similar to: u32 filter question

hello, I have working htb system with about 1000 users. Until now I reload all rules at change, but it take too much time to apply. I cannot delete applyed filters. There is rules for one user: #!/bin/bash -v # Download shaper EX -> 2:20 /sbin/tc class add dev eth2 parent 2:20 classid 2:1775 htb rate 8000Kbit ceil 10000Kbit quantum 1514 /sbin/tc qdisc add dev eth2 parent 2:1775 sfq perturb

Hello, i made this script : tc qdisc add dev eth0 handle ffff: ingress tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 138.96.20.0 police index 1 rate 20000kbit burst 20000kbit drop flowid :1 tc filter add dev eth0 parent ffff:1 protocol ip prio 1 u32 match ip src 138.96.20.23 police index 2 rate 15000kbit burst 15000kbit drop flowid :2 tc filter add dev eth0 parent

Hi folks...!!! I´ve a problem that i did not solve it. i want to limit the DOWNLOAD to my hosts (upstream traffic for the firewall) using IMQ, If i classify by PORT (source or destination) all seems to be fine, but...BUT...if i want to restrict by IP addresss (internal IP address) i can´t do it, because my hosts go to Internet toward the firewall using NAT, so after NAT my IP address in

Thanks for quick reply Andreas! > Every class is allowed to use bandwidth as long as it does not have to > borrow (the specified rate is guaranteed). Prio in HTB only affects > borrowing bandwidth from other classes... In the example below, the class > 1:5 should be allowed to borrow bandwidth before 1:14 does. Thats exactly what I want from HTB to do..to prio the borrowed bandwidth.

Hello, i try to use iptables to mark packet and then to filter them with tc. Here is my script: iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j MARK --set-mark 1 tc qdisc add dev eth0 handle ffff: ingress tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1 I can not use u32 because i have several

Hello, with the command : tc filter add dev eth0 parent ffff: protocol ip u32 patch ip src 192.168.2.6police rate 10000kbit burst 10000kbit drop flowid :1 we can limit traffic coming from 192.168.2.6. I would like: for 192.168.1.2, 192.168.1.4 limit to 10mbit for 192.168.1.3, 192.168.1.5 limit to 20mbit other ip would have no limit. Is it possible with tc ? Regards Olivier.

Hello... Im trying to setup HTB to allow me to shape traffic from two upstreams that meets on single lan0 interface. I prefer to use HTB qdisc within HTB root qdisc for cleaner rules design. Seems that it doesnt work at all. tc -s class show doesnt show any traffic on other classes attached to HTB qdisc. Linux 2.6.20.7 iproute-2.6.20-070313 Weird thing is that tc -s class show that 1: and 2:

Thanks: To Stef and Tobias Geiger for giving me the answer. I used the prio to get the order right. Don't know why I did'nt think of it myself. Compression: Another thing that might be useful to the list is the use of compression (Deflate etc.) to get better bandwidth across links. This requires a Linux router at both ends of the link. I got the idea from a product called Peribit see

My hfsc rule .. tc qdisc add dev eth2 handle 1: root hfsc iptables -t mangle -N ms-all iptables -t mangle -N ms-all-chains iptables -t mangle -N ms-prerouting iptables -t mangle -A PREROUTING -j ms-prerouting iptables -t mangle -A ms-prerouting -j CONNMARK --restore-mark iptables -t mangle -A ms-prerouting -p udp --dport 4444 -j MARK --set-mark 1 iptables -t mangle -A ms-prerouting -p udp -m

Hi, I am trying to put together a hashing filter based on example provided in LARTC how-to document. I want to link two hashing filters together where first one will use 3rd octet of an IP address as hashkey and second one will use 4th octet as hash key. How do I tell mask the address so that u32 filter uses 3rd octet as hashkey? Venkatesh K _______________________________________________

after i use "tc -s -d class ls dev eth0" will show statistic data about HFSC ,like this root@ubuntu:/home/shaper# tc -s -d class ls dev eth2 class hfsc 1: root Sent 0 bytes 0 pkts (dropped 0, overlimits 0) period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 class hfsc 1:11 parent 1:1 sc m1 30720Kbit d 10.0ms m2 30000bit ul m1 0bit d 0us m2

Hi Is there a way of marking packets by mac address instead of ip or ports using a "tc filter u32 match"? I read somewhere that I could use the offset -8 and -14 to grab the mac addresses but if I use anything lower than -8, for example -9, I get an error. I''m modifying the wondershaper script to cap the download speed by mac address. Any sugestions?

Hi all: I am getting this error message in my syslog after a few hours of running my QoS. First i suposed it was a memory sims problem, but i have changed them and i have the same problem. Here is the error message: Oct 20 16:52:23 pototogorri /usr/bin/sudo: apache : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/sbin/iptables -t nat -D PREROUTI Oct 20 16:52:23 pototogorri

Hello I have few questions regarding tc functionality (qdiscs, classes, etc.) when vlans are in use. For example, consider interface eth0, for which I create and extra vlan with vconfig, let''s say eth0.11. Then using tc I can add usual things - qdiscs, filters, ... - to both eth0 and eth0.11. The questions are: - on which interface - virtual or real, should I actually use tc ? Or

Hi, got a 25/25Mbit connection which is quite stuffed. So I applied htb rules. Uplink: class htb 1:1 root rate 24500Kbit ceil 24500Kbit burst 4661b/8 mpu 0b overhead 0b cburst 4661b/8 mpu 0b overhead 0b level 7 Sent 430600689269 bytes 730147320 pkt (dropped 0, overlimits 0 requeues 0) rate 23057Kbit 5520pps backlog 0b 0p requeues 0 lended: 199673949 borrowed: 0 giants: 0 tokens: -964

I have to match my packets based on MAC address, which I cannot do in the POSTROUTING chain, so I do it in PREROUTING using MARK. Then, I match on the MARK in the POSTROUTING chain to do a CLASSIFY. But this does not seem to work: wireless-r1 bwlimit # iptables -L -v -n -t mangle Chain PREROUTING (policy ACCEPT 3353K packets, 941M bytes) pkts bytes target prot opt in out source

Hi there, We recently upgraded to 2.2.12 (the current version in FreeBSD's port tree), and are seeing these errors in our logs (not super frequently, but it happens): May 30 13:20:57 mail1 kernel: pid 15752 (imap), uid 1005: exited on signal 6 May 30 13:20:57 mail1 dovecot: imap(xxx): Fatal: master: service(imap): child 15752 killed with signal 6 (core not dumped - set service imap {

Hello, I am trying to use tc to drop packets based on the ip identification field in the ip header, I am trying to drop incomming packets with the ip identification field egual with 15: tc qdisc del dev eth0 ingress tc qdisc add dev eth0 handle ffff: ingress tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip protocol 6 0xff flowid 1:1 match u16 0x000f 0xffff at 4 action drop tc

After checking f_u32.c sources, there''s one extra parameter parsed - indev, that is nowhere described - not even in commandline help or in excellent Russell''s documentation. Does anyone know, what''s the purpose of it ?

I was wondering with the current u32 filter implementation, is there a way to get beyond the tcp header to the packet payload to filter upon that? Any help is very much appreciated. Thanks. _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc