Hi all.

I'm using Jamal's ifb virtual interface from new kernel. Redirecting incoming traffic from external interface like that:
# tc [blahbla] match u32 0 0 flowid 1:0 action mirred egress redirect dev ifb0
to ifb to shape it.

The problem is that I'm using MASQUERADE by netfilter also. That redirected traffic coming from internet gets to ifb _before_ DNAT is done. So I cannot filter or mark it in other way by ip dst address to differ between forwarded and incoming traffic to my node.

Goal is to find a solution how to let tc filter find the difference between forwarded and incoming traffic in that redirected traffic coming to ifb device so shaping/queueing could be done elegantly :-)
(well, in fact this traffic goes off ifb device and then gets routed and masqed etc. by egress queue)

Anybody got any nice ideas?

Krzysztof

Krzysztof Matusik wrote:
> Hi all.
>
> I'm using Jamal's ifb virtual interface from new kernel. Redirecting incoming
> traffic from external interface like that:
> # tc [blahbla] match u32 0 0 flowid 1:0 action mirred egress redirect dev ifb0
> to ifb to shape it.
>
> The problem is that I'm using MASQUERADE by netfilter also. That redirected
> traffic coming from internet gets to ifb _before_ DNAT is done. So I cannot
> filter or mark it in other way by ip dst address to differ between forwarded
> and incoming traffic to my node.
>
> Goal is to find a solution how to let tc filter find the difference between
> forwarded and incoming traffic in that redirected traffic coming to ifb
> device so shaping/queueing could be done elegantly :-)
> (well, in fact this traffic goes off ifb device and then gets routed and masqed
> etc. by egress queue)
>
> Anybody got any nice ideas?

You still need to use IMQ for this situation at this time. There has been talk of making an ematch that can get netfilter state.

Andy.