Take a look at our WiKi FAQ for updated information on IMQ.
Also browse the following FAQ for the most frequently
asked questions in our mailing list. If you can't find an answer to
your problem here feel free to drop us a line in the list.
1. What can I do with IMQ ?
The imq device has two common usage cases:
With linux only egress shaping is possible (except for the ingress queue
which can only do rate limiting).
IMQ enables you to use egress qdiscs for real ingress shaping.
Shaping over multiple interfaces:
Qdiscs get attached to devices. A consequence of this is that one qdisc
can only handle traffic going to the interface it is attached to.
Sometimes it is desireable to have global limits on multiple interfaces.
With IMQ you can use iptables to specify which packets the qdiscs sees,
so global limits can be placed.
2. Which patchs should I apply to get IMQ working?
There are patchs for kernels 2.6 and 2.4. These patchs must be applied
to the sources and the IMQ options enabled before kernel compilation.
There is another important patch, for iptables. These one should be
applied to the lastest patch-o-matic from netfilter.org. It was tested
against patch-o-matic-20031219. Then running ./runme extra gives the
option to apply the IMQ patch to the iptables source. Don't forget to
recompile and install iptables and its libraries.
With those patchs applied and the kernel and iptables recompiled with the
right options enabled, IMQ will work fine.
Please report any problems you find out.
3. Is it stable?
It seems to be pretty stable, a lot of people are using it without
There is one case which is not entirely clear at this time, enqueueing
packets going to a gre tunnel and also enqueueing the encapsulated
to the same imq device results in the kernel assuming the gre device to
Another thing to note is that touching localy generated traffic may cause
4. When do packets reach the device (qdisc) ?
The imq device registers NF_IP_PRE_ROUTING (for ingress) and
NF_IP_POST_ROUTING (egress) netfilter hooks.
These hooks are also registered by iptables. Hooks can be registered
with different priorities which determine the order in which the
functions will be called. Packet delivery to the imq device in
NF_IP_PRE_ROUTING happens directly after the mangle table has been passed
(not in the table itself!). In NF_IP_POST_ROUTING packets reach the
after ALL tables have been passed. This means you will be able to use
marks for classifying incoming and outgoing packets. Packets seen in
NF_IP_PRE_ROUTING include the ones that will be dropped by packet
later (since they already occupied bandwidth), in NF_IP_POST_ROUTING only
packets which already passed packet filtering are seen.
5. Common seen messages/errors
kernel: ip_queue: initialisation failed: unable to create
kernel: ip6_queue: initialisation failed: unable to create
The imq device feeds itself packets through netfilter queueing mechanism.
At the moment there can only be one netfilter queue per protocol family
this means imq came first and ip(6)_queue cannot register as PF_INET(6)
kernel: nf_hook: Verdict = QUEUE.
You have compiled your kernel with CONFIG_NETFILTER_DEBUG=y.
Turn it off to get rid of these messages.
iptables v1.2.6a: Couldn't load target
`IMQ':/usr/local/lib/iptables/libipt_IMQ.so: cannot open shared object
No such file or directory
You haven't patched/rebuilt/installed iptables correct. The iptables IMQ
target shared libs are only built if your kernel tree has been patched
include the IMQ target using patch-o-matic before. If you took the
precompiled shared libraries you haven't copied them to the right
6. I get some errors applying IMQ patchs to my Debian kernel source. What
is going on?
Norbert Buchmuller pointed out that Debian kernel-source-* packages are
not the same as the kernel.org kernels. These kernels have some patchs
applied on then, so the IMQ patch fails on skbuff.h. Following is a snip
from his e-mails about this issue:
Debian's kernel-source-* packages are not the same as the vanilla
kernel.org kernels. These kernels have some patches applied on them (eg.
patches for discovered exploits).
In that particular case, the '__unused' member is used up by one of those
patches, and then you have to allocate a new member for IMQ. You can make
the changes by hand (on that particular file).
But if you use make-kpkg for the compilation, you are in luck, because
I've managed to create a kernel-patch-imq Debian package. Then you can
compile the kernel like this:
make-kpkg --revision=neptunus --added-patches=imq binary-arch
What do you need for this:
[If you were using Woody, you had to install kernel-patch-scripts from
testing manually. (Because there's no kernel-patch-scripts package in
Woody. Fortunately it has no dependencies, and works well with Woody's
kernel-package). The whole thing is far not as complicated as it sounds:
dpkg -i kernel-patch-scripts_0.99.32_all.deb
Add these lines to /etc/apt/sources.list (the second is optional):
deb http://www.nix.hu/debian/ woody kernel-patch-imq
deb-src http://www.nix.hu/debian/ woody kernel-patch-imq
apt-get install kernel-patch-imq
and then you can use the patch with make-kpkg.
If not using make-kpkg, you can take out the modified patch from the
Debian package, of course. (But why not use make-kpkg, if you can?:-)
The other component you may need is a patched version of Debian's iptables
package. You can fetch a version for Woody (in theory, it may work for
Sarge, but I haven't tried it) from my site as well:
add these lines to /etc/apt/sources.list (the second is optional):
deb http://www.nix.hu/debian/ woody iptables+imq
deb-src http://www.nix.hu/debian/ woody iptables+imq
I'll try my best to be in sync with the upstream. Drop me a mail, if
something does not work. (I'm aware that the versioning of the iptables
package is broken, I'll fix it soon.)
One more thing to be exact (as a FAQ must be): on the 2.6 series kernels
the unmodified patches apply cleanly (at least until 2.6.3, which is the
latest I've tried). From (at least) 2.4.21 - 2.4.25 only the modified
7. How to apply IMQ patch to iptables >= 1.2.9?
The IMQ patch for iptables-1.2.9 must be applied directly to its source
from netfilter.org not to patch-o-matic anymore.
- Download iptables-1.2.9-imq1.diff patch to the iptables source directory
- In iptables source directory apply the patch using:
patch -p1 < iptables-1.2.9-imq1.diff
chmod +x extensions/.IMQ-test*
make KERNEL_DIR=<kernel_source_directory> install
- Check that libipt_IMQ.so has being copied to the iptables lib directory
- Recompile your kernel