Re: fwmark and ingress

On Tue, 2012-03-27 at 18:16 +0200, Marco Gaiarin wrote:
<snip>
> > You can use u32 on ingress to set fwmark - well you could once,
> > these docs are also quite old, but are in current iproute2 git.
> 
> I know that. But I set marks using some advanced iptables features, for
> example connmark_sip to match VoIP traffic, and I also use connmark
> save/connmark restore to prevent the re-marking of all the traffic.

Unless I've missed something, if you want to shape on ingress, you have
no choice but to mark each packet :(  Conntrack is not functional at
that point I believe.
> 
> For that, I'm looking for a way to police (for ingress, it will suffice
> to drop) traffic based on connmarks.

If you are only policing, I do not believe you need an IFB interface.
The policing policy will be set on the tc filter.  I think you will only
need IFB interfaces if you want to shape or want the same rules to apply
to multiple interfaces.
<snip>
> 2) will the marks that I set inside the ifb interfaces survive to the
>  outer one? This post:
> 	http://mailman.ds9a.nl/pipermail/lartc/2006q4/019720.html
>  says no, and that also seems reasonable.
> 
I do recall having a problem with this.  I don't remember the details
but it may have been that any new connmarks from iptables overwrote the
mark given on the ingress filter.  I'm really not sure about that - John
