[strongSwan] question on prioritizing traffic with iproute2 tc and strongswan

Andreas Steffen andreas.steffen at strongswan.org
Tue Jun 21 08:15:19 CEST 2011

Hello Lyle,

the following DiffServ scenario might give you some ideas on
how to do the prioritizing using XFRM marks:




On 06/21/2011 12:39 AM, lyle492 at comcast.net wrote:
> I would like to prioritize certain traffic based on transport
> protocol and port number.  When I use tc filter rules that
> place the filter on a non-ipsec interface, the prioritization
> happens.  When I change the interface to one that has only
> ipsec traffic over it, all traffic is then sent from the
> "everything else" queue.  Very simple case: two queues, one 
> gets priority over the other, no bandwidth metering or other
> complications.  I surmised that tc filters don't
> "see" outgoing packets until after encapsulation, when they
> are encrypted.  Is this correct?  What is the preferred way
> to do this?  Use iptables, mark the traffic and use tc rules
> that choose based on this mark instead?
> Thank you.
> --lyle
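
Added example, not part of either message and not the strongSwan scenario the reply refers to: the iptables-mark approach raised in the question, where the cleartext packet is classified in the mangle table and tc then queues on the firewall mark instead of on protocol and port. The interface eth0, mark value 10, UDP port 5060, the RUN switch and the function names are assumptions for illustration, and the setup relies on the kernel keeping the packet mark across ESP encapsulation.

```shell
#!/bin/sh
# Constructed example: classify cleartext before ESP encapsulation, queue by fwmark.
# Assumed values (not from the thread): eth0, mark 10, UDP port 5060.
DEV="${DEV-eth0}"     # IPsec-facing egress interface
MARK="${MARK-10}"     # firewall mark carried by priority traffic
RUN="${RUN-echo}"     # prints commands by default; run with RUN= as root to apply

setup_queues() {
    # Two strict-priority bands. The priomap sends everything that no filter
    # claims to band index 1, i.e. class 1:2, the "everything else" queue.
    $RUN tc qdisc replace dev "$DEV" root handle 1: prio bands 2 \
        priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
}

mark_priority() {
    # $1 = transport protocol, $2 = destination port.
    # mangle/POSTROUTING sees the packet while it is still cleartext, so the
    # protocol and port matches that tc can no longer make on ESP work here.
    $RUN iptables -t mangle -A POSTROUTING -o "$DEV" -p "$1" --dport "$2" \
        -j MARK --set-mark "$MARK"
}

attach_filter() {
    # The fw classifier matches on the mark, not on packet headers, so it
    # still selects class 1:1 once the payload is encrypted.
    $RUN tc filter add dev "$DEV" parent 1: protocol ip prio 1 \
        handle "$MARK" fw flowid 1:1
}

show_counters() {
    # Per-class packet counters: 1:1 should grow only for marked traffic.
    $RUN tc -s class show dev "$DEV"
}

setup_queues
mark_priority udp 5060
attach_filter
show_counters
```

Run as is, it only prints the four commands; the counters from the last one show whether marked traffic actually lands in class 1:1 on the IPsec interface.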

