thr3ads.net - LARTC - filter ingress policy based on nfmark [Jun 2005]

If this information is useful, please help other people find it:
Share via:

Martin Vassilev

2005-Jun-01 08:56 UTC

filter ingress policy based on nfmark

Hi all.
Since I move on to 2.6 kernel , filter ingress policy based on nfmark won´t 
work.
Sorry for my english.

Simple example:

iptables  -t mangle -I PREROUTING -j MARK --set-mark 1

${QDISC_ADD} handle ffff: ingress
${FILTER_ADD} parent ffff: protocol ip prio 100 handle 1 fw \
police rate 128Kbit burst 10k drop flowid 2:11

# tc -s -d qdisc ls dev eth0
qdisc ingress ffff: ----------------
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

# iptables -t mangle -L -n -v
pkts bytes target     prot opt in     out     source               destination
 1362  293K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0
MARK set 0x1

No problems at 2.4 kernel.

-- 
Best Regards,
Martin Vassilev
NetSurf.net Ltd.

Andy Furniss

2005-Jun-01 21:31 UTC

head link

Re: filter ingress policy based on nfmark

Martin Vassilev wrote:> Hi all.
> Since I move on to 2.6 kernel , filter ingress policy based on nfmark won´t
> work.
> Sorry for my english.
> 
> Simple example:
> 
> iptables  -t mangle -I PREROUTING -j MARK --set-mark 1
> 
> ${QDISC_ADD} handle ffff: ingress
> ${FILTER_ADD} parent ffff: protocol ip prio 100 handle 1 fw \
> police rate 128Kbit burst 10k drop flowid 2:11
> 
> # tc -s -d qdisc ls dev eth0
> qdisc ingress ffff: ----------------
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> 
> # iptables -t mangle -L -n -v
> pkts bytes target     prot opt in     out     source              
destination
>  1362  293K MARK       all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> MARK set 0x1
> 
> No problems at 2.4 kernel.
> 
On 2.6 whether policer sees marks or not depends on your kernel config.

If you don''t select classifier actions then you get the 2.4 behavior.

Andy.

Martin Vassilev

2005-Jun-02 09:25 UTC

head link

Re: filter ingress policy based on nfmark

On Thursday 02 June 2005 00:31, you wrote:
>
> On 2.6 whether policer sees marks or not depends on your kernel config.
>
> If you don''t select classifier actions then you get the 2.4
behavior.
>
> Andy.
Many thanks.

-- 
Best Regards,
Martin Vassilev
NetSurf.net Ltd.

Andy Furniss

2005-Jun-02 09:48 UTC

head link

Re: filter ingress policy based on nfmark

Martin Vassilev wrote:> On Thursday 02 June 2005 00:31, you wrote:
> 
> 
>>On 2.6 whether policer sees marks or not depends on your kernel config.
>>
>>If you don''t select classifier actions then you get the 2.4
behavior.
>>
>>Andy.
> 
> 
> Many thanks.
> 
Oops it''s called packet action in the menu not classifier actions its 
CONFIG_NET_CLS_ACT which when deselected should allow you to select 
traffic policing rather than policing actions.

Andy.

Apparently Analagous Threads

Search for more maybe matching threads

LARTC - Jun 2005 - filter ingress policy based on nfmark

filter ingress policy based on nfmark

Re: filter ingress policy based on nfmark

Re: filter ingress policy based on nfmark

Re: filter ingress policy based on nfmark

Apparently Analagous Threads