Aborting: Unable to determine the IP of
> $nic ... DHCP
> problem?"
> exit 1
> else
> echo "$TEMP"
> fi
> }
>
>
> #### 1.1 Internet Configuration.
> INET_IFACE="ppp0"
> INET_IP=`RetrieveIP $INET_IFACE`
>
> #### 1.2 Local Area Network configuration.
> LAN_IFACE="eth0"
> LAN_IP=`RetrieveIP $LAN_IFACE`
> LAN_IP_RANGE="192.168.0.0/24"
>
> #### 1.4 Localhost Configuration.
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
>
> #### 1.5 IPTables Configuration.
> IPTABLES="/sbin/iptables"
>
> #### 1.6 Misc Configuration.
> #MARK_FORWARD=$[2#00000001]
> #MARK_PRIORITY=$[2#00000010]
> #MARK_GENERAL=$[2#00000100]
> #MARK_BULK=$[2#00001000]
>
> MARK_FORWARD=1
> MARK_PRIORITY=10
> MARK_GENERAL=20
> MARK_BULK=30
>
> DUMPER_IP="192.168.0.6"
>
>
> ##############################################################
> #############
> #
> # Firewall START function
> #
>
> firewall_start ()
> {
> ######## 3.1 Required proc configuration
>
> # Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # no IP spoofing
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
> then
> for i in /proc/sys/net/ipv4/conf/*/rp_filter
> do
> echo 1 > $i
> done
> fi
>
> # Disable Source Routed Packets
> for i in /proc/sys/net/ipv4/conf/*/accept_source_route
> do
> echo 0 > $i
> done
>
>
> ########
> ######## 4. rules set up.
> ########
>
> ######## 4.1 Filter table
>
>
> #### 4.1.1 Set policies
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
>
> #### 4.1.2 Create userspecified chains
>
> # Create chain for bad tcp packets
> $IPTABLES -N bad_tcp
>
> # Create separate chains for ICMP, TCP and UDP to traverse
> $IPTABLES -N tcp_packets
> $IPTABLES -N udp_packets
> $IPTABLES -N icmp_packets
> $IPTABLES -N common
>
>
> #### 4.1.3 Create content in userspecified chains
>
> # bad_tcp chain
> $IPTABLES -A bad_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK -m state
> --state NEW -j REJECT --reject-with tcp-reset
> $IPTABLES -A bad_tcp -p tcp ! --syn -m state --state NEW -j LOG
> --log-prefix "New not syn:"
> $IPTABLES -A bad_tcp -p tcp ! --syn -m state --state NEW -j DROP
>
> # TCP rules
> $IPTABLES -A tcp_packets -p tcp --dport 20 -j common
> $IPTABLES -A tcp_packets -p tcp --dport 21 -j common
> $IPTABLES -A tcp_packets -p tcp --dport 22 -j common
> $IPTABLES -A tcp_packets -p tcp --dport 80 -j common
> $IPTABLES -A tcp_packets -p tcp --dport 443 -j common
>
> # UDP ports
> #$IPTABLES -A udp_packets -p udp --destination-port 53 -j common
>
> # ICMP rules
> $IPTABLES -A icmp_packets -p icmp --icmp-type 8 -j common
> $IPTABLES -A icmp_packets -p icmp --icmp-type 11 -j common
>
> # common chain
> $IPTABLES -A common -p tcp --syn -j ACCEPT
> $IPTABLES -A common -p tcp -m state --state
> ESTABLISHED,RELATED -j
> ACCEPT
> $IPTABLES -A common -p tcp -j DROP
> $IPTABLES -A common -p ! tcp -j ACCEPT
>
>
> #### 4.1.4 INPUT chain
>
> # Bad TCP packets we don''t want.
> $IPTABLES -A INPUT -p tcp -j bad_tcp
>
> # Rules for special networks not part of the Internet
> $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
>
> # Rules for incoming packets from the internet.
> $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -p tcp -i $INET_IFACE -j tcp_packets
> $IPTABLES -A INPUT -p udp -i $INET_IFACE -j udp_packets
> $IPTABLES -A INPUT -p icmp -i $INET_IFACE -j icmp_packets
>
> # Log weird packets that don''t match the above.
