Ingress shaping via connection marking

Linux Advanced Routing and Traffic Control

Hello,

I want to shape traffic both in and out of a Linux box.  Currently, I have various processes and each uses SO_MARK to set a mark on their packets, a different mark for each class of process.  Then I have a tc filter that looks for those marks and sends it on to an appropriate qdisc where the shaping happens.  This works great, and I can shape on a per-mark (in practice, per process, or per group of processes) basis, but of course all this only applies to outbound data.

What I'd like to do is extend this basic idea for inbound data.  My initial thought was to use tc action mirred egress to mirror the data onto an ifb device, and then set up the same sort of shaping as above (a different qdisc for each mark), but on the ifb device.  To get the marks on the incoming data, I could do something like:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

This way the packets coming back from the other side would have the same mark I was setting on the outbound packet that initiated the connection.

Unfortunately, this doesn't work.  While the restore-mark/save-mark stuff works great, and the incoming packets do have the correct mark as set by the process originating the connection, and the ifb stuff works great in that it forwards the incoming data to the ifb device, I can't connect the two.  It seems the mirred egress grabs the incoming packets before they go through iptables and so their marks are never restored, and thus the only data I see on the ifb device is not marked.

So here's my question: does anyone have any suggestions on how I can accomplish this?  In an ideal world I could keep the basic "processes mark outgoing packets to indicate how much shaping the outgoing and response packets should get" concept, but if there is a better way to accomplish the goal, I'm all for it.

Thanks for any help,

David
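Added example (not part of David's post): one way to join the two halves is to restore the connection mark inside the tc ingress path with the `connmark` action (act_connmark, available since Linux 4.0), placed ahead of the mirred redirect, so packets reach the ifb device already carrying the mark that CONNMARK --save-mark stored on the egress side. Interface names, mark values and rates are assumptions; with DRY_RUN=1 the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: ingress shaping on an ifb device keyed by the fw mark that
# the tc "connmark" action restores from conntrack before mirred redirects
# the packet.  Assumed names: WAN=eth0, IFB=ifb0, process marks 1 and 2.
WAN=${WAN:-eth0}
IFB=${IFB:-ifb0}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1 (used for offline checks).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Egress side: processes set the mark with SO_MARK; copy it onto the
# conntrack entry so the reply direction of the connection inherits it.
setup_connmark() {
    run iptables -t mangle -A POSTROUTING -o "$WAN" -j CONNMARK --save-mark
}

# Ingress side: the connmark action runs in the tc ingress hook, which is
# earlier than netfilter PREROUTING, so the mark is present when mirred
# hands the packet to the ifb device.
setup_ingress() {
    run ip link add "$IFB" type ifb
    run ip link set "$IFB" up
    run tc qdisc add dev "$WAN" handle ffff: ingress
    run tc filter add dev "$WAN" parent ffff: protocol ip prio 1 u32 \
        match u32 0 0 \
        action connmark \
        action mirred egress redirect dev "$IFB"
}

# Shaping on the ifb device, one class per mark, like the egress layout.
setup_ifb_shaping() {
    run tc qdisc add dev "$IFB" root handle 1: htb default 30
    run tc class add dev "$IFB" parent 1: classid 1:1 htb rate 20mbit
    run tc class add dev "$IFB" parent 1:1 classid 1:10 htb rate 10mbit ceil 20mbit
    run tc class add dev "$IFB" parent 1:1 classid 1:20 htb rate 5mbit ceil 20mbit
    run tc class add dev "$IFB" parent 1:1 classid 1:30 htb rate 1mbit ceil 20mbit
    run tc filter add dev "$IFB" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
    run tc filter add dev "$IFB" parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
}

# Full setup; call as root (requires the ifb and act_connmark modules).
setup_all() { setup_connmark && setup_ingress && setup_ifb_shaping; }
```

Run `DRY_RUN=1 sh script.sh -c setup_all` style invocations or source the file and call `setup_all` as root; unmarked inbound traffic falls into the default class 1:30.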

--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



