From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tóth Nándor
Date: Tue, 01 Feb 2005 05:44:17 +0000
Subject: Re: [LARTC] simple questions about imq
Message-Id: <41FF1731.70201@sch.bme.hu>
List-Id:
References: <41FD1304.1080305@sch.bme.hu>
In-Reply-To: <41FD1304.1080305@sch.bme.hu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Hi!

Andy Furniss wrote:
> Can I put these rules to the POSTROUTING chain?
>
>> And I can still have my CLASSIFY targets in the POSTROUTING chain,
>> because IMQ queueing will happen after it according to
>> http://lartc.org/howto/lartc.imq.html.
>> So for example:
>> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY --set-class 1:30
>> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY --set-class 1:30
>> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
>> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN
>>
>> If I manage to do this, I promise I will document it in the imq wiki.
>>
>> Any advice/help is appreciated!
>>
>
> You need to jump to imq in postrouting, classify should be done first ok
> try and see.

Ok, will try it.

> If you only want to shape forwarded traffic you could mark/classify
> using -i and -o in forward and then match on mark/class and -j IMQ in
> postrouting, it will only really matter if you have shaper to lan
> traffic you want to exclude from imq.
>
> I don't see why you are classifying to the same class or need return. If
> you have two separate internet links you still need two nonsharing
> queues added to the imq device.

Yes, I have two non-sharing queues(*) now, too. I mark the packets in
PREROUTING, so I can classify them to the appropriate queue in
POSTROUTING. The rules up there are just examples.

I need RETURN, because I have overlapping rules, so packets would be
classified twice (the second classify will be the valid one, isn't it?).

Like:

$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:9
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --syn -m length --length 40:68 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --dport 22 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --dport 22 -j RETURN

Is this a stupid way to do this? I got this from the LARTC howto :)
http://lartc.org/howto/lartc.cookbook.fullnat.intro.html
"We have done a -j RETURN so packets don't traverse all rules"

Thanks for clarifying!

--
Udv,
Nandor

* If anyone is curious:

HTB main 5000+120+250kbps
--- Child1 5000kbps for the DMZ
--- Child2 120kbps first internet line
--- Child3 250 kbps second internet line

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
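The question in the message above is what happens to a packet that matches both CLASSIFY rules when the interleaved RETURN rules are absent. The following is an added example, not part of the mailing-list thread and not anyone's real ruleset: a small Python model of how a mangle POSTROUTING chain is traversed. It encodes two facts about iptables semantics: CLASSIFY is a non-terminating target (it sets the class and the chain continues), while RETURN ends traversal of the chain. The interface name "eth0", the packet fields and the packets themselves are constructed for the demonstration; the class ids 1:9 and 1:10 and the match criteria are taken from the rules in the message.

```python
"""Toy model of iptables mangle-chain traversal: CLASSIFY vs. RETURN.

Added illustration (not part of the original thread). It shows why the
last matching CLASSIFY wins when no RETURN is present, and how RETURN
both fixes the class and stops the packet from traversing later rules.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet: only the fields the example rules look at."""
    out_iface: str
    proto: str
    dport: int = 0
    syn: bool = False
    length: int = 0
    priority: Optional[str] = None  # class set by CLASSIFY (skb->priority)


@dataclass
class Rule:
    """One mangle rule: a match predicate plus a CLASSIFY or RETURN target."""
    match: Callable[[Packet], bool]
    target: str                     # "CLASSIFY" or "RETURN"
    cls: Optional[str] = None       # --set-class value for CLASSIFY


def run_chain(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], int]:
    """Walk the chain top to bottom, like the kernel does.

    Returns (final class, number of rules evaluated). CLASSIFY overwrites
    the class and continues; RETURN stops traversal of this chain.
    """
    evaluated = 0
    for rule in rules:
        evaluated += 1
        if not rule.match(pkt):
            continue
        if rule.target == "CLASSIFY":
            pkt.priority = rule.cls      # non-terminating: keep going
        elif rule.target == "RETURN":
            break                        # terminating: leave the chain
        else:
            raise ValueError(f"unsupported target {rule.target}")
    return pkt.priority, evaluated


# Match predicates mirroring the two overlapping rules in the message
# (-o $INTERNAL_INTERFACE is modelled as "eth0", an assumed name).
def small_syn(p: Packet) -> bool:
    """-p tcp --syn -m length --length 40:68"""
    return p.out_iface == "eth0" and p.proto == "tcp" and p.syn and 40 <= p.length <= 68


def ssh(p: Packet) -> bool:
    """-p tcp --dport 22"""
    return p.out_iface == "eth0" and p.proto == "tcp" and p.dport == 22


# The ruleset as posted: each CLASSIFY followed by a RETURN on the same match.
RULES_WITH_RETURN = [
    Rule(small_syn, "CLASSIFY", "1:9"),
    Rule(small_syn, "RETURN"),
    Rule(ssh, "CLASSIFY", "1:10"),
    Rule(ssh, "RETURN"),
]

# The same ruleset with the RETURN rules dropped.
RULES_WITHOUT_RETURN = [
    Rule(small_syn, "CLASSIFY", "1:9"),
    Rule(ssh, "CLASSIFY", "1:10"),
]


def classify(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], int]:
    """Run a fresh copy of pkt through rules; returns (class, rules evaluated)."""
    return run_chain(rules, Packet(**vars(pkt)))


if __name__ == "__main__":
    # Constructed packets: a small SYN to port 22 matches both rules.
    syn_to_ssh = Packet("eth0", "tcp", dport=22, syn=True, length=60)
    data_to_ssh = Packet("eth0", "tcp", dport=22, syn=False, length=1500)
    dns = Packet("eth0", "udp", dport=53, length=100)
    for name, rules in (("with RETURN", RULES_WITH_RETURN),
                        ("without RETURN", RULES_WITHOUT_RETURN)):
        for label, pkt in (("SYN->22", syn_to_ssh), ("data->22", data_to_ssh), ("udp/53", dns)):
            cls, n = classify(rules, pkt)
            print(f"{name:15} {label:9} class={cls} rules_evaluated={n}")
```

With the RETURN rules in place the small SYN to port 22 stays in class 1:9 and leaves the chain after two rules; without them it is reclassified to 1:10 by the later rule, which is exactly the "second classify is the valid one" behaviour the message suspects. Packets that match nothing keep no class and are handed to the qdisc's default class.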