> $IPTABLES -A INPUT -m limit --limit 6/minute
> --limit-burst 6 -j LOG
> --log-level DEBUG --log-prefix "iptables INPUT: "
>
>
> #### 4.1.5 FORWARD chain
>
> # Bad TCP packets we don''t want
> $IPTABLES -A FORWARD -p tcp -j bad_tcp
>
> # Accept the packets we actually want to forward
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m connmark --mark
> $MARK_FORWARD/$MARK_FORWARD
> -j ACCEPT
> # $IPTABLES -A FORWARD -j ACCEPT
>
> # Log weird packets that don''t match the above.
> $IPTABLES -A FORWARD -m limit --limit 6/minute
> --limit-burst 6 -j
> LOG --log-level DEBUG --log-prefix "iptables FORWARD: "
>
>
> #### 4.1.6 OUTPUT chain
>
> # Bad TCP packets we don''t want.
> $IPTABLES -A OUTPUT -p tcp -j bad_tcp
>
> # Special OUTPUT rules to decide which IP''s to allow.
> $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
>
> # Log weird packets that don''t match the above.
> $IPTABLES -A OUTPUT -m limit --limit 6/minute
> --limit-burst 6 -j LOG
> --log-level DEBUG --log-prefix "iptables OUTPUT: "
>
>
>
>
> ######## 4.2 nat table
>
> #### 4.2.1 Set policies
>
> #### 4.2.2 Create user specified chains
>
> #### 4.2.3 Create content in user specified chains
>
> #### 4.2.4 PREROUTING chain
>
> # Emule stuff - forward to DUMPER
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp
> --dport 4662 -d
> $INET_IP -j DNAT --to-destination $DUMPER_IP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p udp
> --dport 4672 -d
> $INET_IP -j DNAT --to-destination $DUMPER_IP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp
> --dport 34567
> -d $INET_IP -j DNAT --to-destination $DUMPER_IP
>
> #### 4.2.5 POSTROUTING chain
>
> # Enable simple IP Forwarding and Network Address Translation
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT
> --to-source
> $INET_IP
>
> #### 4.2.6 OUTPUT chain
>
>
>
>
> ######## 4.3 mangle table
>
> #### 4.3.1 Set policies
>
> #### 4.3.2 Create user specified chains
>
> #### 4.3.3 Create content in user specified chains
>
> #### 4.3.4 PREROUTING chain
>
> # Forwarding marks for packets that have to go to the internal
> network
> # Emule
> # Debugging - set EVERYTHING to BULK
> # $IPTABLES -t mangle -A PREROUTING -j MARK --set-mark $MARK_BULK
>
> $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p tcp
> --dport 4662
> -d $INET_IP -j CONNMARK --set-mark $MARK_FORWARD/$MARK_FORWARD
> $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p udp
> --dport 4672
> -d $INET_IP -j CONNMARK --set-mark $MARK_FORWARD/$MARK_FORWARD
> $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p tcp --dport
> 34567 -d $INET_IP -j CONNMARK --set-mark $MARK_FORWARD/$MARK_FORWARD
>
> # Shaping and throttling marks for the shaper script
> (downstream)
> # Priority traffic: All UDP, ICMP, and SSH
> $IPTABLES -t mangle -A PREROUTING -p udp -j MARK --or-mark
> $MARK_PRIORITY
> $IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --or-mark
> $MARK_PRIORITY
> $IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK
> --or-mark $MARK_PRIORITY
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j MARK
> --or-mark $MARK_PRIORITY
>
> # General traffic: Web stuff
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j MARK
> --or-mark $MARK_GENERAL
> $IPTABLES -t mangle -A PREROUTING -p tcp --sport 80 -j MARK
> --or-mark $MARK_GENERAL
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport 443 -j MARK
> --or-mark $MARK_GENERAL
> $IPTABLES -t mangle -A PREROUTING -p tcp --sport 443 -j MARK
> --or-mark $MARK_GENERAL
>
> # Everything else - put it on BULK traffic
> $IPTABLES -t mangle -A PREROUTING -m mark --mark
> 0/$[$MARK_BULK |
> $MARK_GENERAL | $MARK_PRIORITY] -j MARK --or-mark $MARK_BULK
>
> # Detection logs. Used for debugging to ensure markings
> are correct.
