
I want to limit the download speed from any IP to 800kbit (this works), and I want to limit the download speed of marked packets to 400kbit.

I don't get any errors, but it's not limiting the download speed of the packets marked with number 30. I've confirmed with iptables-save -c that the packets are being marked correctly. So I think my filter syntax to pick up handle 30 is wrong, even though there is no error.

/sbin/tc qdisc add dev $DEV handle ffff: ingress

/sbin/tc filter add dev $DEV parent ffff: prio 40 protocol ip handle 30 fw police rate 400kbit burst 10k drop flowid :1

#slightly different order of parameters, also doesn't work
/sbin/tc filter add dev $DEV parent ffff: protocol ip prio 40 handle 30 fw police rate 400kbit burst 10k drop flowid :1
#if I set the priority to 50 then I get an error saying "We have an error talking to the kernel"
#kernel is 4.4.50

/sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 800kbit burst 10k drop flowid :1

A similar tc command (policing the rate of marked packets) is given as the following example:

$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw police rate 1kbit burst 40 mtu 9k drop flowid :1

http://linuxdocs.org/HOWTOs/Adv-Routing-HOWTO-14.html

The same example also appears here: https://www.iplocation.net/lartc-ddos

If I manually add another rule for a specific IP, at an equal priority above the catchall or at a lower priority, then I can limit speeds to 400kbit/s. But I want to limit the speed of packets marked/mangled by iptables.

Josh

1 Answer


It's a valid set of commands, but the problem is that the mark happens after the ingress qdisc is processed.

Josh
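One way to act on the answer's point, as an added example that is not part of the question or the answer: keep the catch-all 800kbit policer on WAN ingress (where u32 works, since no netfilter mark exists yet) and move the mark-30 policer to the egress side of the interface the downloads leave through, where the iptables mangle mark is already set. The interface names eth0 (WAN) and eth1 (LAN) and the TC_APPLY switch are assumptions; by default the script only prints the tc commands.

```shell
#!/bin/sh
# Added example, not from the question or answer. Assumes WAN="eth0" is where
# downloads arrive and LAN="eth1" is where they leave towards the clients, and
# that fw mark 30 is set in the iptables mangle table (PREROUTING/FORWARD),
# i.e. after WAN ingress but before LAN egress.
# Commands are printed by default; set TC_APPLY=1 to execute them as root.
TC=${TC:-/sbin/tc}

run() {
    if [ "${TC_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Catch-all 800kbit policer on WAN ingress (the part of the question that
# already works: u32 matches on the packet itself, not on a netfilter mark).
ingress_policer() {
    wan=$1
    run $TC qdisc add dev "$wan" handle ffff: ingress
    run $TC filter add dev "$wan" parent ffff: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate 800kbit burst 10k drop flowid :1
}

# The fw classifier cannot see an iptables mark on WAN ingress because the
# ingress qdisc runs before the mangle table. On LAN egress the mark is
# present, so the 400kbit policer for mark 30 is attached to a root qdisc there.
marked_policer() {
    lan=$1
    run $TC qdisc add dev "$lan" root handle 1: prio
    run $TC filter add dev "$lan" parent 1: protocol ip prio 40 handle 30 fw \
        police rate 400kbit burst 10k drop flowid 1:1
}

shape_downloads() {
    ingress_policer "$1"
    marked_policer "$2"
}

shape_downloads "${WAN:-eth0}" "${LAN:-eth1}"
```

Check with tc -s filter show dev eth1 that the fw filter's police counters increase while marked traffic flows; if they stay at zero, the mark is being set in a chain the packet does not traverse before that egress.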