On Tue, 2012-03-27 at 18:16 +0200, Marco Gaiarin wrote:
<snip>
> > You can use u32 on ingress to set fwmark - well you could once,
> > these docs are also quite old, but are in current iproute2 git.
>
> I know that. But I set marks using some advanced iptables features, for
> example connmark_sip to match VoIP traffic, and I also use connmark
> save/connmark restore to prevent the re-marking of all the traffic.

Unless I've missed something, if you want to shape on ingress, you have
no choice but to mark each packet :( Conntrack is not functional at that
point I believe.

> For that, I'm looking for a way to police (for ingress, it will suffice
> to drop) traffic based on connmarks.

If you are only policing, I do not believe you need an IFB interface.
The policing policy will be set on the tc filter. I think you will only
need IFB interfaces if you want to shape or want the same rules to apply
to multiple interfaces.

<snip>
> 2) Will the marks that I set inside the ifb interfaces survive to the
> outer one? This post:
> http://mailman.ds9a.nl/pipermail/lartc/2006q4/019720.html
> says no, and that also seems reasonable.

I do recall having a problem with this. I don't remember the details but
it may have been that any new connmarks from iptables overwrote the mark
given on the ingress filter. I'm really not sure about that -

John

--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
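The two cases John separates above (policing only, where the policer hangs directly off a tc filter on the ingress qdisc, versus shaping, where the only option is to redirect into an IFB device and shape on it) as an added example; this is not code from the thread or from the lartc project, and it goes slightly beyond the message by showing both cases side by side. It assumes the WAN-facing device is eth0, the IFB device is ifb0, SIP signalling is UDP/5060, and the rates are placeholders for the real downstream link. The classification is done with u32 rather than with fw/connmark because the ingress qdisc runs before netfilter PREROUTING, so marks set by iptables are not yet on the packet at that point, which is the practical side of the "mark each packet" remark above. TC and IP can be overridden (TC=echo IP=echo) to preview the commands without root.

```shell
#!/bin/sh
# Added example (not from the thread): ingress policing without an IFB
# device, and the IFB redirect that is only needed when you want to shape.
# Assumptions: WAN device eth0, IFB device ifb0, SIP signalling on UDP/5060,
# and placeholder rates. Set TC=echo IP=echo to preview instead of applying.
set -eu
TC="${TC:-tc}"
IP="${IP:-ip}"

# u32 match for SIP signalling. Classification at ingress has to be done by
# the tc classifier itself: the ingress qdisc runs before netfilter, so a
# fw/connmark filter there would never see marks set by iptables.
SIP_MATCH='match ip protocol 17 0xff match ip dport 5060 0xffff'

# Case 1: policing only. No IFB needed; the policer is part of the filter.
ingress_police() {
    dev="$1"; sip_rate="$2"; total_rate="$3"
    $TC qdisc add dev "$dev" handle ffff: ingress
    # SIP gets its own policer so a flood of signalling cannot crowd out the rest
    $TC filter add dev "$dev" parent ffff: protocol ip prio 10 u32 \
        $SIP_MATCH \
        police rate "$sip_rate" burst 32k drop flowid :1
    # Everything else shares one policer at the downstream link rate
    $TC filter add dev "$dev" parent ffff: protocol ip prio 50 u32 \
        match u32 0 0 \
        police rate "$total_rate" burst 128k drop flowid :2
}

# Case 2: shaping. Redirect all ingress traffic to an IFB device and hang an
# HTB tree on it; the ifb device's egress is where the shaping happens.
ingress_shape_via_ifb() {
    dev="$1"; ifb="$2"; total_rate="$3"
    $IP link add "$ifb" type ifb
    $IP link set dev "$ifb" up
    $TC qdisc add dev "$dev" handle ffff: ingress
    $TC filter add dev "$dev" parent ffff: protocol ip prio 99 u32 \
        match u32 0 0 \
        action mirred egress redirect dev "$ifb"
    $TC qdisc add dev "$ifb" root handle 1: htb default 20
    $TC class add dev "$ifb" parent 1: classid 1:1 htb rate "$total_rate"
    $TC class add dev "$ifb" parent 1:1 classid 1:10 htb rate 512kbit ceil "$total_rate" prio 0
    $TC class add dev "$ifb" parent 1:1 classid 1:20 htb rate 1mbit ceil "$total_rate" prio 1
    # Still u32, not fw/connmark: the packet reaches ifb before PREROUTING.
    $TC filter add dev "$ifb" parent 1: protocol ip prio 10 u32 $SIP_MATCH flowid 1:10
}

# Remove the ingress qdisc (and the IFB device, if one was used).
ingress_teardown() {
    dev="$1"; ifb="${2:-}"
    $TC qdisc del dev "$dev" ingress 2>/dev/null || true
    [ -n "$ifb" ] && $IP link del "$ifb" 2>/dev/null || true
}

# Usage when run directly, e.g.:  TC=echo IP=echo sh ingress.sh police eth0
if [ "${1:-}" = police ]; then
    ingress_police "${2:-eth0}" 256kbit 4mbit
elif [ "${1:-}" = shape ]; then
    ingress_shape_via_ifb "${2:-eth0}" ifb0 4mbit
fi
```

Note the difference in where the rate limit lives: in the policing case it is a `police` action on the filter attached to `ffff:` and nothing else is created, while in the shaping case the ingress filter only redirects and the real work is an ordinary egress qdisc on ifb0. In both cases the SIP filter matches on protocol and port, because marks written by iptables (connmark or otherwise) are not available to a filter that runs on the ingress qdisc.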