On Fri, 2013-08-23 at 17:30 +0800, Horace wrote:
> IFB sits before netfilter, which provides less flexibility and means
> that you can't mark packets to classify your traffic for shaping. It is,
> however, in the vanilla kernel. Disadvantage: less flexibility.
>
> Thanks. What exactly needs to be marked with iptables if you can simply
> use tc u32 filter instead? Just for stateful marking, i.e.
> NEW/ESTABLISHED?

Stateful marking is one advantage, but there are many more reasons, as you have access to the whole range of iptables matching rules.

> BTW, I've tested with IFB ingress shaping, the problem still persists.
> I can see the tokens going negative even when the rate does not reach
> the limit.

We'll need some more information in order to help. Please post your exact current setup and rules, and if possible narrow it down to a particular instance that's showing the problem.

Andy

--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
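The two classification paths the reply contrasts, as an added example that is not part of the thread: ingress shaping through IFB, where the redirect happens before netfilter so only header matches such as u32 are available, and egress shaping on the real interface, where iptables marks (including a conntrack state match) are picked up by a tc fw filter. The interface names eth0 and ifb0, the rates and port 22 are assumed placeholders; by default the script prints the commands instead of running them (set TC=tc IPT=iptables as root to apply).

```shell
#!/bin/sh
# Added example, not from the list thread. TC and IPT default to "echo"
# so the commands are printed, not executed; interface names, rates and
# the port are placeholders.
TC=${TC:-echo tc}
IPT=${IPT:-echo iptables}
WAN=${WAN:-eth0}

# Path 1: ingress via IFB. The ingress qdisc runs before netfilter, so the
# mangle table cannot have marked anything yet; classification on ifb0 has
# to use header fields (u32). Here TCP to port 22 goes to the priority class.
ifb_ingress_u32() {
  $TC qdisc add dev "$WAN" handle ffff: ingress
  $TC filter add dev "$WAN" parent ffff: protocol ip u32 match u32 0 0 \
      action mirred egress redirect dev ifb0
  $TC qdisc add dev ifb0 root handle 1: htb default 20
  $TC class add dev ifb0 parent 1: classid 1:1 htb rate 8mbit
  $TC class add dev ifb0 parent 1:1 classid 1:10 htb rate 2mbit ceil 8mbit prio 1
  $TC class add dev ifb0 parent 1:1 classid 1:20 htb rate 6mbit ceil 8mbit prio 2
  $TC filter add dev ifb0 parent 1: protocol ip prio 1 u32 \
      match ip protocol 6 0xff match ip dport 22 0xffff flowid 1:10
}

# Path 2: egress on the real interface. Packets have already traversed
# netfilter, so mangle/POSTROUTING can set a mark using any iptables match
# (port, conntrack state, ...) and a tc "fw" filter classifies on that mark.
egress_fwmark() {
  $IPT -t mangle -A POSTROUTING -o "$WAN" -p tcp --dport 22 -j MARK --set-mark 10
  $IPT -t mangle -A POSTROUTING -o "$WAN" -m conntrack --ctstate NEW \
      -j MARK --set-mark 10
  $TC qdisc add dev "$WAN" root handle 1: htb default 20
  $TC class add dev "$WAN" parent 1: classid 1:1 htb rate 1mbit
  $TC class add dev "$WAN" parent 1:1 classid 1:10 htb rate 256kbit ceil 1mbit prio 1
  $TC class add dev "$WAN" parent 1:1 classid 1:20 htb rate 768kbit ceil 1mbit prio 2
  $TC filter add dev "$WAN" parent 1: protocol ip prio 1 handle 10 fw flowid 1:10
}
```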