On Thu, 2012-04-19 at 18:30 +0200, Marco Gaiarin wrote: > Ok, now that i'm on business with fwmark, i'm testing ifb, as a way to > do ingress policying based on fwmarks. > > I've defined a redirect: > > ifconfig eth2 up > tc filter add dev eth2 parent ffff: protocol ip prio 50 \ > u32 match ip src 0.0.0.0/0 flowid :1 \ > action mirred egress redirect dev ifb2 > > that seems to work: > > tc filter show dev eth2 parent ffff: > filter protocol ip pref 50 u32 > filter protocol ip pref 50 u32 fh 800: ht divisor 1 > filter protocol ip pref 50 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid :1 > match 00000000/00000000 at 12 > action order 1: mirred (Egress Redirect to device ifb2) stolen > index 2 ref 1 bind 1 > > Note that my default FORWARD chain, as must be, DROP traffic, so i > supposed that after redirecting to ifb2, all traffic will stop. > Surprisingly, all work as before. > > > After some fiddling, seems that in ifb interfaces there's no netfliter > at all, eg i've explicitly DROPped traffic on INPUT, OUTPUT and FORWARD > chains for ifb+, and traffic still flow. > > Not surprisingly, there's no fwmark, eg traffic flow in ifb2 but > there's no mark (even if i restore them on OUTPUT and FORWARD chains), > so no mark match: > > tc -s -d qdisc show dev ifb2 > qdisc htb 1: root refcnt 2 r2q 10 default 0 direct_packets_stat 29643 ver 3.17 > Sent 26622714 bytes 29643 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc sfq 10: parent 1:10 limit 127p quantum 1514b flows 127/1024 perturb 10sec > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc sfq 20: parent 1:20 limit 127p quantum 1514b flows 127/1024 perturb 10sec > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc sfq 30: parent 1:30 limit 127p quantum 1514b flows 127/1024 perturb 10sec > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc sfq 40: parent 1:40 limit 127p quantum 1514b flows 127/1024 perturb 10sec > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc sfq 50: parent 1:50 limit 127p quantum 1514b flows 127/1024 perturb 10sec > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc sfq 80: parent 1:80 limit 127p quantum 1514b flows 127/1024 perturb 10sec > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc ingress ffff: parent ffff:fff1 ---------------- > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > > > So seems to me that experiment 2 (using ifb) fail, and still seems that > the only way to do ingress policying are with u32 filters. > > > Last chance imq. Someone just know if in imq i can use netfilter, so i > can save some test-time? > > > Thanks. > > > PS: i've done a 'ifconfig ifb2 down' while still redirecting, and > flow stop, so i'm sure i've not maked (too many) mistakes... > I found the same thing. The IFB interface seems to get the packets before they've passed through the netfilter hooks thus I had to do all my packet identification with tc filters - John -- To unsubscribe from this list: send the line "unsubscribe lartc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
