On Jun 12, 2013, at 7:18 PM, John A. Sullivan III <jsullivan@xxxxxxxxxxxxxxxxxxx> wrote:

> On Thu, 2013-06-13 at 00:05 +0100, Andrew Beverley wrote:
>> On Wed, 2013-06-12 at 18:04 -0400, David Shaw wrote:
>> [...]
>>> Unfortunately, this doesn't work. While the restore-mark/save-mark
>>> stuff works great, and the incoming packets do have the correct mark as
>>> set by the process originating the connection, and the ifb stuff works
>>> great in that it forwards the incoming data to the ifb device, I can't
>>> connect the two. It seems the mirred egress grabs the incoming packets
>>> before they go through iptables and so their marks are never restored,
>>> and thus the only data I see on the ifb device is not marked.
>>
>> That's your problem I'm afraid. IFB grabs the packets before they hit
>> the netfilter stack, so they won't have any marks applied. Your only
>> options are:
>>
>> 1. Do the shaping on the opposite outbound interface (so if you're
>> forwarding packets from ppp0 to eth0 and are trying to do the ingress
>> shaping on ppp0, then do it on the egress of eth0 instead). This only
>> works if you are actually forwarding packets.
>>
>> 2. Use IMQ, which unfortunately is not part of the vanilla kernel.
>>
> <snip>
> We faced the same issue and found that we could do it with the IFB
> interface but needed to do the classification with tc filters. Although
> it took quite a bit of getting used to, we were able to produce some very
> sophisticated results similar to what we would normally do with iptables
> including chaining filters.

Interesting. I can see how I could use tc filters to match on various things, but is there some way (aside from using marks, of course) to have a filter match on the return packets from a particular connection? It seems I would need connection tracking for that, and would run into the same problem with marks.

David