Date: Wed, 02 May 2001 14:38:38 +0900
From: Kenjiro Cho <kjc@csl.sony.co.jp>
To: gunther@aurora.regenstrief.org
Cc: snap-users@kame.net, freebsd-net@freebsd.org, ipfilter@coombs.anu.edu.au, altq@csl.sony.co.jp
Subject: Re: [altq 806] The future of ALTQ, IPsec & IPFILTER playing together ...
Message-ID: <20010502143838P.kjc@csl.sony.co.jp>
In-Reply-To: <3AEEEE79.8F7CC7B0@aurora.regenstrief.org>
References: <3AEEEE79.8F7CC7B0@aurora.regenstrief.org>

Gunther Schadow wrote:
> However, I understand that ALTQ works in the data link layer at
> the interface to the NIC. IPsec, however, works above that layer,
> even before the IPFILTER rules (on outgoing packets.) So, we have
> the following "pipe"
>
>   IPSEC -----> IPFILTER -------> ALTQ
>
> the problem is that ALTQ will only see IPSEC ESP packets. So,
> all the properties of the payload packets that allow me to
> define the ALTQ classes are now encapsulated in ESP and thus
> invisible to the ALTQ classifier.

In general, we don't recommend using tunnels since they introduce too
much complexity and, as itojun said, there's no single solution for
all possible combinations.

For your requirements, it seems simpler to apply TOS marking
beforehand. The TOS field of the IP header is available to the ALTQ
classifier even with ESP, both in the transport mode and the tunnel
mode. (This is what diffserv is all about.)

You can mark the TOS (or IPv6 traffic class) field either by
  - an application using setsockopt(2), or
  - a diffserv traffic conditioner on the ingress interface
    (you will need another box for this)

Regarding classifier implementations, Jason Thorpe and his colleagues
at Zembu are working on a generic programmable classifier based on the
BPF language. I'd like to merge it into ALTQ when it becomes available.

-Kenjiro

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
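
The first marking option in the reply above, an application setting the TOS (or IPv6 traffic class) field with setsockopt(2), as an added example that is not part of the original mail. The function names and the DSCP value 46 are assumptions chosen for illustration; the read-back with getsockopt(2) confirms what the kernel will put in the IP header that the classifier sees.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* DSCP occupies the upper 6 bits of the TOS / traffic class byte;
 * the lower 2 bits (ECN) are left at zero here.
 * Returns the TOS byte, or -1 if dscp is out of range. */
int dscp_to_tos(int dscp)
{
    if (dscp < 0 || dscp > 63)
        return -1;
    return dscp << 2;
}

/* Hypothetical helper: mark socket s (AF_INET or AF_INET6) with a DSCP
 * and read the value back. Returns the TOS byte the kernel reports,
 * or -1 on error. */
int mark_socket_dscp(int s, int family, int dscp)
{
    int tos = dscp_to_tos(dscp);
    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt = (family == AF_INET6) ? IPV6_TCLASS : IP_TOS;
    int got = 0;
    socklen_t len = sizeof(got);

    if (tos < 0 || (family != AF_INET && family != AF_INET6))
        return -1;
    if (setsockopt(s, level, opt, &tos, sizeof(tos)) < 0)
        return -1;
    if (getsockopt(s, level, opt, &got, &len) < 0)
        return -1;
    return got;
}

int main(void)
{
    int dscp = 46; /* constructed sample value: EF (expedited forwarding) */
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    int got;

    if (s < 0) { perror("socket"); return 1; }
    got = mark_socket_dscp(s, AF_INET, dscp);
    if (got < 0) { perror("mark_socket_dscp"); close(s); return 1; }
    printf("TOS byte now 0x%02x\n", got);
    close(s);
    return 0;
}
```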