Hi, Is it possible to make a filter with tc which exclude an IP like iptables ?? ex: iptable -t mangle -A PREROUTING -i eth0 -d ! 192.168.1.222 -j MARK ... I try the ! with tc but it doesn''t work. Thanks, doude. _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
doudouyam wrote:> Hi, > Is it possible to make a filter with tc which exclude an IP like > iptables ?? > > ex: > iptable -t mangle -A PREROUTING -i eth0 -d ! 192.168.1.222 -j MARK ... > > I try the ! with tc but it doesn''t work. > Thanks, > doude.Not directly, but you can just match the address then follow it with a filter that matches everything else. Andy.
On 03-08-2006 18:06, doudouyam wrote:> Hi, > Is it possible to make a filter with tc which exclude an IP like iptables ?? > > ex: > iptable -t mangle -A PREROUTING -i eth0 -d ! 192.168.1.222 > <http://192.168.1.222> -j MARK ...Maybe there is something like this, I don''t know, but you can try two filters in turn e.g.: # tc filter add dev eth0 parent 1: proto ip pref 100 \ u32 match ip dst 192.168.1.222 police drop (or some other "flowid 1:xx" instead of "police drop") # tc filter add dev eth0 parent 1: proto ip pref 101 \ u32 match ip dst 192.168.1.0/24 flowid 1:99 Jarek P.
On 10-08-2006 15:38, Jarek Poplawski wrote: ...> # tc filter add dev eth0 parent 1: proto ip pref 100 \ > u32 match ip dst 192.168.1.222 police dropShould be: # tc filter add dev eth0 parent 1: proto ip pref 100 \ u32 match ip dst 192.168.1.222 flowid 1: police \ conform-exceed drop/drop or: # tc filter add dev eth0 parent 1: proto ip pref 100 \ u32 match ip dst 192.168.1.222 flowid 1: action drop Jarek P.
Jarek Poplawski wrote:> Should be: > # tc filter add dev eth0 parent 1: proto ip pref 100 \ > u32 match ip dst 192.168.1.222 flowid 1: police \ > conform-exceed drop/dropLooks a bit iffy but I haven''t tried it - I thought that would be drop whether under or over - if it''s valid at all without action/ a police rate. Andy.
On 18-08-2006 12:28, Andy Furniss wrote:> Jarek Poplawski wrote: > >> Should be: >> # tc filter add dev eth0 parent 1: proto ip pref 100 \ >> u32 match ip dst 192.168.1.222 flowid 1: police \ >> conform-exceed drop/drop > > Looks a bit iffy but I haven''t tried it - I thought that would be drop > whether under or over - if it''s valid at all without action/ a police rate.Maybe I should have written: "Should be with a fairly current iproute2 and kernel:". It''s so called "New syntax" ("Old syntax" didn''t work for me), to add exceed action for zero rate. According to help rate and burst should be included, but it works anyway. Jarek P.