Re: fwmark and ingress

Linux Advanced Routing and Traffic Control


On Mon, 2012-03-26 at 12:50 +0200, Marco Gaiarin wrote:
<snip>
> And sorry to the list for my arrival... my previous messages are
> about:
> 
> 	http://opalsoft.net/qos/DS-27.htm
> 
> where it seems that we can do ingress filtering based on fwmarks.
> 
> 
> Andy and Andrew replied to me with:
> 
> 	http://jengelh.medozas.de/images/nf-packet-flow.png
> 
> explaining to me that my first link was outdated, and in the 2.6 kernel
> ingress is before marking (so, there's no way to do what I need).
> 
> 
> So it seems that the only ways to filter ingress are u32 or ifb,
> redirecting traffic to the egress of another interface.
> 
> 
> A question: with an 'egress redirect' I can redirect traffic, but
> ''where'' does it come back?
> A bit deeper: if I have multiple interfaces, do I have to define an ifb
> for each one, or does one ifb suffice because ifb ''remembers'' the input
> interface?
> 
> As for the second link above, is there a ''picture'' of traffic flow in ifb?
<snip>
I believe IFB returns the packet to the exact point from which it
received it.  For example, if I recall correctly, we often use IFB
interfaces for egress filtering in VPN environments with virtual
interfaces, e.g., tun interfaces in OpenVPN, so that we do not need to
write identical sets of rules for each interface.  The packets are
returned to the interface from which they came.  I am no expert but that
is my experience - John
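
The shared-IFB arrangement discussed in this thread, for the ingress case, as an added example that is not part of John's message or anyone else's post. The names ifb0, eth0 and eth1 and the 10mbit rate are assumptions; the script only prints the commands unless IFB_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumed values: ifb0, eth0, eth1, the 10mbit rate, and the IFB_APPLY switch.

run() {
    # Print each command; execute it only when IFB_APPLY=1 (needs root).
    echo "$*"
    if [ "${IFB_APPLY:-0}" = "1" ]; then "$@"; fi
}

shared_ifb_ingress() {
    # $1 = IFB device, remaining arguments = interfaces feeding it.
    ifb=$1; shift

    run ip link add "$ifb" type ifb
    run ip link set "$ifb" up

    # One rule set, written once, on the IFB's egress side.
    run tc qdisc add dev "$ifb" root handle 1: htb default 10
    run tc class add dev "$ifb" parent 1: classid 1:10 htb rate 10mbit

    for dev in "$@"; do
        # Ingress runs before netfilter marking, so the filter matches
        # with u32 (here: every IP packet) rather than with an fwmark.
        run tc qdisc add dev "$dev" handle ffff: ingress
        run tc filter add dev "$dev" parent ffff: protocol ip u32 \
            match u32 0 0 action mirred egress redirect dev "$ifb"
    done
}

# Dry run with two constructed interface names.
shared_ifb_ingress ifb0 eth0 eth1
```

With a single IFB, the htb class limits the combined traffic of every interface redirected to it; per-interface limits need either separate classes selected by a packet field or one IFB per interface.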
