On Sun, 2012-06-17 at 23:52 +0100, Mr Dash Four wrote:
> >> Also, I completely forgot ipsets which have/store mac addresses. I
> >> haven't tested those yet, but I suspect I am going to run into the
> >> same problem - eth0 vs ifb0. As far as I know ifb0 doesn't have mac
> >> address, in which case it makes more sense to develop the match
> >> based on real interfaces, don't you think?
> >
> > It's a random mac address.
> > What about changing this so that the original interface is the 'source'
> > interface and ifb the 'dest' interface?
> >
> > Then you could use
> > basic match ipset\(h_test-hosts src,dst\)
> > to ask for ifb0 matching and
> > basic match ipset\(h_test-hosts src,src,dst\)
> > for ethX match.
> I just realised that bitmap:ip,mac type of set (it is the only set which
> uses mac addresses) matches mac *only* on source and since ifb0 is only
> used on traffic coming in, then it is a moot point (I still have to test
> this though) - the above won't be needed, at least not for ip,mac
> address matching.
<snip>

Does ipset even work on ifb interfaces? I thought those processed
traffic before it even hit iptables processing. We do not yet use ipset
(very much want to but have not had the time to explore it) but we do
use ifb interfaces for traffic other than ingress shaping, e.g., when
applying the same shaping rules to multiple physical interfaces - John