On Sun, 2009-12-20 at 19:47 -0700, Justin Pryzby wrote:

> It should be easy,

Careful. :-)

> just do the shaping on the TUN device.

Which achieves the goal of prioritizing within the tunnel, yes. However...

> Depending on the details of your setup, perhaps also put the remote VPN
> host(s)' external IP tcp/1194 into a high-priority class for the external
> interface with a guaranteed minimum RATE sufficient to handle such
> high-prio traffic.

No. That's unacceptable. That would mean that all traffic in the OpenVPN tunnel (including bulkish transfers, like say site->site backup, etc.) would get the priority of VoIP (or whatever else you decided your priority band was for) and starve out other equally low-priority traffic outside the tunnel.

What needs to happen is that the marking for priority needs to be carried up from the unencapsulated packet to the corresponding OpenVPN packet, but given that OpenVPN is userspace, I don't see that as likely to happen. I wonder if IPsec, with the luxury of being all in the kernel, supports such a thing. I wonder if there is any API support at all for being able to push a packet into kernel-space from user-space including a mark, even if run as root.

b.
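The within-tunnel shaping that the quoted suggestion describes, written up as an added Shorewall traffic-shaping example (this is not configuration posted in the thread). The device name tun0, the bandwidth figures, the VoIP ports and the backup port are all assumptions; the point it illustrates is that the classes live on the TUN device, where the inner packets are still visible, and that nothing places the outer tcp/1194 flow into the VoIP class.

```text
# /etc/shorewall/tcdevices
# Assumed: the tunnel carries at most 2mbit outbound; no ingress policing.
#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH
tun0         -              2mbit

# /etc/shorewall/tcclasses
# Classes are attached to the TUN device only, so priority is decided on the
# unencapsulated packet before OpenVPN encrypts it.
#INTERFACE   MARK   RATE       CEIL    PRIORITY   OPTIONS
tun0         1      500kbit    2mbit   1          tos-minimize-delay
tun0         2      200kbit    2mbit   2          tcp-ack
tun0         3      1300kbit   2mbit   3          default

# /etc/shorewall/tcrules
# Mark 1 = VoIP class. Ports are assumptions (SIP signalling, an RTP range).
#MARK   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)
1       -        -      udp     5060
1       -        -      udp     10000:20000
# Mark 3 = bulk. The site-to-site backup (rsync assumed) is pinned to the
# default class explicitly so it never inherits the VoIP class.
3       -        -      tcp     873

# Deliberately absent: a tcrules entry marking the remote VPN host's external
# IP tcp/1194 into class 1 on the external interface. That rule would give
# the whole tunnel, backups included, VoIP priority on the outer link, which
# is the objection raised in the reply above.
```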
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
