From: GGounot
Date: Thu, 25 Sep 2014 16:44:32 +0000
Subject: Re: Ingress filtering
Message-Id: <54244670.6090006@laposte.net>
References: <20140925121920.5bd32939@lobo.lobo.dom>
In-Reply-To: <20140925121920.5bd32939@lobo.lobo.dom>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: lartc@vger.kernel.org

On 25/09/2014 12:19, marco@nucleus.it wrote:
> Hi to all,
> I read some stuff about ingress filtering with the ifb module.
>
> According to some it is impossible, according to others it is not.
>
> possible:
> https://wiki.archlinux.org/index.php/Advanced_traffic_control
>
> not possible:
> http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg15545.html
> http://www.spinics.net/lists/netfilter/msg53729.html
> http://www.spinics.net/lists/lartc/msg22358.html
>
> Is it possible to use the connection mark (ctmark) or packet mark (nfmark)
> with the tc filter on ifb, or is the only possibility the patch
> provided by these links?
> https://aur.archlinux.org/packages/act_connmark/
> https://aur.archlinux.org/packages/iproute2-connmark/
>
> Or am I missing something?
>
> Thanks

Hi Marco.

Ingress shaping is possible:

#!/bin/bash
## Paths and definitions
tc=/sbin/tc
ETH=eth0    # Change for your device!
IFB=ifb0    # Use a unique ifb per rate limiter!

modprobe ifb
modprobe act_mirred

# Clear old queuing disciplines (qdisc) on the interfaces
$tc qdisc del dev $ETH root 2>/dev/null
$tc qdisc del dev $ETH ingress 2>/dev/null
$tc qdisc del dev $IFB root 2>/dev/null
$tc qdisc del dev $IFB ingress 2>/dev/null

# Create ingress on external interface
$tc qdisc add dev $ETH handle ffff: ingress
ifconfig $IFB up    # if the interface is not up bad things happen

# Forward all ingress traffic to the IFB device
$tc filter add dev $ETH parent ffff: protocol all u32 match u32 0 0 \
    action mirred egress redirect dev $IFB

# (Example!) Create an EGRESS filter on the IFB device
$tc qdisc add dev $IFB root handle 1: htb default 0
$tc class add dev $IFB parent 1:0 classid 1:1 htb rate 1000kbps ceil 1000kbps prio 0
$tc class add dev $IFB parent 1:1 classid 1:300 htb rate 300kbps ceil 300kbps prio 0
$tc qdisc add dev $IFB parent 1:300 handle 300: sfq perturb 10
# Send packets carrying fwmark 300 to class 1:300
$tc filter add dev $IFB parent 1:0 prio 0 protocol ip handle 300 fw flowid 1:300

# Mark forwarded packets that arrived on eth0 with fwmark 300
iptables -t mangle -I FORWARD -i eth0 -j MARK --set-mark 300

(not tested)
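The script above sets the mark in the mangle FORWARD chain, which the kernel runs after the ingress qdisc on eth0 has already redirected the packet to the ifb, so a packet-mark (fw) filter on the ifb is not expected to match without the act_connmark patch from the links in the question. The check below is added here and is not part of the mail: it parses `tc -s class show dev ifb0` output (a constructed sample that shows the failure case, not a capture) and reports whether class 1:300 ever carried traffic while its parent 1:1 did. It assumes the class ids the script uses (1:1 and 1:300).

```shell
# Added check (not from the original mail): parse `tc -s class show dev ifb0`
# and report whether the fw-classified class 1:300 ever carried bytes.
# SAMPLE_TC_OUTPUT is constructed to look like the htb tree built by the
# script above after some downloads; it is not captured from a real router.
SAMPLE_TC_OUTPUT='class htb 1:1 root rate 8Mbit ceil 8Mbit burst 11200b cburst 11200b
 Sent 5242880 bytes 3600 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 3600 borrowed: 0 giants: 0
 tokens: 175000 ctokens: 175000

class htb 1:300 parent 1:1 leaf 300: prio 0 rate 2400Kbit ceil 2400Kbit burst 4800b cburst 4800b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 250000 ctokens: 250000
'

# class_sent_bytes CLASSID: print the "Sent N bytes" counter of CLASSID,
# reading tc output from stdin (prints 0 if the class is absent).
class_sent_bytes() {
    awk -v want="$1" '
        $1 == "class" && $2 == "htb" { cur = $3 }
        cur == want && $1 == "Sent"  { print $2; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# mark_seen_on_ifb TC_OUTPUT: exit 0 if 1:300 carried traffic, 1 if the parent
# 1:1 carried traffic while 1:300 stayed at zero (the fw filter never matched),
# 2 if nothing passed through the ifb at all (nothing to conclude yet).
mark_seen_on_ifb() {
    parent=$(printf '%s\n' "$1" | class_sent_bytes 1:1)
    leaf=$(printf '%s\n' "$1" | class_sent_bytes 1:300)
    [ "$parent" -gt 0 ] || return 2
    [ "$leaf" -gt 0 ] || return 1
    return 0
}

# On a live router replace the sample with: tc -s class show dev ifb0
status=0
mark_seen_on_ifb "$SAMPLE_TC_OUTPUT" || status=$?
case $status in
    0) echo "class 1:300 carries traffic: the fw filter matches on the ifb" ;;
    1) echo "1:1 carries traffic but 1:300 is empty: the mark is not visible on the ifb" ;;
    *) echo "no traffic through the ifb yet; generate a download and re-check" ;;
esac
```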