* [LARTC] filter ingress policy based on nfmark
@ 2005-06-01 8:56 Martin Vassilev
2005-06-01 21:31 ` Andy Furniss
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Martin Vassilev @ 2005-06-01 8:56 UTC (permalink / raw)
To: lartc
Hi all.
Since I moved to the 2.6 kernel, filter ingress policy based on nfmark won't
work.
Sorry for my English.
Simple example:
iptables -t mangle -I PREROUTING -j MARK --set-mark 1
${QDISC_ADD} handle ffff: ingress
${FILTER_ADD} parent ffff: protocol ip prio 100 handle 1 fw \
police rate 128Kbit burst 10k drop flowid 2:11
# tc -s -d qdisc ls dev eth0
qdisc ingress ffff: ----------------
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
# iptables -t mangle -L -n -v
pkts bytes target prot opt in out source destination
1362 293K MARK all -- * * 0.0.0.0/0 0.0.0.0/0
MARK set 0x1
No problems on the 2.4 kernel.
--
Best Regards,
Martin Vassilev
NetSurf.net Ltd.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] filter ingress policy based on nfmark
2005-06-01 8:56 [LARTC] filter ingress policy based on nfmark Martin Vassilev
@ 2005-06-01 21:31 ` Andy Furniss
2005-06-02 9:25 ` Martin Vassilev
2005-06-02 9:48 ` Andy Furniss
2 siblings, 0 replies; 4+ messages in thread
From: Andy Furniss @ 2005-06-01 21:31 UTC (permalink / raw)
To: lartc
Martin Vassilev wrote:
> Hi all.
> Since I moved to the 2.6 kernel, filter ingress policy based on nfmark won't
> work.
> Sorry for my English.
>
> Simple example:
>
> iptables -t mangle -I PREROUTING -j MARK --set-mark 1
>
> ${QDISC_ADD} handle ffff: ingress
> ${FILTER_ADD} parent ffff: protocol ip prio 100 handle 1 fw \
> police rate 128Kbit burst 10k drop flowid 2:11
>
> # tc -s -d qdisc ls dev eth0
> qdisc ingress ffff: ----------------
> Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> rate 0bit 0pps backlog 0b 0p requeues 0
>
> # iptables -t mangle -L -n -v
> pkts bytes target prot opt in out source destination
> 1362 293K MARK all -- * * 0.0.0.0/0 0.0.0.0/0
> MARK set 0x1
>
> No problems on the 2.4 kernel.
>
On 2.6 whether policer sees marks or not depends on your kernel config.
If you don't select classifier actions then you get the 2.4 behavior.
Andy.
* Re: [LARTC] filter ingress policy based on nfmark
2005-06-01 8:56 [LARTC] filter ingress policy based on nfmark Martin Vassilev
2005-06-01 21:31 ` Andy Furniss
@ 2005-06-02 9:25 ` Martin Vassilev
2005-06-02 9:48 ` Andy Furniss
2 siblings, 0 replies; 4+ messages in thread
From: Martin Vassilev @ 2005-06-02 9:25 UTC (permalink / raw)
To: lartc
On Thursday 02 June 2005 00:31, you wrote:
>
> On 2.6 whether policer sees marks or not depends on your kernel config.
>
> If you don't select classifier actions then you get the 2.4 behavior.
>
> Andy.
Many thanks.
--
Best Regards,
Martin Vassilev
NetSurf.net Ltd.
* Re: [LARTC] filter ingress policy based on nfmark
2005-06-01 8:56 [LARTC] filter ingress policy based on nfmark Martin Vassilev
2005-06-01 21:31 ` Andy Furniss
2005-06-02 9:25 ` Martin Vassilev
@ 2005-06-02 9:48 ` Andy Furniss
2 siblings, 0 replies; 4+ messages in thread
From: Andy Furniss @ 2005-06-02 9:48 UTC (permalink / raw)
To: lartc
Martin Vassilev wrote:
> On Thursday 02 June 2005 00:31, you wrote:
>
>
>>On 2.6 whether policer sees marks or not depends on your kernel config.
>>
>>If you don't select classifier actions then you get the 2.4 behavior.
>>
>>Andy.
>
>
> Many thanks.
>
Oops, it's called packet action in the menu, not classifier actions. It's
CONFIG_NET_CLS_ACT, which when deselected should allow you to select
traffic policing rather than policing actions.
Andy.
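
Added example, not part of the original thread: a shell check for the CONFIG_NET_CLS_ACT option named in the reply above, reporting which of the two behaviours described in the thread the kernel config selects. The config file locations, the function names and the sample config are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report the state of CONFIG_NET_CLS_ACT.
# File locations and function names are assumptions for illustration.

# Print the first readable kernel config file from common locations.
find_kernel_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Print the value of a config symbol from a plain or gzipped config file.
# Prints "n" when the symbol is "is not set" or missing altogether.
config_value() {
    file=$1 sym=$2
    case $file in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    val=$($reader "$file" | sed -n "s/^${sym}=\(.*\)\$/\1/p" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# Map the option to the behaviour described in the thread.
ingress_mark_behaviour() {
    case $(config_value "$1" CONFIG_NET_CLS_ACT) in
        y) echo "packet-action: CONFIG_NET_CLS_ACT=y, ingress fw filter may not see nfmark" ;;
        *) echo "2.4-style: CONFIG_NET_CLS_ACT not set, ingress policer sees nfmark" ;;
    esac
}

if cfg=$(find_kernel_config); then
    ingress_mark_behaviour "$cfg"
else
    # Constructed sample config, used only when no real config is readable.
    sample=$(mktemp)
    printf 'CONFIG_NET_SCHED=y\n# CONFIG_NET_CLS_ACT is not set\n' > "$sample"
    ingress_mark_behaviour "$sample"
    rm -f "$sample"
fi
```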