Re: Rate-Limiting (tc/CBQ) & Load Balancing Question

Maybe I will write something wrong here.

My understanding is that each interface has a queue to manage the
traffic going through [..] but maybe the magic can be done by filtering
in the raw table of iptables. The raw table is the first place the
packets hit when entering the box, but the raw table is used to mark
packets that will not be tracked by the conntrack system.

While reading your post, I'm thinking about the question of which
came first, the chicken or the egg. But if it does not matter to you
on which interfaces the packets are marked, a bridge+firewall can be a
solution.

Be gentle if I'm completely wrong.

Jorge Dávila.



On Mon, Jul 13, 2009 at 1:39 PM, Chris Bradley<cbradley@xxxxxxxxxxxxx> wrote:
> Hello, I am working on a project in which I am trying to both load
> balance upstream Internet connections as well as rate-limit individual
> users of those connections to asymmetrical upstream/downstream rates.
>
> I have worked with iptables/tc/cbq for some time and the rate-limiting
> is being accomplished by creating qdiscs on the inside and outside
> interfaces (for simplicity's sake). In the mangle table iptables is
> then marking packets with the corresponding cbq ID. With only a single
> upstream and downstream interface this works very well and I can
> rate-limit 500-1000 users quite easily.
>
> The challenge I have not been able to overcome, or find much
> information on how to, is to have multiple load-balanced (weighted)
> upstream connections and still rate-limit individual users across
> those connections. I have tried creating qdiscs for each interface,
> however being that the CBQ IDs are related to interfaces there is not
> a reliable mechanism to ensure all packets of a specific user are
> marked and thus rate-limited appropriately.
>
> Any help or suggestions would be appreciated. Ultimately I would like
> a way to mark and track packets independent of the upstream (or
> downstream) routing interface. I am open to any/all suggestions. I am
> currently working with the latest Debian stable (latest stable kernel,
> iptables, etc.) and I have complete control over the OS and
> configuration so if there is a different way to skin this cat please
> let me know. (Sorry to all the cat lovers out there.)
>
> Cheers,
>
> Chris
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



-- 
Jorge Isaac Dávila López
+505 8430 5462
jorgedavilalopez@xxxxxxxxx
---
This land is Linux. On quiet nights you can hear the
Windows machines rebooting...