similar to: Policing

I''m having trouble getting ingress policing to work on a bridged device. The bridge contains several interfaces: peth0, vif0.0, vif[1-7]0.1, vif[25].1 . (This is under xen, in case the vif''s didn''t give that away, so peth0 is renamed eth0.) The tc rules I have are: tc qdisc del dev peth0 root tc qdisc del dev peth0 ingress handle ffff: tc qdisc add dev peth0 root

Hi all I''m new to this list, but not exactly to iproute stuff. I''d like to solve a specific problem with bandwidth coming from different external sources towards the internal network (also the other way around, but I figure that''s not so much a problem, since that is egress traffic shaping). The network looks like this: internet ------ ISP-------[shaping/router]

Hi, I''m trying to police ingress traffic based on port numbers and IP addresses. The u32 match based on IP addresses seems to work without issues and I''m am able to police incoming packets. However, the same isn''t working with u32 matches based on TCP port numbers. For port numbers, I added exactly one ''u32 match'' rule: common for both: # tc qdisc add

On Tue, 22 Feb 2011 11:15:39 +0100 "PIOTREK H." <komarekmz@tlen.pl> wrote: > Welcome > > I have a problem with the new iproute "iproute2-2.6.37.tar.bz2 07-Jan-2011 9:18 (the problem from version 2010 to 2011). > Three problems: > a) with filters for UDP traffic > problem affects only the queuing traffic to the machine on which you work qos > In the case

Hi, I''m trying to police the incoming traffic by using ingress qdisc,this is what I have in my script tc qdisc add dev eth0 handle ffff: ingress tc filter add dev eth0 parent ffff: protocol ip prio 4 \ handle 1: u32 divisor 1 tc filter add dev eth0 parent ffff: protocol ip prio 4 u32 \ match ip dport 4001 0xffff \ police rate 2000kbit burst 50k drop \ flowid

Hello everybody on the list, I have the following situation where I want to police the speed of incoming packets from specific subnets to 1024kbps and then police all the rest to 256kbps, which is the speed my ISP grants for the rest of the internet. So, eth1 is the one connected to the cable modem and then to the internet. I do: tc qdisc add dev eth1 ingress handle ffff: then: tc filter

Hi listizens, Complete tc newbie here. I''m in a pinch because of a mail assault on a server. I''ve firewalled away many of the most egregious offenders but non-smtp services are still being DOS''ed because of all the mail traffic. Here is what I''ve tried. (I did say newbie ;) ----------------- #!/bin/sh # # policing parent tc qdisc add dev eth0 handle

Hi, I''m having issues with policing my incoming traffic by matching packet marks made by iptables. I''ve checked as many sites and guides as I can find, and I seem to be doing the exact same thing as they all are, but there''s still no success. As such, I was wondering if anyone can have a quick look to see if I''ve done anything obviously stupid? Essentially, I

Hi stef and all I want measure the policy perfomance for video traffic on mpls diffserv network. there are two different polices for video packet 1. Video packets that are marked that are over the limit are to be rejected at the edge router. 2. Video packets that are marked that are over the limit are to be downgraded as best effort and are sent through. Before video enter my mpls

Hi I''m looking for a quick recipe for a newbie to control http traffic in my linux gw. My internet is overloaded already and vpn external clients are experiencing troubles (disconnecting in peak hours). Any suggestions ? Regards Guillermo Caracas/Venezuela On Thu, 2004-05-06 at 14:40, lartc-request@mailman.ds9a.nl wrote: > Send LARTC mailing list submissions to >

Hi all, I have 2 questions regarding policing 1. What is the problem with policing as in most mesages I can find people say don''t but I have not found a why? 2. I have the egress below working (numbers in example are bogus, I know). How do I add an ingress policy? /* compile this file with tcc filename > limit.sh and run that file */ dev eth1 { egress { class (

Hi all I started playing with tcng to generate my tc rules, but I have some difficulty implementing my rules... The script below generates an error: # Device eth0 tc qdisc add dev eth0 ingress beginner.tc:2: don''t know how to build meter for this The script is below, I changed the real IP numbers for XXs and YYs, since it doesn''t really matter what they are. eth0 is the

Simple police filter below works for IPv4 traffic, but not for IPv6 traffic. Tested with 2.4.26 and 2.6.6 kernel. Am I doing something wrong or is it bug? Same filter logic works with imq+htb for both IPv4 and IPv6 traffic. iptables -A PREROUTING -i eth1.101 -t mangle -j MARK --set-mark 0x101 ip6tables -A PREROUTING -i eth1.101 -t mangle -j MARK --set-mark 0x101 tc qdisc add dev eth1.101

Hi, I notice that if two or more existing connections match an ingress policing filter, the input bandwidth does not get evenly divided up between the n connections. Kinda like litters of baby animals, where the stronger babies get more access to the mothers teats and grow up bigger and faster than their siblings. The only workaround that''s working for me is to set explicit ingress

Hi folks I have created a script file (dsmark+policing.sh attached) to check graphic an text outputs of simutations, against original examples/dsmark+policing coding (see TCNG Reference Manual-pg.90). It uses tcng coding (*.tcsim file attached) and old tc coding (*.tcsim_old file attached) inserted in tcsim files. Observation 1: The graphic outputs from (*.tc included in *.tcsim) and (*.tc_old

Hi, I am trying to do some simple ingress limiting based on fwmark. I know the ability and sense to do INGRESS limiting is ehm... limited ;-) but still I want to try it. I tried several things. === 1 === tcq ingress handle ffff: tcf parent ffff: protocol ip prio 1 handle 1 fw police rate 12mbit burst 10k drop tcf parent ffff: protocol ip prio 1 handle 2 fw police rate 10mbit burst 10k drop

On a custom compiled Linux 2.6.13 kernel... # tc qdisc add dev ppp145 handle ffff: ingress # tc filter add dev ppp145 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 384kbit burst 10k drop flowid :1 RTNETLINK answers: Invalid argument This works fine on a CentOS machine and my Fedora Core 2 box with default kernel. I''m trying to figure out what is missing in the

Hi all. Since I move on to 2.6 kernel , filter ingress policy based on nfmark won´t work. Sorry for my english. Simple example: iptables -t mangle -I PREROUTING -j MARK --set-mark 1 ${QDISC_ADD} handle ffff: ingress ${FILTER_ADD} parent ffff: protocol ip prio 100 handle 1 fw \ police rate 128Kbit burst 10k drop flowid 2:11 # tc -s -d qdisc ls dev eth0 qdisc ingress ffff: ----------------

Hi all, I''d like to have multiple polices in an interface with different src address, like that: tc qdisc add dev eth4 handle ffff: ingress tc filter add dev eth4 parent ffff: protocol ip prio 5 u32 match ip src \ 192.168.18.0/24 police rate 128kbit burst 10k drop flowid :1 tc filter add dev eth4 parent ffff: protocol ip prio 5 u32 match ip src \ 192.168.36.0/24 police rate

Hi,lartc I used iproute-060110 with iptables1.3.4 on gentoo 2005r1 kernel 2.6.14-5. I find some error messages in system logfile: HTB: quantum of class 10001 is big. Consider r2q change. HTB: quantum of class 10010 is big. Consider r2q change. tcf_action_init_1: successfull police HTB: quantum of class 20001 is big. Consider r2q change. HTB: quantum of class 20020 is big. Consider