On Sunday 09 December 2001 16.01, jamal wrote: > Henrik, > Can you please try the attahed patch against iproute2-2.4.7-now-ss010824? Seems to make the tc userspace program to properly reject the arguments. It is a bit sad that one cannot queue packets in ingress. Would be quite useful to make ingress shaping behave more sane than what can be acheived with the queueless filter police mechanism. netfilter supports queueing/delaying of packets and then resume processing them at a later time using nf_reinject, so I think it should be possible to implement a ingress queue without too much effort.. but then the netfilter queueing seems to be very simplistic only supporting one queue per protocol family and this queueing interface is already used for queueing packets to userspace, so perhaps not as easy as I thought.. Queueing in netfilter works by 1. The queueing mechanism registers it's handler by calling nf_register_queue_handler. Only one queue handler per protocol family is supported. 2. On packets needed to be queued, return NF_QUEUE 3. When the queue handler is done with the packet, it calls nf_reinject with a new verdict. 4. If the packet was not dropped/stolen, netfilter processing continues at the next hook (not priority). The queue handler gets the following information: skb, protocol family, nf hook number, and in/out devices. Regards Henrik
