On 06/03/2019 13:15, Florian Westphal wrote:
>> Can cgroup classes work with the ingress hook of the netdev table?
>
> No. The netcls id is reachable only via the socket (skb->sk).
> For incoming packets, the earliest place where this is set/made
> available is the ipv4/ipv6 stack, if the protocol supports 'early
> demux'. Then, inet prerouting will work.
>
> Note however that this rate limiting via 'limit' (ingress policing)
> doesn't work when the protocol involved doesn't see packet loss as
> a sign to 'slow down' (datacenter tcp for example).
>
> I don't have a better suggestion though.
>

So basically TC + MARKs is the only option?