From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andy Furniss
Date: Thu, 03 Dec 2015 00:24:58 +0000
Subject: Re: Problem with cls_flow nfct-* keys
Message-Id: <565F8BDA.9040405@gmail.com>
List-Id:
References: <3419281448878074@web15j.yandex.ru>
In-Reply-To: <3419281448878074@web15j.yandex.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
To: lartc@vger.kernel.org

Гаврилов Игорь wrote:
>> I am not sure if this should work or not.
> In all examples this worked, but I can't test it on old kernels - I
> use 3.10.
>
>> If there is no/low incoming traffic to this box then you could
>> shape on egress.
> Unfortunately this is not an option. The single case, where IFB
> could be a problem, and you can't shape on egress interface is when
> you have traffic to/from router. There are IPSec tunnels from WAN
> interface, and I need to share bandwidth dynamically between regular
> internet traffic and IPSec.
>
>> Generally I would avoid redirecting protocol all then restricting
>> htb default - you may end up dropping arp.
> I have a dedicated class for ARP.
>

Ok, I can't easily test old kernels either.

I did a quick test on my desktop with a recent git kernel and it doesn't
work for me either. The same test (using ifb) does work on egress.

Adding a printk shows a call to nf_ct_get(skb, &ctinfo) returns NULL
which makes flow fall back to dst.