Version 5 (modified by ejhernandez@…, 6 years ago)
Traffic shaping for ingress traffic
Benefits
- Ingress shaping
- Applied at step 4
- One global policy can be applied to several interfaces
- Currently not applicable to eBox
How to apply
- Linux kernel patches
  - compile the kernel source with the IMQ options enabled
- Iptables patches
  - compile the iptables sources with the IMQ patch before compiling the Linux kernel
More information at http://wiki.nix.hu/cgi-bin/twiki/view/IMQ/HowToInstall (quite Debian Etch specific).
Known issues (IMPORTANT!)
The following kinds of traffic provoke kernel panics with IMQ installed:
- GRE tunneling
- IPSec traffic
- Locally generated traffic (including traffic from user space programs)
Workaround to make Samba traffic work, which counts as locally generated traffic (192.168.100.100 is the address of the IMQ machine and eth0 its internal interface; --todev takes the device number, so 0 selects imq0):
iptables -t mangle -A POSTROUTING -o eth0 -s ! 192.168.100.100 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
More information in the FAQ at http://wiki.nix.hu/cgi-bin/twiki/view/IMQ/ImqFaq.
IMQ introduces some delay, since all incoming traffic has to pass through two queues (the one on the physical interface and the one on the new virtual interface).
Usage
- Load the IMQ module (numdevs sets how many imq devices are created)
modprobe imq numdevs=8
- Bring up the IMQ device (n is the device number, from 0 to numdevs-1)
ip link set imq<n> up
- Set up the traffic shaping rules on the imq device exactly as for egress traffic on a real interface
- Direct the incoming traffic of <iface> to that virtual interface (--todev takes the device number n)
iptables -t mangle -A PREROUTING -i <iface> -j IMQ --todev <n>
More information at http://wiki.nix.hu/cgi-bin/twiki/view/IMQ/HowToUse.
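The four Usage steps above as one script, added here as an example rather than taken from the wiki or the IMQ project. It assumes an IMQ-patched kernel and iptables; the interface name, device number and rate are caller-supplied sample values, and DRY_RUN=1 prints the commands instead of executing them.

```bash
#!/bin/bash
# Added example, not from the original wiki page: the four Usage steps as one
# script. Assumes an IMQ-patched kernel and iptables; interface name, device
# number and rate passed by the caller are sample values.
set -eu

# run: execute a command, or only print it when DRY_RUN=1, so the rule set can
# be reviewed before it touches a live box (and tested without root or imq).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# imq_ingress IFACE N RATE_KBIT
#   IFACE      interface whose *incoming* packets are shaped
#   N          IMQ device number: the device is imqN and --todev wants N
#   RATE_KBIT  link rate in kbit/s; 30% is reserved for interactive traffic
imq_ingress() {
  iface=$1 n=$2 rate=$3
  hi=$((rate * 3 / 10))      # interactive class (SSH here) guaranteed rate
  lo=$((rate - hi))          # bulk/default class guaranteed rate

  # Steps 1 and 2: load the module (8 devices) and bring up the one we use.
  run modprobe imq numdevs=8
  run ip link set "imq$n" up

  # Step 3: shaping rules on the virtual device, written exactly as egress
  # rules on a real NIC: HTB root, parent class at line rate, two leaves.
  run tc qdisc add dev "imq$n" root handle 1: htb default 20
  run tc class add dev "imq$n" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit"
  run tc class add dev "imq$n" parent 1:1 classid 1:10 htb rate "${hi}kbit" ceil "${rate}kbit" prio 0
  run tc class add dev "imq$n" parent 1:1 classid 1:20 htb rate "${lo}kbit" ceil "${rate}kbit" prio 1
  run tc filter add dev "imq$n" parent 1: protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:10

  # Step 4: hand incoming packets to imqN. PREROUTING never carries packets
  # the IMQ box generated itself, so the locally generated traffic that
  # panics IMQ (see Known issues) cannot reach this rule.
  run iptables -t mangle -A PREROUTING -i "$iface" -j IMQ --todev "$n"
}

# imq_ingress_clear IFACE N: undo imq_ingress (rule first, then the qdisc).
imq_ingress_clear() {
  run iptables -t mangle -D PREROUTING -i "$1" -j IMQ --todev "$2"
  run tc qdisc del dev "imq$2" root
  run ip link set "imq$2" down
}

if [ $# -gt 0 ]; then imq_ingress "$@"; fi   # e.g. DRY_RUN=1 ./imq.sh eth1 0 10000
```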
Internal functionality
IMQ is a 'dummy' interface: a virtual interface used to shape incoming (ingress) traffic. To achieve this, iptables rules direct packets to that interface, where they are queued and reordered (this is where the shaping happens). These rules are processed after the other iptables rules: for ingress, packets are handed to IMQ just after the mangle rules; for egress, the IMQ rules are matched after all other iptables rules.
More information in the LARTC FAQ.