Re: Mark traffic on one machine, match on another machine?

Thanks a lot for your help, how can I evaluate --restore-mark before I classify and shape response traffic from the origin server?

I think you mean something like:

  # Copy ctmark to nfmark (e.g. 1, 2)
  iptables -A PREROUTING -t mangle -i eth0.2 -j CONNMARK --restore-mark

  # Classify by nfmark (e.g. 1, 2), send unmarked traffic to class 2:2
  tc filter add dev eth0.2 parent ffff: protocol ip handle 1 fw flowid 2:1 action mirred egress redirect dev ifb0
  tc filter add dev eth0.2 parent ffff: protocol ip handle 2 fw flowid 2:3 action mirred egress redirect dev ifb0
  tc filter add dev eth0.2 parent ffff: protocol ip u32 match u32 0 0 flowid 2:2 action mirred egress redirect dev ifb0

Just how can I get --restore-mark to evaluate before tc filter?

Another way I can imagine is with the CLASSIFY target:

  # Send unmarked traffic to class 2:2
  iptables -A PREROUTING -t mangle -i eth0.2 -m connmark --mark 1 -j CLASSIFY --set-class 2:1
  iptables -A PREROUTING -t mangle -i eth0.2 -m connmark --mark 2 -j CLASSIFY --set-class 2:3
  iptables -A PREROUTING -t mangle -i eth0.2 -j CLASSIFY --set-class 2:2

But I have the same challenge, how can I evaluate the CLASSIFY target before I shape traffic?

Or is there another way to classify and shape response traffic from the origin server based on the TOS/DSCP field of the request?

On 03/12/12 03:52 AM, Eliezer Croitoru wrote:
You use iptables mark + restore mark based on connection tracking.
you can mark the TOS on the outgoing postrouting table.
you can take a look at the iptables man pages:
http://ipset.netfilter.org/iptables.man.html
which has a --restore-mark example.

Eliezer

On 12/3/2012 10:43 AM, Jack Bates wrote:
I can imagine a couple ways of classifying traffic from our proxy server
based on the TOS/DSCP field, and also how to set the connection mark
based on this field. But how do I classify and shape response traffic
from the origin server based on the connection mark?
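An added configuration example (not from this thread or its authors) showing an ordering that does work: the ingress ffff: qdisc runs before netfilter's PREROUTING hook, so a fw filter there never sees a mark restored in that chain, whereas mangle FORWARD and POSTROUTING run before the egress root qdisc. It assumes eth0.2 faces the origin servers, a client-facing eth0.1 carries the responses, and an HTB qdisc 2: with classes 2:1, 2:2 and 2:3 already exists on eth0.1; the interface names, class numbers and DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Shape origin responses on the egress
# side (eth0.1), where the restored ctmark is visible to a fw filter.

OUT_DEV=${OUT_DEV:-eth0.1}   # responses leave toward the clients here (assumed)
IN_DEV=${IN_DEV:-eth0.2}     # responses from the origin arrive here (assumed)
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands, 0 = execute them

# Print or execute one command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Restore ctmark into nfmark in mangle FORWARD: this hook runs after the
# ingress qdisc but before the egress qdisc on $OUT_DEV, so the fw filters
# below see the mark.
restore_mark_rules() {
  run iptables -t mangle -A FORWARD -i "$IN_DEV" -o "$OUT_DEV" \
    -j CONNMARK --restore-mark
}

# fw filters on the egress root qdisc: nfmark 1 -> 2:1, 2 -> 2:3,
# everything else -> 2:2 (lower prio number is evaluated first).
egress_filters() {
  run tc filter add dev "$OUT_DEV" parent 2: protocol ip prio 1 handle 1 fw flowid 2:1
  run tc filter add dev "$OUT_DEV" parent 2: protocol ip prio 1 handle 2 fw flowid 2:3
  run tc filter add dev "$OUT_DEV" parent 2: protocol ip prio 2 u32 match u32 0 0 flowid 2:2
}

# Emit (or apply) the whole rule set: one iptables rule, three tc filters.
emit_all() {
  restore_mark_rules
  egress_filters
}

emit_all
```

With DRY_RUN=1 the script only prints the four commands, so it can be reviewed before being applied with DRY_RUN=0 as root.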

