From: King Yung Tong <tong@cs.dal.ca>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Re: iptables diagram (ex: ipchains + mark in output
Date: Thu, 20 Jun 2002 20:32:53 +0000	[thread overview]
Message-ID: <marc-lartc-102460528127873@msgid-missing> (raw)
In-Reply-To: <marc-lartc-102439647716068@msgid-missing>

Hello all,

	I have been working on a similar structure recently. In my case, I am
working on IPSEC FreeS/WAN. I just wonder, does anyone know on which
hooks/filter/chain IPSEC NAT works? Based on the testing I made, I
believe it is on nat OUTPUT.
One more question: when I use IPSEC, I guess all the packets will go to
the "local process" (network layer) to be encrypted and then passed to the
outgoing interface. If so, does that mean INPUT ROUTING is useless, since
all the packets (no matter what the destination is) will go to user space
instead of the forwarding chain?

Patrick

> >
> >                                     Network
> >                             -----------+-----------
> >                                        |
> >                                +-------+------+
> >                                |    mangle    |
> >                                |  PREROUTING  | <- MARK REWRITE
> >                                +-------+------+
> >                                        |
> 
> ip rule is input routing, more correctly, part of the routing,
> not before nat PREROUTING
> 
> 
> >                                +-------+------+    Policy rule database
> >                                |     PRDB     | <- controlled by ip rule
> >                                +-------+------+
> >                                        |
> >                                +-------+------+
> >                                |      nat     |
> >                                |  PREROUTING  | <- DEST REWRITE
> >                                +-------+------+
> >                                        |
> 
> 	You can add here ipchains FILTER and QoS Ingress :)
> 
> 
> >                 packet is for  +-------+------+ packet is for
> >                 this address   |     INPUT    | another address
> >                 +--------------+    ROUTING   +---------------+
> >                 |              +--------------+               |
> >         +-------+------+                                      |
> >         |    filter    |                                      |
> >         |    INPUT     |                                      |
> >         +-------+------+                                      |
> >                 |                                             |
> >         +-------+------+                                      |
> >         |    Local     |                                      |
> >         |   Process    |                                      |
> >         +-------+------+                                      |
> >                 |                                             |
> >         +-------+------+                                      |
> >         |    OUTPUT    |                              +-------+-------+
> >         |    ROUTING   |                              |    filter     |
> >         +-------+------+                              |    FORWARD    |
> >                 |                                     +-------+-------+
> >         +-------+------+                                      |
> >         |    mangle    |                                      |
> >         |    OUTPUT    | MARK REWRITE                         |
> >         +-------+------+                                      |
> >                 |                                             |
> >         +-------+------+                                      |
> >         |     nat      |                                      |
> >         |    OUTPUT    | DEST REWRITE                         |
> >         +-------+------+                                      |
> >                 |                                             |
> >         +-------+------+                                      |
> >         |    filter    |                                      |
> >         |    OUTPUT    |                                      |
> >         +-------+------+                                      |
> >                 |                                             |
> >                 |                                             |
> >                 +----------------+       +--------------------+
> >                                  |       |
> 
> 	Remove the forwarding from here; both clones already
> performed selection of the next hop (routing). Filter FORWARD was in the
> forwarding.
> 
> 
> >                                  |       |
> >                               +--+-------+---+
> >                               |              | selection of the output interface,
> >                               |  FORWARDING  | selection of the next hop,
> >                               +-------+------+ encapsulation, etc.
> >                                       |
> 
> 	Place for ipchains FILTER
> 
> 
> >                                       |
> >                               +-------+------+
> >                               |     nat      |
> >                               | POSTROUTING  | SOURCE REWRITE
> >                               +-------+------+
> >                                       |
> >                                       |
> >                               +-------+------+
> >                               |   TRAFFIC    |
> >                               |    QUEUE     | <- controlled by tc
> >                               +-------+------+
> >                                       |
> >                                       |
> >                            -----------+-----------
> >                                    Network
> >
> > What's your opinion?
> >
> >  > I'll not iterate this issue anymore. We already disturb
> >  > the LARTC subscribers :)
> >
> > Honestly I don't think this kind of discussion disturbs the list; instead
> > it avoids the list becoming itself a "cookbook" list.
> >
> > I use these tools: iproute2, iptables, cipe, lvs and tc. It would be very
> > pedagogic to have a diagram showing how a packet traverses the kernel and
> > which tool controls each block of the diagram.
> 
> http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO-19.html#ss19.21
> 
> after the 2.2 net diagram there are the places used by LVS. Of
> course, this info does not include the recent MANGLE extensions
> that work in all chains.
> 
> > Best regards,
> >
> > Leonardo Balliache
> 
> Regards
> 
> --
> Julian Anastasov <ja@ssi.bg>
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> 

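The quoted diagram is a flow chart, so the easiest way to check what it claims about ordering is to execute it. The toy model below is an added example written for this archive page; it is not code from the kernel, from FreeS/WAN or from any poster in the thread. It walks a packet through the hooks in exactly the order the diagram draws them (mangle PREROUTING, nat PREROUTING, INPUT ROUTING, filter INPUT or filter FORWARD, FORWARDING, nat POSTROUTING, traffic queue, and the OUTPUT ROUTING path for locally generated packets). Every address and rule is constructed from the RFC 5737 documentation ranges; the host address 192.0.2.1, the DNAT rule, the mark rule and the accept/drop policies are assumptions chosen to make three points visible: INPUT ROUTING decides local-versus-forward on the destination as already rewritten by nat PREROUTING, a mark set in mangle PREROUTING is still there when filter INPUT and the tc queue see the packet, and the source rewrite in nat POSTROUTING happens after routing and so cannot influence it. It does not model IPSEC.

```python
"""Toy model of the packet path in the quoted LARTC diagram.

Added example for this archive page, not kernel, FreeS/WAN or poster code.
The hook order follows the diagram; all addresses and rules are constructed
(RFC 5737 ranges) so the effect of each rewrite on later decisions is visible.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0
    path: list = field(default_factory=list)  # hooks visited, in order


LOCAL_ADDRS = {"192.0.2.1"}  # this host's own address (constructed)

# Rule tables: (match field or None for "any", match value, action, argument).
# MARK is non-terminating, as the iptables target is; DNAT/SNAT/ACCEPT/DROP end the chain.
MANGLE_PREROUTING = [("src", "198.51.100.7", "mark", 1)]
NAT_PREROUTING = [("dst", "192.0.2.80", "dnat", "192.0.2.1")]  # publish a local service on .80
FILTER_INPUT = [("mark", 1, "accept", None), (None, None, "drop", None)]
FILTER_FORWARD = [(None, None, "accept", None)]
MANGLE_OUTPUT = []
NAT_OUTPUT = []
FILTER_OUTPUT = [(None, None, "accept", None)]
NAT_POSTROUTING = [("src", "10.1.1.5", "snat", "192.0.2.1")]  # hide an inside host behind us


def apply_rules(pkt, hook, rules):
    """Run one chain over the packet; False means the packet was dropped there."""
    pkt.path.append(hook)
    for match_field, match_value, action, arg in rules:
        if match_field is not None and getattr(pkt, match_field) != match_value:
            continue
        if action == "mark":
            pkt.mark = arg  # non-terminating: keep evaluating the chain
            continue
        if action == "dnat":
            pkt.dst = arg
        elif action == "snat":
            pkt.src = arg
        elif action == "drop":
            return False
        return True  # dnat, snat and accept all end the chain
    return True  # no terminating rule matched: chain policy ACCEPT


def egress(pkt):
    """Shared tail of both paths: next-hop selection, nat POSTROUTING, tc queue."""
    pkt.path.append("FORWARDING")
    apply_rules(pkt, "nat POSTROUTING", NAT_POSTROUTING)  # source rewrite, after routing
    pkt.path.append(f"TRAFFIC QUEUE fwmark={pkt.mark}")  # tc can still classify on the mark


def receive(pkt):
    """Packet arriving from the network; returns (verdict, pkt)."""
    apply_rules(pkt, "mangle PREROUTING", MANGLE_PREROUTING)
    apply_rules(pkt, "nat PREROUTING", NAT_PREROUTING)
    pkt.path.append("INPUT ROUTING")  # decision uses the possibly DNATed destination
    if pkt.dst in LOCAL_ADDRS:
        if not apply_rules(pkt, "filter INPUT", FILTER_INPUT):
            return "dropped", pkt
        pkt.path.append("Local Process")
        return "local", pkt
    if not apply_rules(pkt, "filter FORWARD", FILTER_FORWARD):
        return "dropped", pkt
    egress(pkt)
    return "forwarded", pkt


def send(pkt):
    """Packet generated by a local process; returns (verdict, pkt)."""
    pkt.path.append("OUTPUT ROUTING")  # no INPUT ROUTING and no FORWARD chain on this path
    apply_rules(pkt, "mangle OUTPUT", MANGLE_OUTPUT)
    apply_rules(pkt, "nat OUTPUT", NAT_OUTPUT)
    if not apply_rules(pkt, "filter OUTPUT", FILTER_OUTPUT):
        return "dropped", pkt
    egress(pkt)
    return "sent", pkt


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "192.0.2.80"),  # DNATed to us, marked, accepted
              Packet("10.1.1.6", "192.0.2.1"),       # for us but unmarked: filter INPUT drops
              Packet("10.1.1.5", "203.0.113.9")):    # transit: forwarded and SNATed
        verdict, out = receive(p)
        print(verdict, out.src, "->", out.dst, "via", " > ".join(out.path))
    verdict, out = send(Packet("192.0.2.1", "203.0.113.9"))
    print(verdict, " > ".join(out.path))
```

The model follows the diagram literally. One simplification worth knowing when reading it against a real system: after a destination rewrite in nat OUTPUT the kernel re-evaluates the route for that packet, a step the diagram does not draw.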

Thread overview: 8+ messages
2002-06-18 10:34 [LARTC] Re: iptables diagram (ex: ipchains + mark in output chain ?) Julian Anastasov
2002-06-20  0:19 ` Leonardo Balliache
2002-06-20  8:35 ` Julian Anastasov
2002-06-20 20:32 ` King Yung Tong [this message]
2002-06-25 14:34 ` Jan Coppens
2002-06-25 15:47 ` John Telford
2002-06-25 18:16 ` [LARTC] Re: iptables diagram (ex: ipchains + mark in output chain Michael T. Babcock
2002-06-25 18:47 ` [LARTC] Re: iptables diagram (ex: ipchains + mark in output chain ?) Stef Coene
