Hi Andy,

Sorry for the much delayed reply. I just wanted to say thanks for the summary.

I finally managed to get things working using option 4. I found that using U32 to do anything but quite simple packet inspection quickly becomes pretty difficult to manage :(

Cheers,

Chris.

On Tue, 2013-11-12 at 18:31 +0000, Andrew Beverley wrote:
> On Tue, 2013-11-12 at 14:29 +0000, Chris Elston wrote:
> > Hello,
> >
> > I'm having a little trouble getting ingress policing working, filtering
> > based on an iptables fwmark.
>
> As you allude to, this is not possible with a vanilla kernel (unless
> it's changed recently).
>
> > Also, this diagram suggests that queueing to the ingress qdisc happens
> > before classification takes place:
> > http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>
> Yes, the ingress qdisc will see the packets before they have hit
> netfilter.
>
> > I'm hoping that someone on the list can let me know whether this is
> > actually possible with contemporary kernels, and if so, where I'm going
> > wrong.
>
> The only options I know of are:
>
> 1. Use IMQ (not in the vanilla kernel).
>
> 2. If you're forwarding packets, then use an egress qdisc on the output
> interface.
>
> 3. If you want to DROP packets, then you might be able to do so once the
> client sends reply packets, and therefore catch them using egress on
> their way back out.
>
> 4. Use a U32 filter on ingress. You may find the discussion here useful:
>
> http://www.spinics.net/lists/lartc/msg22354.html
>
> Andy
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe lartc" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
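The following is an added example, not code from either poster or from the LARTC list archive. It shows what "option 4" looks like in practice: because the ingress qdisc sees a packet before netfilter runs, an iptables fwmark is not available there, so the filter has to match on raw IPv4 header fields instead. The script builds the `tc` commands for an ingress police filter using u32 in its raw `value mask at offset` form (the part Chris found hard to manage), with a dry-run mode that only prints the commands, so it can be inspected without root. The interface name `eth0`, the port 80, and the rate and burst values are placeholders; `run`, `u32_proto`, `u32_dport` and `ingress_police` are helper names chosen for this example.

```shell
#!/bin/sh
# Added example: ingress policing with a raw u32 filter (the thread's "option 4").
# TC_DRY_RUN=1 (the default here) prints the tc commands instead of executing them.

run() {
    if [ "${TC_DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# IPv4 protocol number lives in byte 9 of the header. u32 compares 32-bit
# words, so it is the second byte of the word at offset 8 (ttl|proto|csum).
u32_proto() {
    printf 'match u32 0x%08x 0x00ff0000 at 8' "$(( $1 << 16 ))"
}

# TCP/UDP destination port is bytes 22-23, i.e. the low half of the word at
# offset 20 (sport|dport). This only holds when the IPv4 header has no options,
# which the caller guards with a version/IHL == 0x45 match.
u32_dport() {
    printf 'match u32 0x%08x 0x0000ffff at 20' "$1"
}

# ingress_police IFACE PROTO DPORT RATE BURST
# Attach the ingress qdisc and police matching packets, dropping the excess.
ingress_police() {
    iface=$1; proto=$2; dport=$3; rate=$4; burst=$5
    run tc qdisc add dev "$iface" handle ffff: ingress
    run tc filter add dev "$iface" parent ffff: protocol ip prio 1 u32 \
        match u8 0x45 0xff at 0 \
        $(u32_proto "$proto") \
        $(u32_dport "$dport") \
        police rate "$rate" burst "$burst" drop flowid :1
}

# Remove the ingress qdisc (and every filter attached to it).
ingress_clear() {
    run tc qdisc del dev "$1" ingress
}

# Example: police inbound TCP/80 on eth0 (placeholder interface and limits).
ingress_police "${IFACE:-eth0}" 6 80 1mbit 10k
```

Run it as-is to see the two `tc` lines it would execute; set `TC_DRY_RUN=0` and run as root to apply them. The `match u8 0x45 0xff at 0` selector is what keeps the fixed offsets honest: a packet carrying IP options would otherwise have its port word read from the wrong place.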