Re: Nftables, netdev table, ingress hook and cgroup classes

Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
> # nft list table netdev traffic-control
> table netdev traffic-control {
>         chain INGRESS {
>                 type filter hook ingress device "bond0" priority filter; policy accept;
>                 limit rate over 10 kbytes/second counter packets 49 bytes 70952 drop
>         }
> }
> 
> Can cgroup classes work with the ingress hook of the netdev table?

No.  The netcls id is reachable only via the socket (skb->sk).
For incoming packets, the earliest place where this is set/made
available is the ipv4/ipv6 stack, if the protocol supports 'early
demux'.  Then, inet prerouting will work.

Note however that this rate limiting via 'limit' (ingress policing)
doesn't work when the protocol involved doesn't see packet loss as
a sign to 'slow down' (datacenter tcp for example).

I don't have a better suggestion though.
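As an added illustration that is not part of the original thread, the ruleset below keeps device-level policing in the netdev ingress hook (where no socket is attached to the skb yet) and places the per-cgroup policing in an inet-family chain in the input hook, which locally delivered packets reach only after the IPv4/IPv6 receive path has had the chance to attach the owning socket via early demux. The table names, the `bond0` device, the net_cls classid `0x00100001` and the rates are assumptions chosen for the example.

```nft
# Added example, not part of the original thread. Device name, table
# names, classid and rates are illustrative assumptions.

table netdev traffic-control {
    chain INGRESS {
        type filter hook ingress device "bond0" priority filter; policy accept;
        # Device-level policing only: at the ingress hook skb->sk is never
        # set, so a "meta cgroup" match placed here could never match.
        limit rate over 10 kbytes/second counter drop
    }
}

table inet cgroup-policing {
    chain input {
        type filter hook input priority filter; policy accept;
        # Locally delivered packets reach this hook after the IPv4/IPv6
        # receive path, where early demux (if enabled and supported by
        # the protocol) attaches the owning socket, making the net_cls
        # classid (cgroup v1 net_cls.classid, assumed 0x0010:0x0001 here)
        # visible to "meta cgroup". Packets whose socket was not found by
        # early demux carry no classid, do not match, and fall through to
        # the chain's accept policy.
        meta cgroup 0x00100001 limit rate over 5 kbytes/second counter drop
    }
}
```

Check the syntax with `nft -c -f <file>` before loading it with `nft -f <file>`, and confirm that early demux is actually on for the protocols in question with `sysctl net.ipv4.ip_early_demux net.ipv4.tcp_early_demux net.ipv4.udp_early_demux` (the tcp/udp toggles also govern the IPv6 path). As the reply above points out, both rules police by dropping, so they only throttle senders that treat loss as a signal to slow down; the `counter` on each rule is the quickest way to see whether the cgroup match is seeing any packets at all.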


