Old 10-19-2010, 11:31 PM   #1
Washington Ratso
LQ Newbie
 
Registered: Sep 2010
Posts: 27

Rep: Reputation: 0
Traffic Control


How are packets treated that do not match any of the filters?
 
Old 10-19-2010, 11:40 PM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Depends on the program you use for filtering and the type of filtering you use.

If you're using blacklist filtering then any packets which do not match any filters are allowed.

If you're using whitelist filtering then any packets which do not match any filters are blocked.

Whitelist is more secure and usually preferred on intranet traffic. For internet traffic blacklisting is usually used considering the mass of information.

Does this answer your question? If not you'll have to provide more information.

Last edited by sag47; 10-19-2010 at 11:42 PM.
 
Old 10-20-2010, 11:20 AM   #3
Washington Ratso
LQ Newbie
 
Registered: Sep 2010
Posts: 27

Original Poster
Rep: Reputation: 0
Looking at an example from "Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT, and L7-filter":

# Root qdisc
tc qdisc add dev eth1 root handle 10: htb

# Child class
tc class add dev eth1 parent 10:0 classid 10:10 htb rate 100Mbit

# Client class #1 qdisc and filter
tc class add dev eth1 parent 10:10 classid 10:100 htb rate 1Mbit
tc qdisc add dev eth1 parent 10:100 sfq quantum 1514b perturb 15
tc filter add dev eth1 protocol ip parent 10:0 prio 5 u32 match ip dst 1.1.1.1 flowid 10:100

# Client class #2 qdisc and filter
tc class add dev eth1 parent 10:10 classid 10:200 htb rate 4Mbit
tc qdisc add dev eth1 parent 10:200 sfq quantum 1514b perturb 15
tc filter add dev eth1 parent 10:0 protocol ip prio 5 u32 match ip dst 1.1.2.0/24 flowid 10:200

# Client class #3 qdisc and filter
tc class add dev eth1 parent 10:10 classid 10:300 htb rate 5Mbit
tc qdisc add dev eth1 parent 10:300 sfq quantum 1514b perturb 15
tc filter add dev eth1 parent 10:0 protocol ip prio 5 u32 match ip dst 1.1.1.2 flowid 10:300
tc filter add dev eth1 parent 10:0 protocol ip prio 5 u32 match ip dst 1.1.3.0/24 flowid 10:300


What will happen to a packet addressed to a destination that is not specified by one of the filters, e.g., 10.174.100.101?
 
Old 10-20-2010, 08:12 PM   #4
Washington Ratso
LQ Newbie
 
Registered: Sep 2010
Posts: 27

Original Poster
Rep: Reputation: 0
I was able to get my traffic control working and saw that traffic that is not specified by a filter does indeed go through. The question I have now is how can I delete a filter without affecting the other filters. Here are the commands I used to initially create the qdiscs, classes, and filters:

/root/tc qdisc add dev eth0 root handle 2 htb default 1
/root/tc class add dev eth0 parent 2: classid 2:6 htb rate 12Mbit


Connection #1
/root/tc class add dev eth0 parent 2:6 classid 2:100 htb rate 350Kbit
/root/tc qdisc add dev eth0 parent 2:100 sfq
/root/tc filter add dev eth0 parent 2: protocol ip pref 1 u32 match ip src 10.175.1.2 match ip dst 10.174.100.101 match ip sport 32867 0xffff match ip dport 5111 0xffff match ip protocol 17 0xff classid 2:100

Connection #2
/root/tc class add dev eth0 parent 2:6 classid 2:101 htb rate 550Kbit
/root/tc qdisc add dev eth0 parent 2:101 sfq
/root/tc filter add dev eth0 parent 2: protocol ip pref 1 u32 match ip src 10.175.1.2 match ip dst 10.174.100.101 match ip sport 32866 0xffff match ip dport 5222 0xffff match ip protocol 17 0xff classid 2:101


After a connection is destroyed, I want to delete the filter for that connection. Say Connection #1 is destroyed first. If I run:

/root/tc filter del dev eth0 parent 2: protocol ip pref 1 u32 match ip src 10.175.1.2 match ip dst 10.174.100.101 match ip sport 32867 0xffff match ip dport 5111 0xffff match ip protocol 17 0xff classid 2:100


BOTH filters get deleted. How can I delete a single filter without deleting other filters? I want to use classid 2:101 for another connection after Connection #1 is destroyed.
 
Old 10-20-2010, 08:15 PM   #5
Washington Ratso
LQ Newbie
 
Registered: Sep 2010
Posts: 27

Original Poster
Rep: Reputation: 0
I should have said, "I want to use classid 2:100 (NOT 101) for another connection after Connection #1 is destroyed" in the above post.
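
Added example, not written by any poster in this thread: tc filter del picks out a filter by parent, pref and handle rather than by its match expression, so a delete that names only pref 1 removes every filter at that preference. The script below finds the u32 handle that steers to one flowid in tc filter show output and builds a delete for that handle alone; the sample output is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: delete one u32 filter by handle instead of by match expression.
# Function names are hypothetical; SAMPLE_SHOW is constructed output in the
# style of: tc filter show dev eth0 parent 2:
SAMPLE_SHOW='filter protocol ip pref 1 u32
filter protocol ip pref 1 u32 fh 800: ht divisor 1
filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 2:100
  match 0aaf0102/ffffffff at 12
  match 0aae6465/ffffffff at 16
filter protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 2:101
  match 0aaf0102/ffffffff at 12
  match 0aae6465/ffffffff at 16'

# Read "tc filter show" output on stdin; print the handle (fh) of each filter
# whose pref equals $1 and whose flowid equals $2, one per line.
handles_for_flowid() {
    awk -v pref="$1" -v want="$2" '
        $1 == "filter" {
            p = ""; fh = ""; flow = ""
            for (i = 2; i < NF; i++) {
                if ($i == "pref")   p = $(i + 1)
                if ($i == "fh")     fh = $(i + 1)
                if ($i == "flowid") flow = $(i + 1)
            }
            if (fh != "" && p == pref && flow == want) print fh
        }'
}

# Build the delete command for one handle. Args: dev parent pref handle
del_cmd() {
    printf 'tc filter del dev %s parent %s protocol ip pref %s handle %s u32\n' \
        "$1" "$2" "$3" "$4"
}

# Build delete commands for every filter steering to a flowid.
# Args: dev parent pref flowid; "tc filter show" output on stdin.
del_cmds_for_flowid() {
    handles_for_flowid "$3" "$4" | while read -r h; do
        del_cmd "$1" "$2" "$3" "$h"
    done
}

# Offline demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_SHOW" | del_cmds_for_flowid eth0 2: 1 2:100
```

On a live system the same function takes the real output of tc filter show dev eth0 parent 2: on stdin. Alternatively, adding each connection's filter with its own pref value lets a delete that names only that pref remove just the one filter.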
 
  

