From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: per socket nfmark
Date: Wed, 11 Jul 2007 09:25:05 -0500
Message-ID: <4694E841.40906@riverviewtech.net>
In-Reply-To: <16.19-30594-1397228818-1184162778@seznam.cz>
On 07/11/07 09:06, tomasnull@seznam.cz wrote:
> I would like to bring up the question, if there is a way to associate
> a nfmark with a socket. It would be very helpful as it saves the
> matching against iptables rules which would have to then match the
> packet and associate the nfmark.
The closest that I can think of is the (apparently deprecated?) owner
match. At least if you could say that there was one owner to a socket,
you could then associate that with the traffic (to? /) from said socket
/ owner. However it is my understanding that the owner PoM extension
will not apply to kernels newer than 2.6.15, or thereabouts.
> The same question was already posted here:
> http://lists.netfilter.org/pipermail/netfilter/2002-October/039074.html
Hum, it does not look like there was an answer to that question. With
regards to that question, one thing that comes to mind is turning your
server into some sort of re-director of sorts. I'm not even sure that
would work. Consider using separate IP / port pairs for the different
sites, probably something other than port 80. Then put some sort of
reverse proxy on port 80 that will redirect to the back end servers on
their individual ports. This would allow you to do a source /
destination port match on tc rules and know that you are only applying
to the traffic for that given server / service. Hopefully, this rate
limiting would also apply through the proxy. Or, if you could get some
sort of association / mark / etc through the proxy you could apply your
tc rules outside of the proxy based on the association / mark / etc that
was put on the traffic before it went through the proxy. Just a
thought. I know that this is far from a solution, but it is at least
something to think about.
Grant. . . .
Thread overview:
2007-07-11 14:06 per socket nfmark
2007-07-11 14:25 ` Grant Taylor [this message]
2007-07-11 16:14 ` dean gaudet
2007-07-12 13:58 ` Patrick McHardy