On Jun 12, 2013, at 7:05 PM, Andrew Beverley <andy@xxxxxxxxxxx> wrote:

> On Wed, 2013-06-12 at 18:04 -0400, David Shaw wrote:
> [...]
>> Unfortunately, this doesn't work. While the restore-mark/save-mark
>> stuff works great, and the incoming packets do have the correct mark as
>> set by the process originating the connection, and the ifb stuff works
>> great in that it forwards the incoming data to the ifb device, I can't
>> connect the two. It seems the mirred egress grabs the incoming packets
>> before they go through iptables and so their marks are never restored,
>> and thus the only data I see on the ifb device is not marked.
>
> That's your problem I'm afraid. IFB grabs the packets before they hit
> the netfilter stack, so they won't have any marks applied. Your only
> options are:
>
> 1. Do the shaping on the opposite outbound interface (so if you're
> forwarding packets from ppp0 to eth0 and are trying to do the ingress
> shaping on ppp0, then do it on the egress of eth0 instead). This only
> works if you are actually forwarding packets.
>
> 2. Use IMQ, which unfortunately is not part of the vanilla kernel.

This is what I was afraid of. Unfortunately I'm not forwarding packets, so I'm wondering if I might be better off marking the packets in netfilter and then using tc with a policing filter to police the marked packets. It wouldn't be as flexible as the IFB solution, but would I be able to match on the marked packets that way?

David
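Option 1 from Andrew's message, written out as an added example that is not part of the thread: CONNMARK save/restore in the mangle table plus an HTB shaper with a fw filter on the eth0 egress, where tc runs after netfilter has restored the mark. The interface names ppp0/eth0 come from the thread; the mark value, the rates and the "TCP port 443" classifier are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): shape forwarded replies on the LAN egress,
# where the fw mark restored by CONNMARK is visible to tc. Assumed values: LAN=eth0
# (replies come in on ppp0), mark 1, the rates below, and TCP port 443 as classifier.
LAN="${LAN:-eth0}"          # forwarded replies leave here; tc egress runs after netfilter
MARK=1                      # fw mark stored in conntrack for the chosen connections
LAN_RATE=10mbit             # total rate for the LAN egress
MARKED_RATE=2mbit           # guaranteed share for marked connections
OTHER_RATE=8mbit            # guaranteed share for everything else

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Restore the conntrack mark onto every packet (including the replies arriving on
# ppp0), mark not-yet-marked connections coming from the LAN, and save the mark back.
setup_connmark() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN" -m mark --mark 0 \
        -p tcp --dport 443 -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --save-mark
}

# HTB on the LAN egress: the fw filter sends marked packets to 1:10, default is 1:20.
setup_egress_shaping() {
    run tc qdisc replace dev "$LAN" root handle 1: htb default 20
    run tc class add dev "$LAN" parent 1: classid 1:1 htb rate "$LAN_RATE"
    run tc class add dev "$LAN" parent 1:1 classid 1:10 htb rate "$MARKED_RATE" ceil "$LAN_RATE"
    run tc class add dev "$LAN" parent 1:1 classid 1:20 htb rate "$OTHER_RATE" ceil "$LAN_RATE"
    run tc filter add dev "$LAN" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10
}

case "${1:-}" in
    apply) setup_connmark; setup_egress_shaping ;;
esac
```

Run as `DRY_RUN=0 sh shape.sh apply` to install the rules. A fw filter on the ppp0 ingress qdisc would see packets at the same point as the mirred redirect, before netfilter, which is why the shaping has to sit on the eth0 egress.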