Dear reader, I'm not updating these pages anymore. If you have tc or ip related questions, you can post them on the LARTC mailing list.

List all filters

To list all the filters, you have to repeat the command for every possible parent. When you execute

tc filter show dev eth0
it shows only the filters attached to the root qdisc.
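
One way to repeat the listing for every parent, as an added example that is not part of the original page: it collects the handles from the qdisc and class listings and runs tc filter show once per handle. The sample listing is constructed, and the helper names filter_parents and show_all_filters are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page.

# Constructed sample in the format printed by
# `tc qdisc show dev eth0` and `tc class show dev eth0`.
SAMPLE='qdisc cbq 10: root refcnt 2 rate 10Mbit (bounded,isolated) prio no-transmit
qdisc sfq 20: parent 10:2 limit 127p quantum 1514b
class cbq 10: root rate 10Mbit (bounded,isolated) prio no-transmit
class cbq 10:1 parent 10: rate 1Mbit (bounded) prio 5
class cbq 10:2 parent 10:1 leaf 20: rate 500Kbit prio 3'

# Read qdisc/class listings on stdin and print each distinct handle or
# classid once. Field 3 holds the handle in both listings. Handle 0: means
# no handle was assigned (default qdisc), so it is skipped.
filter_parents() {
    awk '($1 == "qdisc" || $1 == "class") && $3 != "0:" { print $3 }' |
        LC_ALL=C sort -u
}

# Show the filters attached to every qdisc and class on device $1.
show_all_filters() {
    dev=$1
    { tc qdisc show dev "$dev"; tc class show dev "$dev"; } |
        filter_parents |
        while read -r parent; do
            echo "### parent $parent"
            tc filter show dev "$dev" parent "$parent"
        done
}

# Only touch the real device when one is named on the command line.
if [ "$#" -gt 0 ]; then
    show_all_filters "$1"
fi
```

Run it with the device name as the only argument, for example eth0.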


You can mark packets with the tools used to set up firewall chains. With kernel 2.4.x you have to mark with iptables, and with kernel 2.2.x you have to use ipchains. These marks are only valid on the shaping box and are lost when the packet is transmitted.

The fw filter can use this mark to split the traffic into different classes.

Example: mark all packets to destination port 25 (mail) with mark 1 and put them in class 10:2 with the fw filter:

iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 25 -j MARK --set-mark 1
tc filter add dev eth0 parent 10: protocol ip prio 3 handle 1 fw classid 10:2

The MARK target is only valid in the mangle table. The mangle table itself has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing).

Note that you can't flush the chain with

iptables -F
because without -t this command only works on the filter table. You have to flush it with
iptables -F PREROUTING -t mangle

When you mark a packet on the incoming interface, you can use that mark on the outgoing interface for shaping, even if you do masquerading. If you are shaping an outgoing masqueraded connection, you have to work like this: on the outgoing interface you no longer know where the packet is coming from, because the source port is the same for all packets.

This filter is very handy in test setups. You can split traffic based on the destination port, so you can build a very complex CBQ setup with 2 PCs to test the functionality of CBQ. And with the built-in firewall counters, you can calculate the bandwidth.



With this filter you can split packets by matching the header against a mask. This can be, for example, the source and/or destination ports and/or IP addresses. You can do almost the same thing with the combination of fw and firewall chains, but this filter will work on a bridge and the fw filter will not.

Example: put all the packets to host DEST in class 10:2:

tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst DEST flowid 10:2



Splitting based on how the packet will be routed.
