2012/12/14, Andrew Collins <bsderandrew@xxxxxxxxx>:
>> The traffic will be ingress on eth0.2, but it will be treated as
>> egress on ifb0 device.
>> Using ifb is a common scheme to overcome the above-mentioned limitation.
>
> From the point of view of queueing/TC this is true, however it will
> not pass through the netfilter hooks while going through the IFB, so
> iptables/conntrack will still have no chance to see it until after
> it's already egressed the qdisc attached to the IFB.
>

To my shame, you are right. The IFB device has no netfilter hooks, so we cannot use iptables to mark traffic on it.
The external incoming traffic should be shaped on the internal outgoing interface.

--
Best regards
Anatoly Muliarski