On Tue, 2012-03-27 at 18:16 +0200, Marco Gaiarin wrote:

> > You can use u32 on ingress to set fwmark - well you could once,
> > these docs are also quite old, but are in current iproute2 git.
>
> I know that. But I set marks using some advanced iptables features, for
> example connmark_sip to match VoIP traffic, and I also use connmark
> save/connmark restore to prevent the re-marking of all the traffic.
>
> For that, I'm looking for a way to police (for ingress, it will suffice
> to drop) traffic based on connmarks.

Then I think you're stuck with IMQ. Or, if you're forwarding traffic, you
do it on the egress interface (that's what I do).

> 1) As stated in the previous email, I'm not clear whether I have to create an
> ifb interface for every physical one, or whether I can create different
> interfaces.

I can't remember off the top of my head, but I thought you could direct
traffic from any interface into an IFB interface, and it will return to
the original interface. I may be wrong though. Try it!

> OK, probably traffic comes back to the correct interface, but the police
> rule applies, I think, to the sum of traffic from all interfaces...

Yes, because you'll attach the police rule to that single IFB interface,
so all it sees is one interface. That's the point of IFB.

> 2) The marks that I set inside the ifb interfaces, will they survive on the
> outer one?

I would have thought they *would* survive. Again, why not just try?

> This post:
> http://mailman.ds9a.nl/pipermail/lartc/2006q4/019720.html
> tells me no, and it also seems reasonable.

Reading that post, it looks like the author has fallen into the problem
you have above. I.e. if you use IFB on ingress, then you don't get any
access to MARK information, as the traffic hasn't hit iptables yet.

Andy

--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
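The two approaches discussed in this thread, as an added example that is not part of the original messages: policing on an IFB device redirected from ingress (where no mark is available yet), beside Andy's alternative of marking in the mangle table with connmark save/restore and classifying on the egress interface with the fw filter. Interface names, the SIP port and the rates are assumptions; with DRY_RUN=1 (the default) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the thread. DRY_RUN=1 prints commands; DRY_RUN=0 runs them (needs root).
DRY_RUN="${DRY_RUN:-1}"
WAN="${WAN:-eth0}"   # assumed: interface where traffic enters
LAN="${LAN:-eth1}"   # assumed: interface where forwarded traffic leaves
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# 1) IFB on ingress: everything on $WAN is redirected to ifb0 and shaped there.
#    No fwmark/connmark is visible at this point: the packet has not reached
#    iptables (mangle PREROUTING) yet, which is the limitation the thread describes.
ingress_police_ifb() {
    run ip link add ifb0 type ifb
    run ip link set ifb0 up
    run tc qdisc add dev "$WAN" handle ffff: ingress
    run tc filter add dev "$WAN" parent ffff: protocol ip u32 match u32 0 0 \
        action mirred egress redirect dev ifb0
    run tc qdisc add dev ifb0 root handle 1: htb default 10
    run tc class add dev ifb0 parent 1: classid 1:10 htb rate 1mbit
}

# 2) Forwarded traffic: restore the connection mark, mark only new connections
#    (assumed SIP signalling on UDP 5060 -> mark 1), save it back, then let the
#    fw classifier on the egress interface pick the class by mark.
egress_shape_by_mark() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -p udp --dport 5060 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    run tc qdisc add dev "$LAN" root handle 1: htb default 20
    run tc class add dev "$LAN" parent 1: classid 1:10 htb rate 512kbit prio 0
    run tc class add dev "$LAN" parent 1: classid 1:20 htb rate 4mbit prio 1
    run tc filter add dev "$LAN" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
}

# Stand-alone usage: print both command sets.
ingress_police_ifb
egress_shape_by_mark
```

The IFB variant can only police on packet contents (u32), while the egress variant is the one that can act on marks, since mangle has run by the time the packet reaches the outgoing qdisc.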