Hi All,

With the latest addition of storing skbinfo (mainly skbprio) in ipset and then applying it later to the traffic as and when it passes the iptables ruleset, it becomes relatively easy and simple to do traffic shaping.

IMHO one of the features which we can add is an ipset of only fwmarks, i.e. fwmarks will be hashed and stored in the ipset, and then later using these marks we can instantly (in a single lookup) set the traffic class.

The motivation for this is the fact that just reading the mark can signify which fw rule it belongs to (no matter how complex that firewall rule was). So if we do traffic shaping based on marks, it becomes straightforward traffic shaping for that fw rule.

Now as the number of rules increases, this lookup will also increase linearly and, more importantly, we can't take advantage of any statefulness here, i.e. if there are 100 rules then every time my packet will have to go down 100 lines, get matched, get its skbprio value and then move forward.

However, if we have such an ipset as I am mentioning, all these skbprio settings and all can always be done in a single shot. Say we make something like:

    ipset -N MARK-TC-MAP hash:mark skbinfo
    iptables -t mangle -A POSTROUTING -j SET --map-set MARK-TC-MAP src --map-prio

What's your view on this?
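The contrast the post describes, written out as an added example that is not part of the original message: the script only prints configuration text and applies nothing to the kernel. The mark-to-class table is constructed, the per-mark CLASSIFY rules are an assumed rendering of the linear form, and the set form follows the post's proposed `hash:mark skbinfo` set with entries in ipset's skbinfo syntax.

```shell
#!/bin/sh
# Added example: emits configuration text only; nothing is applied.
# MAP is a constructed table of "fwmark tc-class" pairs.
MAP='0x1 1:10
0x2 1:20
0x3 1:30'

# True when the argument is a non-empty string of hex digits.
is_hex() { case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac; }

# Accept only a 0x-prefixed fwmark and a major:minor tc class handle,
# so malformed table rows never reach the generated rules.
valid_pair() {
    case "$1" in 0x*) is_hex "${1#0x}" || return 1 ;; *) return 1 ;; esac
    case "$2" in *:*) is_hex "${2%%:*}" && is_hex "${2#*:}" ;; *) return 1 ;; esac
}

# Per-mark form: one mangle rule per mark, walked linearly by each packet.
linear_rules() {
    printf '%s\n' "$MAP" | while read -r mark class; do
        valid_pair "$mark" "$class" || continue
        printf 'iptables -t mangle -A POSTROUTING -m mark --mark %s -j CLASSIFY --set-class %s\n' "$mark" "$class"
    done
}

# Set form: entries in `ipset restore` syntax, then the single SET rule
# from the post that maps the stored skbprio onto the packet.
set_form() {
    printf 'create MARK-TC-MAP hash:mark skbinfo\n'
    printf '%s\n' "$MAP" | while read -r mark class; do
        valid_pair "$mark" "$class" || continue
        printf 'add MARK-TC-MAP %s skbprio %s\n' "$mark" "$class"
    done
    printf 'iptables -t mangle -A POSTROUTING -j SET --map-set MARK-TC-MAP src --map-prio\n'
}

linear_rules
set_form
```

Adding a mark in the set form changes only the set contents; the number of rules a packet traverses stays at one.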