Ales Klok <orrie@xxxxxxxxx> writes:

> Jens Thiele wrote:
>> Hi,
>>
>> I have the same question.
>>
>> What about
>> Internet -> eth1 -> iptables -> Local Process ?
>>
>> First I thought it should be easy to put a virtual interface in between:
>>
>> Internet <-> eth1 <-> virtual dev (maybe tun/tap or modified
>> dummy) <-> local process or routing <-> eth0 <-> LAN
>>
>> Then I could use egress shaping on eth1 and the virtual device
>> (and have a setup as simple as a "plain router setup").
>>
>> But I did not manage to do this yet. Anybody using a setup like this
>> one? (maybe bridging or iptables -j ROUTE might help? it seems
>> impossible to force a packet to pass through netfilter for a second time)
>>
>> Greetings
>> Jens
>>
> You have to use IMQ for that. IMQ acts as a "dummy" device which hooks
> itself to iptables after NAT (or before, depends on config) so you can
> use egress shaping on it before the packet reaches the local process or
> forwarding. You can't use IFB in your case because the packet goes to IFB
> before NAT and thus you don't know if it is designated for the router
> itself or a client behind NAT.

So, if I understand it right, in a setup without NAT it would look like:

Internet<->eth1<->IFB<->local process or routing<->eth0<->LAN

and there would be no problem. I could do egress shaping on eth1 (for
"upstream") and egress shaping on IFB (for "downstream").

In a setup with NAT (and maybe IPSEC) the problem is that if I want to do
the egress shaping at the IFB interface ("downstream") I therefore want
the NAT (and maybe IPSEC) to happen before the packets cross the IFB
interface. A picture again:

Internet<->eth1<->NAT<->IFB<->local process or routing<->eth0<->LAN

Is this correct?

Is there a solution to reach that goal (other than IMQ)?
Or do I have to use 2 machines if I don't want to use IMQ?

| Machine 1                          | Machine 2                              |
Internet<->eth1<->NAT (maybe IPSEC)<->eth0<->eth1<->local process or routing<->eth0<->LAN

A last, more general question: Is ingress shaping considered useless, or
why does it seem that difficult to get it to work?

Greetings
Jens

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
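The no-NAT layout Jens sketches (Internet <-> eth1 <-> IFB <-> routing <-> eth0 <-> LAN) can be built with an ingress qdisc on eth1 that redirects every packet to an IFB device, which then carries an ordinary egress HTB tree. The script below is an added example and is not code from the thread or from the LARTC project; interface names, rates and the LAN subnet are assumptions, and the `ip link add ... type ifb` form assumes a kernel with the ifb driver available (on older kernels `modprobe ifb` is needed instead). Set `DRY_RUN=1` to print the `tc` commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): generate and apply the tc commands for
# egress shaping on eth1 ("upstream") plus egress shaping on an IFB device
# that receives eth1's ingress traffic ("downstream").
# All names and numbers below are assumptions; adjust for your router.

WAN="${WAN:-eth1}"                  # assumed Internet-facing interface
IFB="${IFB:-ifb0}"                  # assumed IFB device name
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed LAN subnet (constructed value)
UP_KBIT="${UP_KBIT:-512}"           # assumed upstream ceiling
DOWN_KBIT="${DOWN_KBIT:-2048}"      # assumed downstream ceiling

# Execute a tc command, or just print it when DRY_RUN is set.
run() {
  if [ -n "$DRY_RUN" ]; then
    echo "tc $*"
  else
    tc "$@"
  fi
}

# HTB tree used on both shaping points: one parent class at the ceiling,
# two children splitting it, with 1:20 as the default leaf.
egress_cmds() {
  dev=$1; rate=$2
  printf '%s\n' \
    "qdisc add dev $dev root handle 1: htb default 20" \
    "class add dev $dev parent 1: classid 1:1 htb rate ${rate}kbit" \
    "class add dev $dev parent 1:1 classid 1:10 htb rate $((rate / 2))kbit ceil ${rate}kbit prio 1" \
    "class add dev $dev parent 1:1 classid 1:20 htb rate $((rate / 2))kbit ceil ${rate}kbit prio 2"
}

# Ingress qdisc on the WAN side plus a match-all u32 filter whose mirred
# action redirects each packet to the IFB. This redirect happens before
# netfilter, which is exactly why (as Ales notes) the IFB only ever sees
# pre-NAT addresses: the classifier below is only meaningful without NAT.
ifb_redirect_cmds() {
  wan=$1; ifb=$2
  printf '%s\n' \
    "qdisc add dev $wan handle ffff: ingress" \
    "filter add dev $wan parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $ifb"
}

# On the IFB, steer packets destined for the LAN subnet into the priority
# leaf; everything else (traffic for the router itself) stays in the default.
lan_classify_cmds() {
  ifb=$1; net=$2
  printf '%s\n' \
    "filter add dev $ifb parent 1: protocol ip prio 1 u32 match ip dst $net flowid 1:10"
}

apply() {
  if [ -z "$DRY_RUN" ]; then
    ip link add "$IFB" type ifb 2>/dev/null || true
    ip link set dev "$IFB" up
  fi
  {
    egress_cmds "$WAN" "$UP_KBIT"
    ifb_redirect_cmds "$WAN" "$IFB"
    egress_cmds "$IFB" "$DOWN_KBIT"
    lan_classify_cmds "$IFB" "$LAN_NET"
  } | while read -r line; do
    # shellcheck disable=SC2086  (word splitting of the generated command is intended)
    run $line
  done
}
```

Run `DRY_RUN=1 sh shape.sh` after appending a line calling `apply` to review the generated commands; without `DRY_RUN` the script needs root and a kernel with HTB, the ingress qdisc, `act_mirred` and IFB. The design keeps the two shaping points symmetric so that the only difference between the no-NAT and NAT cases is what the IFB classifier can see, which is the problem the thread is about.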