On Tue, 2013-11-12 at 14:29 +0000, Chris Elston wrote:
> Hello,
>
> I'm having a little trouble getting ingress policing working, filtering
> based on an iptables fwmark.

As you allude to, this is not possible with a vanilla kernel (unless it's
changed recently).

> Also, this diagram suggests that queueing to the ingress qdisc happens
> before classification takes place:
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

Yes, the ingress qdisc will see the packets before they have hit netfilter.

> I'm hoping that someone on the list can let me know whether this is
> actually possible with contemporary kernels, and if so, where I'm going
> wrong.

The only options I know of are:

1. Use IMQ (not in the vanilla kernel).
2. If you're forwarding packets, then use an egress qdisc on the output
   interface.
3. If you want to DROP packets, then you might be able to do so once the
   client sends reply packets, and therefore catch them using egress on
   their way back out.
4. Use a U32 filter on ingress.

You may find the discussion here useful:
http://www.spinics.net/lists/lartc/msg22354.html

Andy
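Options 2 and 4 from the reply above, as an added shell example that is not part of the original thread. It assumes a router where clients arrive on eth0 and are forwarded out eth1 (both interface names and the 10.0.0.0/8 prefix are constructed values), and by default prints the tc/iptables commands instead of running them, so it can be read without root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed topology: clients arrive on
# eth0 and are forwarded out eth1. DRY_RUN=1 (the default) prints the
# commands; run with DRY_RUN=0 as root to actually apply them.
DRY_RUN=${DRY_RUN:-1}
TC=${TC:-tc}
IPT=${IPT:-iptables}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Option 4: police on ingress with a u32 match. The ingress qdisc runs
# before netfilter, so no fwmark exists yet; match on packet headers instead.
# Usage: ingress_police_u32 DEV SRC_PREFIX RATE
ingress_police_u32() {
    run $TC qdisc add dev "$1" handle ffff: ingress
    run $TC filter add dev "$1" parent ffff: protocol ip prio 1 u32 \
        match ip src "$2" police rate "$3" burst 10k drop flowid :1
}

# Option 2: for forwarded traffic, set the mark in mangle/FORWARD and
# classify on the egress interface with the fw classifier, which does
# see the mark because egress queueing happens after netfilter.
# Usage: egress_fwmark_shape OUTDEV SRC_PREFIX MARK RATE CEIL
egress_fwmark_shape() {
    run $IPT -t mangle -A FORWARD -s "$2" -j MARK --set-mark "$3"
    run $TC qdisc add dev "$1" root handle 1: htb default 10
    run $TC class add dev "$1" parent 1: classid 1:10 htb rate "$5"
    run $TC class add dev "$1" parent 1: classid 1:20 htb rate "$4" ceil "$5"
    run $TC filter add dev "$1" parent 1: protocol ip prio 1 \
        handle "$3" fw flowid 1:20
}

# Demo with constructed values: police 10.0.0.0/8 to 1mbit on ingress,
# and shape the same clients to 512kbit (ceil 1mbit) on the way out.
ingress_police_u32 eth0 10.0.0.0/8 1mbit
egress_fwmark_shape eth1 10.0.0.0/8 1 512kbit 1mbit
```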