Re: filter ingress policy based on nfmark

Linux Advanced Routing and Traffic Control



Martin Vassilev wrote:
Hi all.
Since I moved on to the 2.6 kernel, filter ingress policy based on nfmark won't work.
Sorry for my English.

Simple example:

iptables  -t mangle -I PREROUTING -j MARK --set-mark 1

${QDISC_ADD} handle ffff: ingress
${FILTER_ADD} parent ffff: protocol ip prio 100 handle 1 fw \
police rate 128Kbit burst 10k drop flowid 2:11

# tc -s -d qdisc ls dev eth0
qdisc ingress ffff: ----------------
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

# iptables -t mangle -L -n -v
pkts bytes target     prot opt in     out     source               destination
1362 293K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1

No problems on the 2.4 kernel.


On 2.6 whether policer sees marks or not depends on your kernel config.

If you don't select classifier actions then you get the 2.4 behavior.

Andy.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
