Re: ipset support in tc

Linux Advanced Routing and Traffic Control


 



On Sun, 10 Jun 2012, Florian Westphal wrote:

> Mr Dash Four <mr.dash.four@xxxxxxxxxxxxxx> wrote:
> [ CC'd Jozsef ]
> 
> > To build my traffic shaping policies, I currently use tc statements like:
> > 
> > tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32 match ip
> > src 10.1.1.1/24 match ip dst 10.2.1.1/24 match ip protocol 6 ...
> > 
> > This, although quick and "efficient", causes a great deal of
> > inconvenience for me, as when combined with the use of ipsets I have
> > to synchronise the (possible) contents of these sets with the above
> > tc statements in order to build my traffic shaping policies. So, my
> > question to the TC devs/contributors is very simple: would it be
> > possible to bring ipset into tc?
> 
> > In other words, to have tc ipset matching on src, destination,
> > protocol etc, instead of specifying hard-coded values like
> > "10.1.1.1/24", "10.2.1.1/24" and "protocol 6" in the example I used
> > above.
> > 
> > If that is not possible, what are the obstacles in implementing
> > this? If it is indeed possible to implement this, are there any
> > plans to do so, has the implementation already started (do you need
> > any volunteers :-) )? Many thanks in advance!
> 
> If you're really desperate you could try
> http://git.breakpoint.cc/gitweb/?p=fw/nf-next.git;a=shortlog;h=refs/heads/em_ipset_3
> userspace counterpart at:
> http://git.breakpoint.cc/gitweb/?p=fw/iproute2.git;a=shortlog;h=refs/heads/em_ipset_3
> 
> But beware.  This code is more than 6 months old; I never got around to
> actually testing it on a live system.  It's also a bit of a hack since
> ip_set_test() assumes it's called from netfilter (the ematch passes in a fake
> xt_action_param ...)

That's the usual way, iptables targets are also called with a fake 
xt_action_param in act_ipt.c.
 
> I've rebased it on the current tree and it should at least compile with recent kernels.
> 
> It's an ematch, so something like
> tc filter add dev ifb0 protocol ip parent be:0 prio 10 basic match \
> ipset'(foo src)' and ipset'(bar dst)'...
> 
> might work for you (or ipset'(foo src,dst)' if you have src/dst pairs in
> a single set).

Thanks, Florian.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary