Re: Ingress shaping via connection marking

Linux Advanced Routing and Traffic Control

Hi,

On 06/13, David Shaw wrote:
> > On Wed, 2013-06-12 at 18:04 -0400, David Shaw wrote:
> > 
> > That's your problem I'm afraid. IFB grabs the packets before they hit
> > the netfilter stack, so they won't have any marks applied. Your only
> > options are:
> > 
> > 1. Do the shaping on the opposite outbound interface (so if you're
> > forwarding packets from ppp0 to eth0 and are trying to do the ingress
> > shaping on ppp0, then do it on the egress of eth0 instead). This only
> > works if you are actually forwarding packets.
> > 
> > 2. Use IMQ, which unfortunately is not part of the vanilla kernel.
> 
> This is what I was afraid of.  Unfortunately I'm not forwarding
> packets, so I'm wondering if I might be better off marking the packets
> in netfilter and then using tc with a policing filter to police the
> marked packets.  It wouldn't be as flexible as the IFB solution, but
> would I be able to match on the marked packets that way?

There is another way if you're willing to tinker around a little bit and
are running a recent (>=3.2) kernel. Create a network namespace, put the
physical device and one end of a veth pair into the namespace. Either
route between those two devices or just bridge them in the namespace and
use brtables to hand packets to iptables for connection marking. Shape
ingress on the veth in the namespace and egress on the physical device.

Regards,
Ben
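
Ben's recipe, written out as an added worked example (this is not code from the original thread or from the LARTC project). It takes the bridged variant: the physical NIC is moved into a namespace and bridged to one end of a veth pair, bridged frames are handed to iptables through the br_netfilter sysctl so CONNMARK can tag connections in the namespace's mangle FORWARD chain, and HTB with an fw filter shapes the host's ingress on the veth end's egress and the host's egress on the physical device. The device names (eth0, veth0, veth1, br0), the namespace name, the address, the port used as the "interactive" class and the link rates are all assumptions; with no argument the script only prints the commands, so it can be inspected before it is run as root. A point-to-point upstream such as ppp0 cannot be enslaved to a bridge, so that case needs the routed variant Ben mentions instead, which this script does not show.

```shell
#!/bin/sh
# Added example (not code from the original thread): Ben's recipe for ingress
# shaping on a host that does not forward. The physical NIC is moved into a
# network namespace and bridged to one end of a veth pair; inside the
# namespace, bridged packets are handed to iptables (br_netfilter), where
# CONNMARK tags each connection, and the egress qdisc of the veth end, which
# carries the host's *ingress* traffic, classifies on that mark. Outbound
# traffic is shaped on the physical device's egress, also in the namespace.
# Every device name, address, port and rate below is an assumption.
#
#   root ns:  host address lives on $HOST_VETH
#                   | veth pair
#   ns $NS:   $NS_VETH ==[ $BR ]== $PHYS  <-- wire
#
# Usage:  sh shaper.sh             # preview the commands
#         sudo sh shaper.sh apply  # execute them (root, iproute2 >= 3.x)

NS=${NS:-shaper}
PHYS=${PHYS:-eth0}
HOST_VETH=${HOST_VETH:-veth0}
NS_VETH=${NS_VETH:-veth1}
BR=${BR:-br0}
HOST_ADDR=${HOST_ADDR:-192.0.2.10/24}   # assumed static address (TEST-NET-1)
GW=${GW:-192.0.2.1}
DOWN_KBIT=${DOWN_KBIT:-10000}           # assumed link speeds, in kbit/s
UP_KBIT=${UP_KBIT:-1000}
MARK_PRIO=1                             # fwmark for the interactive class

# run: execute a command, or print it when DRY_RUN=1 (preview / tests).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# ns: run a command inside the shaping namespace.
ns() { run ip netns exec "$NS" "$@"; }

# htb_on DEV KBIT: root HTB on DEV, class 1:10 (interactive, 30% guaranteed)
# and 1:20 (default, 70% guaranteed), both able to borrow up to the full
# rate, plus an fw filter steering packets marked $MARK_PRIO into 1:10.
htb_on() {
    dev=$1; kbit=$2
    ns tc qdisc add dev "$dev" root handle 1: htb default 20
    ns tc class add dev "$dev" parent 1: classid 1:1 htb rate "${kbit}kbit"
    ns tc class add dev "$dev" parent 1:1 classid 1:10 htb \
        rate "$((kbit * 3 / 10))kbit" ceil "${kbit}kbit" prio 1
    ns tc class add dev "$dev" parent 1:1 classid 1:20 htb \
        rate "$((kbit * 7 / 10))kbit" ceil "${kbit}kbit" prio 2
    ns tc filter add dev "$dev" parent 1: protocol ip prio 1 \
        handle "$MARK_PRIO" fw classid 1:10
}

setup_shaper() {
    # 1. Namespace and veth pair; one veth end and the physical NIC go inside.
    run ip netns add "$NS"
    run ip link add "$HOST_VETH" type veth peer name "$NS_VETH"
    run ip link set "$NS_VETH" netns "$NS"
    run ip link set "$PHYS" netns "$NS"

    # 2. Bridge them in the namespace. A point-to-point device such as ppp0
    #    cannot be enslaved to a bridge; that case needs the routed variant.
    ns ip link add "$BR" type bridge
    ns ip link set "$PHYS" master "$BR"
    ns ip link set "$NS_VETH" master "$BR"
    ns ip link set "$PHYS" up
    ns ip link set "$NS_VETH" up
    ns ip link set "$BR" up
    #    Hand bridged IPv4 frames to iptables so the mangle FORWARD chain
    #    (and conntrack) sees them. Before kernel 5.3 this sysctl is global
    #    rather than per-namespace; the write still takes effect.
    ns sysctl -q -w net.bridge.bridge-nf-call-iptables=1

    # 3. The address that used to sit on $PHYS now lives on the host's veth end.
    run ip link set "$HOST_VETH" up
    run ip addr add "$HOST_ADDR" dev "$HOST_VETH"
    run ip route add default via "$GW" dev "$HOST_VETH"

    # 4. Connection marking: restore the connection's mark onto each packet,
    #    mark still-unmarked SSH flows (first packet has dport 22 whichever
    #    side opened the session), then save the mark back so replies and
    #    every later packet carry it without matching the port again.
    ns iptables -t mangle -A FORWARD -j CONNMARK --restore-mark
    ns iptables -t mangle -A FORWARD -m mark --mark 0 -p tcp --dport 22 \
        -j MARK --set-mark "$MARK_PRIO"
    ns iptables -t mangle -A FORWARD -j CONNMARK --save-mark

    # 5. Shaping. The host's ingress is $NS_VETH's *egress* (towards the host)
    #    and its egress is $PHYS's egress (towards the wire); both are plain
    #    egress qdiscs, so the fwmark set above is visible to the fw filter.
    htb_on "$NS_VETH" "$DOWN_KBIT"
    htb_on "$PHYS" "$UP_KBIT"
}

if [ "${1:-}" = "apply" ]; then
    setup_shaper
else
    (DRY_RUN=1; setup_shaper)
fi
```

The order of the three mangle rules matters: the restore comes first so an already-marked connection skips the port match, and the save comes last so the first packet's mark is written to the conntrack entry before the reply arrives. Because both shaping points are egress qdiscs inside the namespace, the usual IFB limitation (no netfilter marks visible at ingress) does not arise; the price is that the host's own address configuration has to move to the veth end in the root namespace, so this is best applied from a console rather than over the network.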