[LARTC] Iptables matching on IFB

[LARTC] Iptables matching on IFB

[FB]

Hey folks,

I stumbled across the Mastershaper project
( http://www.mastershaper.org/ ) but I have a little problem:
I wanted to shape the traffic coming from the router itself aswell as
coming from the LAN behind the router, for that task I need IMQ, but
with IMQ iptables-(layer7)-matching is not possible. Now I've talked
with the programmer and he said the following:

>The problem is not only MasterShaper - it's simply that iptables can't
>match on IMQ interfaces directly. The only way would be to MARK packets
>before and then match with tc-filter on the IMQ interfaces. But this
>means that two subsystems handle packets and I think this will cause
>much more overhead.
>
>Perhaps you can try if iptables is able to match on IFB interfaces
>which are already included since some kernel versions and let me know.
>If it works I will try to implement this in MS.
>
>Cheers,
>Unki

So, does anyone of you know if iptables matching is possible on an IFB
interface? I would try it myself but sadly I can't experiment with my
router currently :-(

Thanks in advance for any help
-FB
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Iptables matching on IFB

[Marek Kierdelewicz]

> Hey folks,

Hi!

> So, does anyone of you know if iptables matching is possible on an
> IFB interface? I would try it myself but sadly I can't experiment
> with my router currently :-(

As far as I know IFB doesn't have any netfilter hooks and you can't
use it in netfilter. You can however match incomming traffic using tc
(u32 filter) and use actions (available in 2.6 kernels) to
mark(fwmark)/police/redirect traffic.

Hope that helps.

pozdrawiam
--
Marek Kierdelewicz
Kierownik Działu Systemów Sieciowych, KoBa
Network Department Manager, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Iptables matching on IFB

[Andy Furniss]

FB wrote:
> Hey folks,
> 
> I stumbled across the Mastershaper project
> ( http://www.mastershaper.org/ ) but I have a little problem:
> I wanted to shape the traffic coming from the router

If you really mean coming from rather than coming into then you don't 
need ifb or imq.

  itself aswell as
> coming from the LAN behind the router, for that task I need IMQ, but
> with IMQ iptables-(layer7)-matching is not possible. Now I've talked
> with the programmer and he said the following:
> 
> 
>>The problem is not only MasterShaper - it's simply that iptables can't
>>match on IMQ interfaces directly. The only way would be to MARK packets
>>before and then match with tc-filter on the IMQ interfaces. But this
>>means that two subsystems handle packets and I think this will cause
>>much more overhead.
>>
>>Perhaps you can try if iptables is able to match on IFB interfaces
>>which are already included since some kernel versions and let me know.
>>If it works I will try to implement this in MS.

I wouldn't be too bothered about doing it this way with imq - if you 
really need to.

>>
>>Cheers,
>>Unki
> 
> 
> So, does anyone of you know if iptables matching is possible on an IFB
> interface? I would try it myself but sadly I can't experiment with my
> router currently :-(

ifb is before iptables on ingress and after on egress, so you can only 
use it with iptables on egress.

Andy.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc