Resent because lartc@xxxxxxxxxxxxxxx wasn't in the CCs.
Marco Gaiarin wrote:
> Hello! Andy Furniss
> On that day it was said...
>
>> That page is old, it used to work like that on 2.4 kernels, but now
>> ingress gets packets before iptables.
>
> Ah, oh, oops... I knew that was old, but not so much...
> Googling around these days I've found some old posts, e.g.:
> http://mailman.ds9a.nl/pipermail/lartc/2005q2/015400.html
> where it seems that the trouble came from CONFIG_NET_CLS_IND and
> CONFIG_NET_CLS_ACT kernel compile time options. But probably those
> are old too.

Probably won't work anymore - but then I haven't tested. The old policer
referred to in that post has gone.

> Anyway, a subsequent question arises: how can I police ingress traffic?
> Are u32 filters and imq the only way?

Maybe u32 and ifb rather than imq or just u32 on ingress.
If you really need iptables on ingress then I suppose imq is the only
way - but then you may be able to think of a way to do what you want
differently.
The only time you should need imq is if you really need conntrack/nat
info to shape the inbound traffic where some is destined for the
shaping box and some is forwarded, and there is no other way you can
tell which is which.
As for gred, I've never really used it properly - though one thing I do
know is that the numbering changed so the opalsoft examples won't work
now unless you take one from the defaults.

> Are there some working examples that use fwmark and ingress policing?

You can use u32 on ingress to set fwmark - well you could once, these
docs are also quite old, but are in current iproute2 git.
https://github.com/shemminger/iproute2/tree/master/doc/actions

> [and welcome back lartc!]

Yeah, it's good it's back. Personally I'm quite rusty with the subject
now, I haven't really been following developments properly since the old
list died.
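
The two tc-only approaches named in the reply above ("just u32 on ingress" and "u32 and ifb"), sketched as an added example that is not part of the original thread. The device names eth0/ifb0, the rates, the port match and the helper names run, police_ingress and shape_via_ifb are assumptions; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (constructed): limiting inbound traffic without iptables/imq.
# Dry run by default: commands are printed. Set APPLY=1 (as root) to execute.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Option 1: u32 on the ingress qdisc with a policer (excess packets dropped).
# Classification uses packet fields only, since ingress runs before iptables.
police_ingress() {   # usage: police_ingress DEV RATE BURST
    run tc qdisc add dev "$1" handle ffff: ingress
    run tc filter add dev "$1" parent ffff: protocol ip prio 1 u32 \
        match ip src 0.0.0.0/0 police rate "$2" burst "$3" drop flowid :1
}

# Option 2: redirect everything arriving on DEV to an ifb device and shape
# it there with HTB, so inbound traffic is queued instead of only dropped.
shape_via_ifb() {    # usage: shape_via_ifb DEV IFB RATE
    # Loading the module creates ifb0 and ifb1 by default.
    run modprobe ifb
    run ip link set dev "$2" up
    run tc qdisc add dev "$1" handle ffff: ingress
    run tc filter add dev "$1" parent ffff: protocol ip prio 1 u32 \
        match u32 0 0 flowid 1:1 action mirred egress redirect dev "$2"
    run tc qdisc add dev "$2" root handle 1: htb default 10
    run tc class add dev "$2" parent 1: classid 1:10 htb rate "$3"
    run tc class add dev "$2" parent 1: classid 1:20 htb rate "$3" prio 0
    # u32 on the ifb side: give SSH (dport 22) its own class.
    run tc filter add dev "$2" parent 1: protocol ip prio 1 u32 \
        match ip dport 22 0xffff flowid 1:20
}

# Pick one approach per device; both attach the same ingress qdisc.
case "${1:-}" in
    police) police_ingress "${2:-eth0}" 8mbit 100k ;;
    ifb)    shape_via_ifb "${2:-eth0}" ifb0 8mbit ;;
esac
```

Both functions attach the ffff: ingress qdisc, so apply only one of them to a given device.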