From: Leonardo Balliache <leoball@opalsoft.net>
To: lartc@vger.kernel.org
Subject: [LARTC] ipchains + mark in output chain ?
Date: Mon, 17 Jun 2002 18:55:33 +0000
Message-ID: <marc-lartc-102434038105050@msgid-missing>
In-Reply-To: <marc-lartc-102389248503844@msgid-missing>
On Wed, 12 Jun 2002 16:48:22 +0200 Stef Coene, answering Ludovic Drolez,
wrote:
>> Can I do mark them on the output chain (ipchains -A output -i ppp0 -m
>> 100) and still have QoS working properly ?
> Yes you can.
>> In other words, what does the kernel:
>> - packet -> input(mark) -> forward -> output(mark) -> qos/egress
> Yep
Nope again. I understand what Stef is trying to say, but it could be confusing
because you are using input(mark) to refer to prerouting.

There really is no such path input -> forward -> output -> qos through
the kernel.

The path that exists is prerouting -> forward -> postrouting.

I have seen people on the list trying to use Linux as a router and applying
iptables over the INPUT and OUTPUT chains when those are not traversed by
packets when the box is a router; just use FORWARD.

If you are trying to say that input(mark) is the chain for marking packets
before entering the kernel, use PREROUTING instead to keep things clear for
all of us.

This diagram, subject to discussion and to improvement and debugging by more
experienced people on the list, can help to clarify things:

                            Network
                    -----------+-----------
                               |
                       +-------+------+
                       |    mangle    |
                       |  PREROUTING  |
                       +-------+------+
                               |
                       +-------+------+   Policy rule database
                       |     PRDB     |   <- controlled by ip rule
                       +-------+------+
                               |
                       +-------+------+
                       |     nat      |
                       |  PREROUTING  |
                       +-------+------+
                               |
        packet is for  +-------+------+  packet is for
        this address   |   ROUTING    |  another address
        +--------------+  DECISION ?  +---------------+
        |              +--------------+               |
+-------+------+                                      |
|    filter    |                                      |
|    INPUT     |                                      |
+-------+------+                                      |
        |                                             |
+-------+------+                                      |
|    Local     |                                      |
|   Process    |                                      |
+-------+------+                                      |
        |                                             |
+-------+------+                               +------+------+
|    mangle    |                               |   filter    |
|    OUTPUT    |                               |   FORWARD   |
+-------+------+                               +------+------+
        |                                             |
+-------+------+                                      |
|     nat      |                                      |
|    OUTPUT    |                                      |
+-------+------+                                      |
        |                                             |
+-------+------+                                      |
|    filter    |                                      |
|    OUTPUT    |                                      |
+-------+------+                                      |
        |              +--------------+               |
        +--------------+   ROUTING    +---------------+
                       |  DECISION ?  | <- controlled by ip route
                       +-------+------+
                               |
                       +-------+------+
                       |     nat      |
                       |  POSTROUTING |
                       +-------+------+
                               |
                       +-------+------+
                       |   TRAFFIC    |
                       |    QUEUE     | <- controlled by tc
                       +-------+------+
                               |
                    -----------+-----------
                            Network

After all of us agree, the diagram could be published at Stef's site (with his
permission, of course) to serve as a reference for people using the list.

Also, Ludovic, I really recommend that you migrate from ipchains to iptables.
The latter is much better code, well designed and clearer to understand than
ipchains. Really try to do it.

Best regards,
Leonardo Balliache
leoball@opalsoft.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
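
Added example, not part of the original message: the hook order from the diagram encoded as data, with a small lint that flags rules placed on chains a pure router never traverses and marks that cannot reach the traffic queue. The traffic-class and role names, the hook labels and the sample rule set are constructed for this example; the model follows the diagram as drawn in the message, not the kernel source.

```python
"""Added example: the diagram's packet path as data, plus a rule lint."""

# Hook order exactly as drawn in the diagram; splitting it into three
# traffic classes is this example's assumption.
PRE = ["mangle/PREROUTING", "PRDB", "nat/PREROUTING", "ROUTING(in)"]
POST = ["ROUTING(out)", "nat/POSTROUTING", "TRAFFIC QUEUE"]
PATHS = {
    "forwarded": PRE + ["filter/FORWARD"] + POST,
    "local-in": PRE + ["filter/INPUT", "Local Process"],
    "local-out": ["Local Process", "mangle/OUTPUT", "nat/OUTPUT",
                  "filter/OUTPUT"] + POST,
}
# Which traffic classes a box handles in each role (constructed names).
ROLES = {"router": ["forwarded"], "host": ["local-in", "local-out"]}


def mark_reaches_queue(traffic, hook):
    """True if a mark set at `hook` is on the packet when tc sees it."""
    path = PATHS[traffic]
    if hook not in path or "TRAFFIC QUEUE" not in path:
        return False
    return path.index(hook) < path.index("TRAFFIC QUEUE")


def lint(rules, role):
    """Return (hook, problem) for rules that cannot do what they intend.

    `rules` is a list of (hook, target) pairs, e.g. ("filter/INPUT", "DROP").
    """
    findings = []
    for hook, target in rules:
        seen_by = [t for t in ROLES[role] if hook in PATHS[t]]
        if not seen_by:
            findings.append((hook, "never traversed in role " + role))
        elif target == "MARK" and not any(
                mark_reaches_queue(t, hook) for t in seen_by):
            findings.append((hook, "mark never reaches the traffic queue"))
    return findings


# Constructed rule set: a router configured with INPUT/OUTPUT rules.
SAMPLE = [("filter/INPUT", "DROP"), ("mangle/OUTPUT", "MARK"),
          ("mangle/PREROUTING", "MARK"), ("filter/FORWARD", "ACCEPT")]

if __name__ == "__main__":
    for hook, problem in lint(SAMPLE, "router"):
        print(f"{hook}: {problem}")
```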