From: Chris Elston
Date: Wed, 27 Nov 2013 17:31:11 +0000
Subject: Re: Ingress qdisc via fwmark
Message-Id: <1385573471.3573.11.camel@Desktop>
References: <1384266540.24209.41.camel@Desktop>
In-Reply-To: <1384266540.24209.41.camel@Desktop>
To: lartc@vger.kernel.org

Hi Andy,

Sorry for the much delayed reply. I just wanted to say thanks for the summary. I finally managed to get things working using option 4. I found that using U32 to do anything but quite simple packet inspection quickly becomes pretty difficult to manage :(

Cheers,
Chris.

On Tue, 2013-11-12 at 18:31 +0000, Andrew Beverley wrote:
> On Tue, 2013-11-12 at 14:29 +0000, Chris Elston wrote:
> > Hello,
> >
> > I'm having a little trouble getting ingress policing working, filtering
> > based on an iptables fwmark.
>
> As you allude to, this is not possible with a vanilla kernel (unless
> it's changed recently).
>
> > Also, this diagram suggests that queueing to the ingress qdisc happens
> > before classification takes place:
> > http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>
> Yes, the ingress qdisc will see the packets before they have hit
> netfilter.
>
> > I'm hoping that someone on the list can let me know whether this is
> > actually possible with contemporary kernels, and if so, where I'm going
> > wrong.
>
> The only options I know of are:
>
> 1. Use IMQ (not in the vanilla kernel).
>
> 2. If you're forwarding packets, then use an egress qdisc on the output
> interface.
>
> 3. If you want to DROP packets, then you might be able to do so once the
> client sends reply packets, and therefore catch them using egress on
> their way back out.
>
> 4. Use a U32 filter on ingress.
>
> You may find the discussion here useful:
>
> http://www.spinics.net/lists/lartc/msg22354.html
>
> Andy
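What Andy's option 4 looks like in practice, as an added example that is not code from either message in the thread: because the ingress qdisc sees packets before netfilter has set any fwmark, the selector has to be written as u32 header matches instead of `handle <mark> fw`. The interface (eth0), the TCP port, the rate and the burst size are assumptions; with DRY_RUN=1 the script only prints the tc commands, so it can be inspected without root.

```shell
#!/bin/sh
# Added example of ingress policing with a u32 filter (option 4 in the thread).
# Interface, port, rate and burst are assumptions, not values from the thread.

IFACE="${IFACE:-eth0}"   # assumed interface name
TC="${TC:-tc}"

# Run one tc command, or print it when DRY_RUN=1 (no root, no real interface needed).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Police inbound TCP traffic to port $1 on $IFACE down to rate $2 (e.g. 1mbit).
# On egress one could classify by fwmark ("handle N fw"); on ingress the same
# traffic has to be picked out field by field with u32 selectors, which is why
# anything beyond a simple match gets hard to maintain.
police_ingress_tcp_port() {
    port="$1"; rate="$2"
    # The ingress qdisc is attached under the fixed handle ffff:.
    run "$TC" qdisc add dev "$IFACE" handle ffff: ingress
    # u32: IP protocol 6 (TCP) and destination port $port; excess is dropped.
    run "$TC" filter add dev "$IFACE" parent ffff: protocol ip prio 1 u32 \
        match ip protocol 6 0xff \
        match ip dport "$port" 0xffff \
        police rate "$rate" burst 10k drop flowid :1
}

# Usage: DRY_RUN=1 sh ingress-police.sh 80 1mbit   (omit DRY_RUN to apply as root)
if [ "$#" -eq 2 ]; then
    police_ingress_tcp_port "$1" "$2"
fi
```

Remove the rules again with `tc qdisc del dev eth0 ingress` when experimenting.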