> # $IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_FORWARD/$MARK_FORWARD -j LOG --log-level DEBUG
> --log-prefix "IPT -
> MARK det FWD"
> # $IPTABLES -t mangle -A PREROUTING -m connmark --mark
> $MARK_PRIORITY/$MARK_PRIORITY -j LOG --log-level DEBUG
> --log-prefix "IPT -
> CONN det PRIO"
> # $IPTABLES -t mangle -A PREROUTING -m connmark --mark
> $MARK_GENERAL/$MARK_GENERAL -j LOG --log-level DEBUG
> --log-prefix "IPT -
> CONN det GEN"
> # $IPTABLES -t mangle -A PREROUTING -m connmark --mark
> $MARK_BULK/$MARK_BULK -j LOG --log-level DEBUG --log-prefix
> "IPT - CONN det
> BULK"
>
> # $IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_PRIORITY/$MARK_PRIORITY -j LOG --log-level DEBUG --log-prefix
> "MARK_PRIORITY "
> # $IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_PRIORITY -j
> LOG --log-level DEBUG --log-prefix "MARK_PRIORITY EX "
> # $IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_GENERAL/$MARK_GENERAL -j LOG --log-level DEBUG --log-prefix
> "MARK_GENERAL "
> # $IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_GENERAL -j
> LOG --log-level DEBUG --log-prefix "MARK_GENERAL EX "
> # $IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_BULK/$MARK_BULK -j LOG --log-level DEBUG --log-prefix "MARK_BULK
> "
> # $IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_BULK -j LOG
> --log-level DEBUG --log-prefix "MARK_BULK EX "
>
> # $IPTABLES -t mangle -A PREROUTING -m connmark --mark
> $MARK_FORWARD/$MARK_FORWARD -j LOG --log-level DEBUG --log-prefix
> "FORWARDING... "
>
> # Debugging - set EVERYTHING to BULK
> # $IPTABLES -t mangle -A PREROUTING -j MARK --set-mark $MARK_BULK
>
>
> #### 4.3.5 INPUT chain
>
> #### 4.3.6 FORWARD chain
>
> #### 4.3.7 OUTPUT chain
>
> #### 4.3.8 POSTROUTING chain
>
> # Shaping and throttling marks for the shaper script (upstream)
> # Priority traffic: TOS packets, all UDP, ICMP, SSH
> $IPTABLES -t mangle -A POSTROUTING -m tos --tos
> Minimize-Delay -j
> MARK --or-mark $MARK_PRIORITY
> $IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --or-mark
> $MARK_PRIORITY
> $IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --or-mark
> $MARK_PRIORITY
> $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK
> --or-mark $MARK_PRIORITY
> $IPTABLES -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK
> --or-mark $MARK_PRIORITY
>
> # Normal traffic: Web, SSL, ACKs
> $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK
> --or-mark $MARK_GENERAL
> $IPTABLES -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK
> --or-mark $MARK_GENERAL
> $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK
> --or-mark $MARK_GENERAL
> $IPTABLES -t mangle -A POSTROUTING -p tcp --sport 443 -j MARK
> --or-mark $MARK_GENERAL
> $IPTABLES -t mangle -A POSTROUTING -p tcp -m length
> --length :64 -j
> MARK --or-mark $MARK_GENERAL
>
> # Bulk traffic: everything else by default
> $IPTABLES -t mangle -A POSTROUTING -m tos --tos
> Maximize-Throughput
> -j MARK --or-mark $MARK_BULK
>
> # Debugging - set EVERYTHING to BULK
> # $IPTABLES -t mangle -A POSTROUTING -j MARK --set-mark $MARK_BULK
> }
>
>
>
> firewall_stop ()
> {
> # proc configuration
>
> # Disable forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> # IP spoofing
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
> then
> for i in /proc/sys/net/ipv4/conf/*/rp_filter
> do
> echo 0 > $i
> done
> fi
>
>
> # reset the default policies in the filter table.
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
>
> # reset the default policies in the nat table.
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
>
> # reset the default policies in the mangle table.
> $IPTABLES -t mangle -P PREROUTING ACCEPT
> $IPTABLES -t mangle -P POSTROUTING ACCEPT
> $IPTABLES -t mangle -P INPUT ACCEPT
> $IPTABLES -t mangle -P OUTPUT ACCEPT
> $IPTABLES -t mangle -P FORWARD ACCEPT
>
> # flush all the rules in the tables.
> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -t mangle -F
>
> # erase all chains that''s not default in the tables.
