From: Andy Furniss
Date: Wed, 01 Jun 2005 21:31:36 +0000
Subject: Re: [LARTC] filter ingress policy based on nfmark
Message-Id: <429E2938.4080804@dsl.pipex.com>
References: <200506011156.13278.mv-lists@net-surf.net>
In-Reply-To: <200506011156.13278.mv-lists@net-surf.net>
To: lartc@vger.kernel.org

Martin Vassilev wrote:
> Hi all.
> Since I move on to 2.6 kernel, filter ingress policy based on nfmark won't
> work.
> Sorry for my English.
>
> Simple example:
>
> iptables -t mangle -I PREROUTING -j MARK --set-mark 1
>
> ${QDISC_ADD} handle ffff: ingress
> ${FILTER_ADD} parent ffff: protocol ip prio 100 handle 1 fw \
> police rate 128Kbit burst 10k drop flowid 2:11
>
> # tc -s -d qdisc ls dev eth0
> qdisc ingress ffff: ----------------
> Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> rate 0bit 0pps backlog 0b 0p requeues 0
>
> # iptables -t mangle -L -n -v
> pkts bytes target prot opt in out source destination
> 1362 293K MARK all -- * * 0.0.0.0/0 0.0.0.0/0
> MARK set 0x1
>
> No problems at 2.4 kernel.
>

On 2.6 whether policer sees marks or not depends on your kernel config.

If you don't select classifier actions then you get the 2.4 behavior.

Andy.
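A check for the kernel option the reply points at, as an added example that is not part of the original mail. It assumes "classifier actions" corresponds to the Kconfig symbol CONFIG_NET_CLS_ACT, and that the kernel config file (plain text or gzip, for instance /proc/config.gz where the kernel exposes it) is passed as the first argument; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: report which ingress behaviour a
# kernel config selects, per the reply above.
# Assumption: "classifier actions" is the Kconfig symbol CONFIG_NET_CLS_ACT.

# Print the value of a Kconfig symbol from a config file (plain or .gz):
# the configured value ("y", "m", ...) or "n" when it is unset or absent.
kconfig_value() {
    sym=$1
    file=$2
    case $file in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Match the exact symbol only: "SYM=value" or "# SYM is not set".
    $reader "$file" | awk -v s="$sym" '
        index($0, s "=") == 1      { v = substr($0, length(s) + 2) }
        $0 == "# " s " is not set" { v = "n" }
        END { print (v == "" ? "n" : v) }'
}

# "actions":   classifier actions are built in, so the fw filter on the
#              ingress qdisc may not see marks set in mangle PREROUTING.
# "2.4-style": classifier actions are not selected; behaviour as on 2.4.
ingress_mark_behaviour() {
    case $(kconfig_value CONFIG_NET_CLS_ACT "$1") in
        y|m) echo "actions" ;;
        *)   echo "2.4-style" ;;
    esac
}

# Stand-alone use: sh check.sh /path/to/kernel/config
if [ -n "${1:-}" ]; then
    ingress_mark_behaviour "$1"
fi
```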