iproute tc with ingress qdisc
Hi
I'm trying to establish some sort of control over the download rate. The
Advanced Routing HOWTO seems to suggest that the ingress queue discipline
may help here.
I want to see if indeed it has any noticeable effect.
Documentation here is lacking. My current script is a variation of the
syn-flood limitation script from the iproute examples.
#!/bin/sh -x
#
# sample script on using the ingress capabilities
# this script shows how one can rate limit incoming SYNs
# Useful for TCP-SYN attack protection. You can use
# IPchains to have more powerful additions to the SYN (eg
# in addition the subnet)
#
#path to various utilities;
#change to reflect yours.
#
TC=/sbin/tc
IP=/sbin/ip
IPCHAINS=/sbin/ipchains
CHAIN=mark-in
MARK=1
INDEV=eth1
ING_HANDLE="ffff"
#
# tag all incoming SYN packets through $INDEV as mark value 1
############################################################
#$iptables -A PREROUTING -i $INDEV -t mangle -p tcp --syn \
# -j MARK --set-mark 1
$IPCHAINS --flush $CHAIN
for addr in [a list of IP addresses]; do
$IPCHAINS -A $CHAIN -p tcp -d ${addr} --mark ${MARK}
done
############################################################
#
# install the ingress qdisc on the ingress interface
############################################################
#$TC qdisc add dev $INDEV root handle 1: cbq bandwidth 100Mbit avpkt 1000 \
# mpu 64
$TC qdisc add dev $INDEV root handle ${ING_HANDLE}: ingress
############################################################
#
#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful really; but
#serves to show the point - JHS
############################################################
$TC filter add dev $INDEV parent ${ING_HANDLE}: protocol ip prio 50 handle 1 fw \
  police rate 16kbps burst 40 mtu 9k drop flowid :1
############################################################
#
echo "---- qdisc parameters Ingress ----------"
$TC qdisc ls dev $INDEV
echo "---- Class parameters Ingress ----------"
$TC class ls dev $INDEV
echo "---- filter parameters Ingress ----------"
$TC filter ls dev $INDEV parent ${ING_HANDLE}:
#deleting the ingress qdisc
#$TC qdisc del dev $INDEV ingress
The output from the end of the script (after the ipchains parts; the '+
...' lines are because of running it with '-x'):
+ /sbin/tc qdisc add dev eth1 root handle ffff: ingress
RTNETLINK answers: Invalid argument
+ /sbin/tc filter add dev eth1 parent ffff: protocol ip prio 50 handle 1 fw police rate 16kbps burst 40 mtu 9k drop flowid :1
RTNETLINK answers: Invalid argument
+ echo '---- qdisc parameters Ingress ----------'
---- qdisc parameters Ingress ----------
+ /sbin/tc qdisc ls dev eth1
+ echo '---- Class parameters Ingress ----------'
---- Class parameters Ingress ----------
+ /sbin/tc class ls dev eth1
+ echo '---- filter parameters Ingress ----------'
---- filter parameters Ingress ----------
+ /sbin/tc filter ls dev eth1 parent ffff:
And basically nothing happens.
I'm obviously doing something wrong, however I can't find much
documentation as to what is wrong. I have done various searches and read
various guides, but still no luck. Any direct help or pointers to
useful resources would be appreciated.
The system is kernel 2.2/woody
--
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
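The ingress policing setup the post attempts, rewritten as an added example (not the poster's script or the iproute example it was derived from): the ingress qdisc takes the fixed handle ffff: and no `root` keyword, the marking is done with the iptables mangle table the post has commented out, and a check on `tc qdisc ls` output shows what a successful install looks like. Interface, address, mark, rate and burst are placeholders, and DRY_RUN=1 (the default) prints the commands instead of executing them, so it runs without root or a real interface.

```shell
#!/bin/sh
# Added example, not the original post's script. Placeholders: eth1,
# 192.0.2.10, fwmark 1, 16kbit/10k. DRY_RUN=1 prints instead of executing.
TC=${TC:-/sbin/tc}
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

run() {  # print the command under DRY_RUN, otherwise execute it
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# The ingress qdisc is not a root qdisc: it is attached with the fixed
# handle ffff: and no 'root' keyword. Adding 'root' (as the posted line
# does) is rejected by the kernel with "Invalid argument".
ingress_qdisc_cmd() {  # $1 = interface
  printf '%s qdisc add dev %s handle ffff: ingress' "$TC" "$1"
}

# Mark packets for one destination as they arrive (mangle PREROUTING,
# the netfilter counterpart of the post's ipchains --mark) ...
mark_cmd() {  # $1 = interface, $2 = destination address, $3 = fwmark
  printf '%s -t mangle -A PREROUTING -i %s -d %s -j MARK --set-mark %s' \
    "$IPT" "$1" "$2" "$3"
}

# ... and police everything carrying that mark. tc units: 'kbit' is
# kilobits per second; 'kbps' (as in the post) means kilobytes per second.
police_filter_cmd() {  # $1 = interface, $2 = fwmark, $3 = rate, $4 = burst
  printf '%s filter add dev %s parent ffff: protocol ip prio 50 handle %s fw police rate %s burst %s drop flowid :1' \
    "$TC" "$1" "$2" "$3" "$4"
}

ingress_setup() {  # $1 = interface, $2 = destination address to limit
  run "$(ingress_qdisc_cmd "$1")"
  run "$(mark_cmd "$1" "$2" 1)"
  run "$(police_filter_cmd "$1" 1 16kbit 10k)"
}

# Verification step the post lacked: feed 'tc qdisc ls dev IF' output on
# stdin; succeeds only if the ingress qdisc is actually installed (the
# post's empty listing means nothing was installed).
has_ingress_qdisc() {
  grep -q '^qdisc ingress ffff:'
}

ingress_setup eth1 192.0.2.10   # placeholders; prints the three commands
```

Run with `DRY_RUN=0` as root to apply the commands, then `tc qdisc ls dev eth1 | sh -c '. ./script.sh >/dev/null; has_ingress_qdisc' && echo installed` to confirm the qdisc is present.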