Hi Trevor,

My Linux box has 2 interfaces (eth0 and eth1). These are bridged to form br0. All web/email traffic is sent to IMQ (via netfilter) and shaped. The VLAN traffic just has a 4-byte 802.1Q header between the Ethernet header and the IP header (which is stripped off by br_netfilter.c so iptables can "see" the underlying IP packet).

The problem is the VLAN packets (which contain web/email traffic) are seen and marked by netfilter and pass through IMQ but are not shaped (whereas regular web/email traffic is shaped).

At the moment I'm trying to strip the VLAN header before it enters the scheduler and then restore it after it is dequeued (in a similar way to what br_netfilter.c does). However, I'm not confident that this will make much difference, as it appears that when the skbuff enters the scheduler, skbuff->data already points to the same place as skbuff->nh.raw, which is correctly pointing to the IP header. So as far as the scheduler is concerned, it "sees" an IP packet.

What was the problem you had with IPSec traffic and how did you overcome it?

Regards,
John

Quoting Trevor Cordes <trevor@xxxxxxxxxxxxx>:

> On 8 Sep, John Bothe wrote:
> > Hello,
> >
> > I have a Linux box sitting between (and bridging/firewalling) 2 LAN segments.
> > I'm using Bridge/Netfilter/IMQ/tc(htb) to control (shape) mail/web traffic that
> > traverses the 2 networks.
> >
> > The networks also have some VLAN tagged traffic flying around. My Linux box
> > behaves OK with VLAN traffic except that the shaping doesn't seem to work.
> > Normal http shapes alright but as soon as the http is encapsulated with VLAN,
> > shaping doesn't work - IPtables "sees" that it is http (so firewalling works)
> > and marks it as such in readiness for shaping, but it doesn't seem to be picked
> > up by htb.
>
> Forgive my ignorance, but what do you mean by "VLAN"? I know that term
> can have a couple of different meanings. What's the interface called?
> (ie: eth0)
>
> The reason I ask is perhaps you're getting a similar problem to what I
> just posted about regarding not being able to shape traffic going into
> IPSEC.