Hi guys, I am starting to "play" with QoS in Linux. Well, I am trying to set up an ingress filter, but I do not know why it is not working.

tc add qdisc dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 160kbit burst 256kbit drop flowid :1

After that:

iptables -A PREROUTING -t mangle --sport 80 -j MARK --set-mark 1

So, I think this should make all traffic from port 80 be filtered by tc, does it?

But it is not working, I keep downloading at full speed from port 80.

Any help?

--
[]''s
Salatiel

"The greatest pleasure of an intelligent person is to play the idiot in front of an idiot who plays the intelligent one."

Salatiel Filho wrote:
> Hi guys, I am starting to "play" with QoS in Linux. Well, I am
> trying to set up an ingress filter, but I do not know why it is not
> working.
>
> tc add qdisc dev eth0 ingress
> tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw
> police rate 160kbit burst 256kbit drop flowid :1
>
> After that:
>
> iptables -A PREROUTING -t mangle --sport 80 -j MARK --set-mark 1
>
> So, I think this should make all traffic from port 80 be filtered by
> tc, does it?
>
> But it is not working, I keep downloading at full speed from port 80.
>
> Any help?

I think because the MARK-ing is done after the ingress. Better use u32 on ingress.

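The u32 approach suggested in this reply, written out as an added example (not from the thread): the filter matches TCP source port 80 in the packet header, so it does not depend on a netfilter mark. The function name `ingress_police_cmds`, the `APPLY` switch and the defaults are assumptions; `match ip sport` reads the port at a fixed offset, so it assumes an IP header without options.

```shell
#!/bin/sh
# Added example: police inbound TCP traffic from one source port with a u32
# filter on the ingress qdisc. ingress_police_cmds and APPLY are hypothetical.

# Print the tc commands for DEV PORT RATE BURST; return 1 on bad input.
ingress_police_cmds() {
    dev=$1 port=$2 rate=$3 burst=$4
    # The output may be fed to a shell, so allow only plain tokens.
    for v in "$dev" "$port" "$rate" "$burst"; do
        case $v in
            ''|*[!A-Za-z0-9._-]*) echo "bad argument: '$v'" >&2; return 1 ;;
        esac
    done
    case $port in *[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    # ffff: is the handle of the ingress qdisc.
    echo "tc qdisc add dev $dev handle ffff: ingress"
    # protocol 6 is TCP; the source port is read from the packet itself.
    echo "tc filter add dev $dev parent ffff: protocol ip prio 1 u32" \
         "match ip protocol 6 0xff match ip sport $port 0xffff" \
         "police rate $rate burst $burst drop flowid :1"
}

cmds=$(ingress_police_cmds "${DEV:-eth0}" "${PORT:-80}" \
                           "${RATE:-160kbit}" "${BURST:-256kbit}") || exit 1
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$cmds" | sh -e    # needs root
else
    printf '%s\n' "$cmds"            # default: show what would be run
fi
```

After applying, `tc -s filter show dev eth0 parent ffff:` shows the filter and its policer counters, which is the quickest check that packets are actually hitting the rule.
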
On 2/4/07, Alexandru Dragoi <alex@zoomnet.ro> wrote:
> I think because the MARK-ing is done after the ingress. Better use u32
> on ingress.

I did not know that :D
Now I am gonna try to understand u32.

2 doubts:

1) Do tc filters work like iptables [first match stops the chain]?
2) What exactly does "rate 160kbit burst 256kbit" mean? Rate 160 and can go till 256? Rate 160 and can go till 160 + 256?

--
[]''s
Salatiel

On 2/4/07, Salatiel Filho <salatiel.filho@gmail.com> wrote:
> I did not know that :D
> Now I am gonna try to understand u32.

Once I wanted to do something similar and it worked OK with u32.

> 2 doubts:
>
> 1) Do tc filters work like iptables [first match stops the chain]?
> 2) What exactly does "rate 160kbit burst 256kbit" mean? Rate 160 and
> can go till 256? Rate 160 and can go till 160 + 256?

Rate 160 and can allow until 256.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

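How a token-bucket policer treats `rate 160kbit burst 256kbit`, as an added simulation (not from the thread, and a simplified model rather than the kernel's code): burst is the bucket depth in bytes and rate is the refill speed. The function name `police_sim`, the unit conversions (160kbit/s taken as 20000 bytes/s, 256kbit taken as 32768 bytes) and the packet trains are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: simplified token-bucket model of a tc policer.
# police_sim RATE_BYTES_PER_S BURST_BYTES PKT_BYTES PKT_COUNT GAP_MS
# Prints "<passed> <dropped>" for PKT_COUNT packets spaced GAP_MS apart.
police_sim() {
    rate=$1 burst=$2 size=$3 count=$4 gap_ms=$5
    tokens=$burst                  # the bucket starts full
    passed=0 dropped=0 i=0
    while [ "$i" -lt "$count" ]; do
        if [ "$i" -gt 0 ]; then
            # Refill for the time since the previous packet, capped at burst.
            tokens=$(( tokens + rate * gap_ms / 1000 ))
            if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi
        fi
        if [ "$tokens" -ge "$size" ]; then
            tokens=$(( tokens - size ))
            passed=$(( passed + 1 ))
        else
            dropped=$(( dropped + 1 ))   # "drop": over-limit packet is discarded
        fi
        i=$(( i + 1 ))
    done
    echo "$passed $dropped"
}

RATE=20000     # 160kbit/s as bytes per second (assumed conversion)
BURST=32768    # 256kbit as a size in bytes (assumed conversion)

# Constructed traffic, 1500-byte packets:
police_sim "$RATE" "$BURST" 1500 100 0      # back-to-back train
police_sim "$RATE" "$BURST" 1500 100 75     # paced at exactly the rate
police_sim "$RATE" "$BURST" 1500 1000 10    # 10 s offered at 150000 bytes/s
```

In this model a back-to-back train gets one bucket's worth through and then drops, while a sender paced at the rate loses nothing; over a long overload the admitted volume is the bucket depth plus rate times elapsed time.
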
On 2/4/07, Georgy Zhukov <zhukov@gawab.com> wrote:
> Once I wanted to do something similar and it worked OK with u32.

Well, according to:
http://www.lartc.org/lartc.html#LARTC.ADV-QDISC.INGRESS

It should work, see this:

############################################################
$iptables -A PREROUTING -i $INDEV -t mangle -p tcp --syn \
  -j MARK --set-mark 1
############################################################
#
# install the ingress qdisc on the ingress interface
############################################################
$TC qdisc add dev $INDEV handle ffff: ingress
############################################################
#
#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful really; but
# serves to show the point - JHS
############################################################
$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
  police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################

> > 1) Do tc filters work like iptables [first match stops the chain]?

What about this first question?

--
[]''s
Salatiel