Ok, now that I'm in business with fwmark, I'm testing ifb as a way to do ingress policing based on fwmarks.

I've defined a redirect:

    ifconfig eth2 up
    tc filter add dev eth2 parent ffff: protocol ip prio 50 \
        u32 match ip src 0.0.0.0/0 flowid :1 \
        action mirred egress redirect dev ifb2

that seems to work:

    tc filter show dev eth2 parent ffff:
    filter protocol ip pref 50 u32
    filter protocol ip pref 50 u32 fh 800: ht divisor 1
    filter protocol ip pref 50 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid :1
      match 00000000/00000000 at 12
            action order 1: mirred (Egress Redirect to device ifb2) stolen
            index 2 ref 1 bind 1

Note that my default FORWARD chain, as it must, DROPs traffic, so I supposed that after redirecting to ifb2 all traffic would stop. Surprisingly, everything works as before.

After some fiddling, it seems that on ifb interfaces there's no netfilter at all, e.g. I've explicitly DROPped traffic on the INPUT, OUTPUT and FORWARD chains for ifb+, and traffic still flows.

Not surprisingly, there's no fwmark, e.g. traffic flows in ifb2 but there's no mark (even if I restore them on the OUTPUT and FORWARD chains), so no mark match:

    tc -s -d qdisc show dev ifb2
    qdisc htb 1: root refcnt 2 r2q 10 default 0 direct_packets_stat 29643 ver 3.17
     Sent 26622714 bytes 29643 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
    qdisc sfq 10: parent 1:10 limit 127p quantum 1514b flows 127/1024 perturb 10sec
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
    qdisc sfq 20: parent 1:20 limit 127p quantum 1514b flows 127/1024 perturb 10sec
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
    qdisc sfq 30: parent 1:30 limit 127p quantum 1514b flows 127/1024 perturb 10sec
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
    qdisc sfq 40: parent 1:40 limit 127p quantum 1514b flows 127/1024 perturb 10sec
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
    qdisc sfq 50: parent 1:50 limit 127p quantum 1514b flows 127/1024 perturb 10sec
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
    qdisc sfq 80: parent 1:80 limit 127p quantum 1514b flows 127/1024 perturb 10sec
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
    qdisc ingress ffff: parent ffff:fff1 ----------------
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0

So it seems to me that experiment 2 (using ifb) fails, and it still seems that the only way to do ingress policing is with u32 filters.

Last chance: imq. Does someone already know whether I can use netfilter in imq, so I can save some test time?

Thanks.

PS: I've done an 'ifconfig ifb2 down' while still redirecting, and the flow stops, so I'm sure I've not made (too many) mistakes...

-- 
dott. Marco Gaiarin                                GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''              http://www.sv.lnf.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it   tel +39-0434-842711   fax +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
    http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
    (cf 00307430132, category ONLUS or RICERCA SANITARIA)
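
The counter reading used in the message above to conclude that no mark matches, written out as an added example that is not part of the original post: with htb `default 0`, packets that no filter classifies are sent directly and counted in direct_packets_stat, so a root whose direct count equals its Sent packet count while every leaf shows 0 pkt means no filter matched. The function names are hypothetical and the sample text is constructed from the output format shown in the post.

```python
import re

# Constructed sample, abridged to the Sent lines of the output format in the post.
SAMPLE = """\
qdisc htb 1: root refcnt 2 r2q 10 default 0 direct_packets_stat 29643 ver 3.17
 Sent 26622714 bytes 29643 pkt (dropped 0, overlimits 0 requeues 0)
qdisc sfq 10: parent 1:10 limit 127p quantum 1514b flows 127/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
"""

QDISC = re.compile(r"^qdisc (\S+) (\S+)(?: (root)| parent (\S+))?")
SENT = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkt")
DIRECT = re.compile(r"direct_packets_stat (\d+)")


def parse_qdiscs(text):
    """Return one dict per qdisc: kind, handle, parent, pkts, direct."""
    qdiscs = []
    for line in text.splitlines():
        m = QDISC.match(line)
        if m:
            d = DIRECT.search(line)
            qdiscs.append({"kind": m.group(1), "handle": m.group(2),
                           "parent": "root" if m.group(3) else m.group(4),
                           "pkts": 0, "direct": int(d.group(1)) if d else None})
            continue
        m = SENT.match(line)
        if m and qdiscs:
            qdiscs[-1]["pkts"] = int(m.group(2))
    return qdiscs


def unclassified_report(text):
    """Per htb qdisc: packets sent, packets that bypassed every class, busy leaves."""
    qdiscs = parse_qdiscs(text)
    report = []
    for root in (q for q in qdiscs if q["kind"] == "htb"):
        major = root["handle"].split(":")[0]
        busy = [q["handle"] for q in qdiscs if q is not root and q["pkts"] > 0
                and (q["parent"] or "").split(":")[0] == major]
        report.append({"handle": root["handle"], "sent": root["pkts"],
                       "direct": root["direct"], "busy_leaves": busy,
                       # every packet went out unclassified: no filter matched
                       "no_filter_matched": root["pkts"] > 0 and not busy
                       and root["direct"] == root["pkts"]})
    return report


if __name__ == "__main__":
    print(unclassified_report(SAMPLE))
```

Feeding it the text of `tc -s -d qdisc show dev ifb2` gives one entry per htb qdisc; `no_filter_matched` turns false as soon as any leaf under that htb has carried a packet.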