Re: Ingress shaping via connection marking

Linux Advanced Routing and Traffic Control

On Thu, 2013-06-13 at 00:05 +0100, Andrew Beverley wrote:
> On Wed, 2013-06-12 at 18:04 -0400, David Shaw wrote:
> [...]
> > Unfortunately, this doesn't work.  While the restore-mark/save-mark
> > stuff works great, and the incoming packets do have the correct mark as
> > set by the process originating the connection, and the ifb stuff works
> > great in that it forwards the incoming data to the ifb device, I can't
> > connect the two.  It seems the mirred egress grabs the incoming packets
> > before they go through iptables and so their marks are never restored,
> > and thus the only data I see on the ifb device is not marked.
> 
> That's your problem I'm afraid. IFB grabs the packets before they hit
> the netfilter stack, so they won't have any marks applied. Your only
> options are:
> 
> 1. Do the shaping on the opposite outbound interface (so if you're
> forwarding packets from ppp0 to eth0 and are trying to do the ingress
> shaping on ppp0, then do it on the egress of eth0 instead). This only
> works if you are actually forwarding packets.
> 
> 2. Use IMQ, which unfortunately is not part of the vanilla kernel.
> 
<snip>
We faced the same issue and found that we could do it with the IFB
interface but needed to do the classification with tc filters.  Although
it took quite a bit of getting used to, we were able to produce some very
sophisticated results similar to what we would normally do with iptables
including chaining filters.

--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
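
The approach described in the reply above, as an added example that is not part of the original thread or the poster's own configuration: ingress traffic is redirected to an IFB device and classified there with chained tc u32 filters, because netfilter marks are not yet set at that point. The interface names, rates, class ids and the choice of TCP source port 443 as the priority traffic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed): ingress shaping through IFB, classifying with
# tc u32 filters instead of netfilter marks. eth0/ifb0, the rates, the class
# ids and port 443 are assumed values, not taken from the thread.

# Prints the commands. Review them, then apply as root with:
#   ifb_plan eth0 ifb0 | sh -e
ifb_plan() {
    wan=$1; ifb=$2
    cat <<EOF
modprobe ifb numifbs=1
ip link set dev $ifb up
# Redirect everything arriving on $wan to $ifb. This happens before the
# netfilter stack, so CONNMARK --restore-mark has not run and fwmark is 0.
tc qdisc add dev $wan handle ffff: ingress
tc filter add dev $wan parent ffff: protocol ip prio 1 u32 match u32 0 0 action mirred egress redirect dev $ifb
# Shape on the egress side of $ifb; unclassified traffic falls into 1:30.
tc qdisc add dev $ifb root handle 1: htb default 30
tc class add dev $ifb parent 1: classid 1:1 htb rate 10mbit
tc class add dev $ifb parent 1:1 classid 1:10 htb rate 6mbit ceil 10mbit
tc class add dev $ifb parent 1:1 classid 1:30 htb rate 4mbit ceil 10mbit
# Chained u32 filters: table 2: holds the TCP rules; the root table (800:)
# links to it for TCP packets, using the IP header length as the offset.
tc filter add dev $ifb parent 1: protocol ip prio 1 handle 2: u32 divisor 1
tc filter add dev $ifb parent 1: protocol ip prio 1 u32 ht 2: match tcp src 443 0xffff flowid 1:10
tc filter add dev $ifb parent 1: protocol ip prio 1 u32 ht 800: match ip protocol 6 0xff link 2: offset at 0 mask 0x0f00 shift 6
EOF
}

# When called with two arguments, print the plan for those interfaces.
if [ $# -eq 2 ]; then ifb_plan "$1" "$2"; fi
```

Because the filters see only packet headers, they can select on addresses, protocol and ports but not on the per-process connection mark the original poster was saving and restoring.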