> $IPTABLES -X
> $IPTABLES -t nat -X
> $IPTABLES -t mangle -X
> }
>
>
>
> case "$1" in
> start)
> firewall_start
> ;;
> stop)
> firewall_stop
> ;;
> restart|force-reload)
> firewall_stop
> sleep 1
> firewall_start
> ;;
> *)
> echo "Usage: firewall {start|stop|restart}" >&2
> exit 3
> ;;
> esac
>
>
>
>
>
>
>
> ####################### CONFIG FILES - shaper #######################
>
> #!/bin/bash
>
> ##############################################################
> #############
> #
> # Environment variables
> #
>
> DEV=ppp0
> UPSTREAM=192
> DOWNSTREAM=600
> BURST=64
>
> #MARK_FORWARD=$[2#00000001]
> #MARK_PRIORITY=$[2#00000010]
> #MARK_GENERAL=$[2#00000100]
> #MARK_BULK=$[2#00001000]
>
> MARK_FORWARD=1
> MARK_PRIORITY=10
> MARK_GENERAL=20
> MARK_BULK=30
>
>
>
> ##############################################################
> #############
> #
> # Script functions
> #
>
> #### Status report
> shaper_status ()
> {
> tc -s class ls dev $DEV
> tc -s qdisc ls dev $DEV
> }
>
>
> #### Stop function
> shaper_stop ()
> {
> tc qdisc del dev $DEV root 2> /dev/null
> tc qdisc del dev $DEV ingress 2> /dev/null
> }
>
>
> ##############################################################
> #############
> #
> # Start function
> #
>
> shaper_start ()
> {
> #### Upstream
>
> # Install HTB qdisc with three classes and rate limting
> tc qdisc add dev $DEV root handle 1: htb default 30 r2q 2
> tc class add dev $DEV parent 1: classid 1:1 htb rate
> ${UPSTREAM}kbit
> ceil ${UPSTREAM}kbit burst 8k cburst 2k
> tc class add dev $DEV parent 1:1 classid 1:10 htb rate
> $[4*$UPSTREAM/10]kbit ceil ${UPSTREAM}kbit prio 1
> tc class add dev $DEV parent 1:1 classid 1:20 htb rate
> $[3*$UPSTREAM/10]kbit ceil ${UPSTREAM}kbit prio 2
> tc class add dev $DEV parent 1:1 classid 1:30 htb rate
> $[3*$UPSTREAM/10]kbit ceil $[6*$UPSTREAM/10]kbit prio 3 burst
> 1024 cburst
> 1024
>
> # Install qdiscs to maximise the efficiency of each class
> tc qdisc add dev $DEV parent 1:10 handle 10: pfifo limit 25
> tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
> tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10
>
> # Apply filtering based on packets matched in the firewall
> tc filter add dev $DEV parent 1: prio 1 protocol ip handle
> $MARK_PRIORITY fw flowid 1:10
> tc filter add dev $DEV parent 1: prio 2 protocol ip handle
> $MARK_GENERAL fw flowid 1:20
> tc filter add dev $DEV parent 1: prio 3 protocol ip handle
> $MARK_BULK fw flowid 1:30
>
> #### Downstream
>
> # Attach ingress qdisc
> tc qdisc add dev $DEV handle ffff: ingress
>
> # Police everything but high priority traffic
> # tc filter add dev $DEV parent ffff: protocol ip prio 1 handle
> $MARK_BULK fw police rate ${DOWNSTREAM}kbit burst
> ${BURST}kbit drop flowid
> :1
>
> tc filter add dev $DEV parent ffff: protocol ip prio 1 handle
> $MARK_BULK fw
> police rate ${DOWNSTREAM}kbit burst ${BURST}kbit drop flowid :1
>
> #tc filter add dev $DEV parent ffff: protocol ip prio 1 u32
> match ip src
> 0.0.0.0/0 police rate ${DOWNSTREAM}kbit burst ${BURST}kbit
> drop flowid :1
>
> #tc filter add dev $DEV parent ffff: protocol ip prio 50 u32
> match ip src
> 0.0.0.0/0 police rate ${DOWNSTREAM}kbit burst ${BURST}kbit
> drop flowid :1
>
> # tc filter add dev $DEV parent ffff: protocol ip handle
> $MARK_BULK \
> # fw flowid :1 police rate ${DOWNSTREAM}kbit
> burst ${BURST}
> action drop
> }
>
>
> case "$1" in
> start)
> shaper_start
> ;;
> stop)
> shaper_stop
> ;;
> restart|force-reload)
> shaper_stop
> sleep 1
> shaper_start
> ;;
> status)
> shaper_status
> ;;
> *)
> echo "Usage: adsl-shaper
> {start|stop|restart|status}" >&2
> exit 3
> ;;
> esac
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>