I have recently been working with a kind of "virtual machine" using Linux Control Groups. I need to set limits on applications running on a cluster. I managed to limit egress traffic using net_cls and tc queueing. Now I am dealing with ingress shaping. I have noticed that ingress shaping for a specific group cannot be done, since packets from the outside are not marked as belonging to a cgroup. I think that the best thing I can do is ingress shaping with IMQ devices. I already patched and compiled Kernel 3.1.10 and iptables 1.4.12. I did enable the necessary (I believe) kernel options.
The IMQ devices are there and up, and when I do
sar -n DEV 1
I can see that the link from eth0 to imq0 has been successfully established since they have coordinated activity, but the packets are not enqueued correctly, I think, since I do not see any reduction in the download speed.
For testing the settings I am copying a ~75MB file from one computer to another with scp ... ... and the transfer speed is the same when I do not run and when I run the following script:


# Erase previous iptables settings.
/usr/local/sbin/iptables -t nat -F ; /usr/local/sbin/iptables -t nat -X
/usr/local/sbin/iptables -F ; /usr/local/sbin/iptables -X
/usr/local/sbin/iptables -t mangle -F ; /usr/local/sbin/iptables -t mangle -X
# Erase previous qdisc settings.
tc qdisc del dev imq0 root

# Link interface with an IMQ virtual device.
/usr/local/sbin/iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 0

# Build hierarchy of classes.
tc qdisc add dev imq0 handle 1: root htb default 1
tc class add dev imq0 parent 1: classid 1:1 htb rate 1mbit ceil 1.5mbit
tc class add dev imq0 parent 1:1 classid 1:11 htb rate 1mbit ceil 1.5mbit

# Mark packets.
/usr/local/sbin/iptables -t mangle -A PREROUTING -i imq0 -p tcp \
--sport ssh -j MARK --set-mark 11

# Add filter to enqueue marked packets.
tc filter add dev imq0 parent 1:1 protocol ip handle 11 fw classid 1:11

What is wrong? Thank you for any help.