On Mon, 2012-03-26 at 12:50 +0200, Marco Gaiarin wrote:
<snip>
> And sorry to the list for my arrival... my previous messages are
> about:
>
> http://opalsoft.net/qos/DS-27.htm
>
> where seems that we can do ingress filtering based of fwmarks.
>
>
> Andy and Andrew reply me with:
>
> http://jengelh.medozas.de/images/nf-packet-flow.png
>
> explaining me that my first link was outdated, and in 2.6 kernel
> ingress are before marking (so, there's no way to do what i need).
>
>
> So seems that the only way to filter ingress are u32 or ifb,
> redirecting traffic to the egress of another interface.
>
>
> A question: with an 'egress redirect' i can redirect traffic, but
> ''where'' they come back?
> A bit deeper: if i have multiple interfaces, i have to define an ifb
> for everyone, or one ifb suffices because ifb ''remember'' the input
> interface?
>
> As for second link above, there's a ''picture'' of traffic flow in ifb?
<snip>

I believe IFB returns the packet to the exact point from which it received it. For example, if I recall correctly, we often use IFB interfaces for egress filtering in VPN environments with virtual interfaces, e.g., tun interfaces in OpenVPN, so that we do not need to write identical sets of rules for each interface. The packets are returned to the interface from which they came. I am no expert but that is my experience - John
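
The single-IFB arrangement discussed in this thread, as an added example that is not part of the original messages: the script prints the `tc`/`ip` commands that redirect ingress traffic from several interfaces to one shared IFB device carrying a single rule set. The names `ifb0`, `tun0`, `tun1`, the HTB class and the 10mbit rate are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: build (print, not execute) the commands that funnel ingress
# traffic from several interfaces through one shared IFB device.
# Assumed values, not from the thread: ifb0, tun0, tun1, the 10mbit HTB class.

IFB_DEV="${IFB_DEV:-ifb0}"

# Commands that create the shared IFB device and its single rule set.
ifb_setup_cmds() {
    echo "modprobe ifb numifbs=1"
    echo "ip link set dev $IFB_DEV up"
    # The qdisc on the IFB's egress is written once and serves every
    # interface that redirects into it.
    echo "tc qdisc add dev $IFB_DEV root handle 1: htb default 10"
    echo "tc class add dev $IFB_DEV parent 1: classid 1:10 htb rate 10mbit"
}

# Per-interface commands: attach an ingress qdisc and redirect all packets
# to the IFB. Interface names are validated before being placed in a command.
ifb_redirect_cmds() {
    for dev in "$@"; do
        case "$dev" in
            ''|*[!A-Za-z0-9_.-]*)
                echo "invalid interface name: $dev" >&2
                return 1 ;;
        esac
        echo "tc qdisc add dev $dev handle ffff: ingress"
        echo "tc filter add dev $dev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $IFB_DEV"
    done
}

# Full plan: shared setup first, then one redirect pair per interface.
ifb_plan() {
    ifb_setup_cmds
    ifb_redirect_cmds "$@"
}
```

Calling `ifb_plan tun0 tun1` prints the plan for review; piping that output to `sh` as root applies it.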