[altq 826] Re: The future of ALTQ, IPsec & IPFILTER playing together ...
Gunther Schadow wrote:
> However, I understand that ALTQ works in the data link layer at
> the interface to the NIC. IPsec, however, works above that layer,
> even before the IPFILTER rules (on outgoing packets.) So, we have
> the following "pipe"
> IPSEC -----> IPFILTER -------> ALTQ
> the problem is that ALTQ will only see IPSEC ESP packets. So,
> all the properties of the payload packets that allow me to
> define the ALTQ classes are now encapsulated in ESP and thus
> invisible to the ALTQ classifier.
In general, we don't recommend using tunnels since they introduce too
much complexity and, as itojun said, there's no single solution for
all possible combinations.
For your requirements, it seems simpler to apply TOS marking.
The TOS field of the IP header is available to the ALTQ classifier
even with ESP, in both transport mode and tunnel mode.
(This is what diffserv is all about.)
You can mark the TOS (or IPv6 traffic class) field either by
- an application using setsockopt(2)
- a diffserv traffic conditioner on the ingress interface
(you will need another box for this)
Regarding classifier implementations,
Jason Thorpe and his colleagues at Zembu are working on a generic
programmable classifier based on the BPF language.
I'd like to merge it into ALTQ when it becomes available.
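The first marking option above, an application setting the TOS byte (or the IPv6 traffic class) with setsockopt(2), as an added example that is not part of the original post or of ALTQ. It goes slightly beyond the text by covering both IP_TOS for IPv4 and IPV6_TCLASS for IPv6, and by reading the value back with getsockopt(2) so the effect can be checked before any packet is sent. The function names, the DSCP_EF / DSCP_AF41 constants and the use of a UDP socket are this example's own choices. One caveat a practitioner should keep in mind: in ESP tunnel mode the classifier sees the outer IP header, so the scheme relies on the IPsec stack copying the inner TOS into the outer header (RFC 2401 requires this for tunnel mode, and it is what makes "available even in tunnel mode" true).

```c
/* Added example, not code from the ALTQ list post: mark the IP TOS byte
 * (IPv4) or traffic class (IPv6) from an application with setsockopt(2)
 * so a downstream classifier such as ALTQ can still classify the flow
 * after the payload has been wrapped in ESP.
 *
 * Function names and the DSCP constants are this example's assumptions,
 * not part of ALTQ or the original post.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdio.h>

/* RFC 2474: the six-bit DSCP sits in the high bits of the old TOS byte;
 * the low two bits belong to ECN (RFC 3168) and are left at zero here. */
#define DSCP_EF   46   /* Expedited Forwarding, RFC 2598 */
#define DSCP_AF41 34   /* Assured Forwarding class 4, low drop precedence */

/* Convert a DSCP codepoint to the TOS / traffic-class byte and back. */
int dscp_to_tos(int dscp) { return (dscp & 0x3f) << 2; }
int tos_to_dscp(int tos)  { return (tos >> 2) & 0x3f; }

/* Set the DSCP on an open socket of address family `family`.
 * Returns 0 on success, -1 on error (errno set by setsockopt). */
int set_dscp(int fd, int family, int dscp)
{
    int tos = dscp_to_tos(dscp);
    if (family == AF_INET)
        return setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof tos);
#ifdef IPV6_TCLASS
    if (family == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, &tos, sizeof tos);
#endif
    return -1;   /* unsupported family or no IPV6_TCLASS on this system */
}

/* Read back the byte the kernel will stamp on outgoing packets.
 * Returns the byte (0..255) or -1 on error. */
int get_tos(int fd, int family)
{
    int tos = 0;
    socklen_t len = sizeof tos;
    int rc = -1;
    if (family == AF_INET)
        rc = getsockopt(fd, IPPROTO_IP, IP_TOS, &tos, &len);
#ifdef IPV6_TCLASS
    else if (family == AF_INET6)
        rc = getsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, &tos, &len);
#endif
    return rc == 0 ? (tos & 0xff) : -1;
}

/* Open a UDP socket, mark it, and return what the kernel reports, or -1
 * if the socket could not be created (e.g. no IPv6 on this host) or the
 * option could not be set. Nothing is sent on the wire. */
int mark_and_readback(int family, int dscp)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    int tos = -1;
    if (fd < 0)
        return -1;
    if (set_dscp(fd, family, dscp) == 0)
        tos = get_tos(fd, family);
    close(fd);
    return tos;
}

int main(void)
{
    int v4 = mark_and_readback(AF_INET, DSCP_EF);
    int v6 = mark_and_readback(AF_INET6, DSCP_EF);
    if (v4 >= 0)
        printf("IPv4 TOS byte 0x%02x -> DSCP %d\n", v4, tos_to_dscp(v4));
    else
        printf("IPv4 marking failed\n");
    if (v6 >= 0)
        printf("IPv6 traffic class 0x%02x -> DSCP %d\n", v6, tos_to_dscp(v6));
    else
        printf("IPv6 marking unavailable\n");
    return 0;
}
```

A UDP socket is used only because it needs no peer to exercise the option; the same two setsockopt calls work on a TCP socket before connect(2). The ALTQ class definition then keys on the resulting TOS value (for DSCP_EF the byte is 0xb8), which survives ESP encapsulation because it lives in the IP header, not in the encrypted payload.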