Re: Ingress qdisc via fwmark

[Chris Elston <celston@katalix.com>]

Hi Andy,

Sorry for the much delayed reply. I just wanted to say thanks for the
summary. 

I finally managed to get things working using option 4. I found that
using U32 to do anything but quite simple packet inspection quickly
becomes pretty difficult to manage :(

Cheers,

Chris.

On Tue, 2013-11-12 at 18:31 +0000, Andrew Beverley wrote:
> On Tue, 2013-11-12 at 14:29 +0000, Chris Elston wrote:
> > Hello,
> > 
> > I'm having a little trouble getting ingress policing working, filtering
> > based on an iptables fwmark.
> 
> As you allude to, this is not possible with a vanilla kernel (unless
> it's changed recently).
> 
> > Also, this diagram suggests that queueing to the ingress qdisc happens
> > before classification takes place:
> > http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
> 
> Yes, the ingress qdisc will see the packets before they have hit
> netfilter.
> 
> > I'm hoping that someone on the list can let me know whether this is
> > actually possible with contemporary kernels, and if so, where I'm going
> > wrong.
> 
> The only options I know of are:
> 
> 1. Use IMQ (not in the vanilla kernel).
> 
> 2. If you're forwarding packets, then use an egress qdisc on the output
> interface.
> 
> 3. If you want to DROP packets, then you might be able to do so once the
> client sends reply packets, and therefore catch them using egress on
> their way back out.
> 
> 4. Use a U32 filter on ingress. You may find the discussion here useful:
> 
> http://www.spinics.net/lists/lartc/msg22354.html
> 
> Andy
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe lartc" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html