lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 28 Mar 2007 18:54:52 +0200
From:	Jens Thiele <>
Cc:, Jamal Hadi Salim <>,
Subject: traffic shaping with NAT: IFB as IMQ replacement?


Sorry for the many Ccs, but I hope to reach all parties involved.
I want to do traffic shaping with NAT and I wanted to do it with IFB
instead of IMQ [1]. I tried a lot of things but now I am stuck (and
maybe confused).

The setup:
               eth0             eth1
WAN/(Internet) <-> Linux Router <-> LAN

Linux router:
- does NAT for the LANs
- runs local processes communicating with the WAN/Internet

Incoming and outgoing traffic on eth0 should be subject to "traffic
shaping". I put quotes here, because it seems the term policing would
be used for the incoming traffic directed at the router itself. It is
not an ideal solution to drop incoming packets, but assuming TCP,
intelligent dropping ("shaping") is still much better than plain rate
limiting or no action at all. (see also parts of [2]). If there is a
better solution than "ingress shaping" available or being worked on,
please tell me.

First of all: Why is it difficult?
Because you can't use the advanced qdics (htb, cbq, ...) on ingres
directly (only the ingress "qdisc").

Using IMQ it is quite straightforward to work around this limitation.

It seems IFB is intented as IMQ replacement [3]

I managed to use IFB as IMQ replacement in a setup without NAT.
But when NAT is involved I am in trouble because when I want to classify
the packets they still have the translated addresses. I could live with
the translated addresses if I could use netfilter connection tracking
information to classify the packets [4]. This was also discussed in the
thread [3]:

Jamal Hadi Salim writes:
> [...] Instead the plan is to have a contrack related action. This
> action will selectively either query/create contrack state on incoming packets.
> Packets could then be redirected to dummy based on what happens -> eg 
> on incoming packets; if we find they are of known state we could send to
> a different queue than one which didnt have existing state. This
> all however is dependent on whatever rules the admin enters. [...] "

I tried something like:
tc filter add dev ... match all ... \
   action ipt -j CONNMARK --restore-mark \
   action ipt -j LOG --log-prefix "..." \
   action continue
tc filter add dev ... handle <some-mark> \
   action ipt -j LOG --log-prefix "..."

to no avail. I couldn't find any information whether this is possible
now or what steps it would take to implement this?


similar threads on the LARTC mailing list:
(many more)

[1] IMQ:
[2] "shaping":
[3] IFB: netdev mailing list thread "dummy as IMQ replacement"
    Message-Id: 1107123123.8021.80.camel@...y.localdomain

[4] Note: I think using the old policer [Symbol: NET_CLS_POLICE [=n] Prompt: Traffic
Policing (obsolete)] this maybe works? It seems ingress policing happens
after netfilter PREROUTING if you use NET_CLS_POLICE but using
NET_CLS_ACT it happens before netfilter PREROUTING?
(see also: sch_ingress.c and
But then again it is marked as obsolete and I need NET_CLS_ACT to
redirect to the IFB?!
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists