From: John Telford <John@JohnTelford.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Re: iptables diagram (ex: ipchains + mark in output chain ?)
Date: Tue, 25 Jun 2002 15:47:46 +0000
Message-ID: <marc-lartc-102502012602654@msgid-missing>
In-Reply-To: <marc-lartc-102439647716068@msgid-missing>

I'd very much like to see this diagram again with all the updates.

Thanks ...John

On Tue, Jun 25, 2002 at 04:34:16PM +0200, Jan Coppens wrote:
> Hi all,
> 
> Is it possible to mark packets (fwmark in mangle table of some sort) after
> ingress policing and before Input routing? I need the ingress policer
> (ingress queue), to filter and classify packets first, then the firewall has
> to filter them again and set the fwmark. All this has to be done before the
> packet reaches its "routing table".
> 
> > > >
> > > >                                     Network
> > > >                             -----------+-----------
> > > >                                        |
> > > >                                +-------+------+
> > > >                                |    mangle    |
> > > >                                |  PREROUTING  | <- MARK REWRITE
> > > >                                +-------+------+
> > > >                                        |
> > >
> > > ip rule is input routing, more correctly, part of the routing,
> > > not before nat PREROUTING
> > >
> > >
> > > >                                +-------+------+    Policy rule database
> > > >                                |     PRDB     | <- controlled by ip rule
> > > >                                +-------+------+
> > > >                                        |
> 
> At this point I should need another mangle table->
> 
> > > >                                +-------+------+
> > > >                                |      nat     |
> > > >                                |  PREROUTING  | <- DEST REWRITE
> > > >                                +-------+------+
> > > >                                        |
> > >
> > > You can add here ipchains FILTER and QoS Ingress :)
> > >
> > >
> > > >                 packet is for  +-------+------+ packet is for
> > > >                 this address   |     INPUT    | another address
> > > >                 +--------------+    ROUTING   +---------------+
> > > >                 |              +--------------+               |
> > > >         +-------+------+                                      |
> > > >         |    filter    |                                      |
> > > >         |    INPUT     |                                      |
> > > >         +-------+------+                                      |
> > > >                 |                                             |
> > > >         +-------+------+                                      |
> > > >         |    Local     |                                      |
> > > >         |   Process    |                                      |
> > > >         +-------+------+                                      |
> > > >                 |                                             |
> > > >         +-------+------+                                      |
> > > >         |    OUTPUT    |                              +-------+-------+
> > > >         |    ROUTING   |                              |    filter     |
> > > >         +-------+------+                              |    FORWARD    |
> > > >                 |                                     +-------+-------+
> > > >         +-------+------+                                      |
> > > >         |    mangle    |                                      |
> > > >         |    OUTPUT    | MARK REWRITE                         |
> > > >         +-------+------+                                      |
> > > >                 |                                             |
> > > >         +-------+------+                                      |
> > > >         |     nat      |                                      |
> > > >         |    OUTPUT    | DEST REWRITE                         |
> > > >         +-------+------+                                      |
> > > >                 |                                             |
> > > >         +-------+------+                                      |
> > > >         |    filter    |                                      |
> > > >         |    OUTPUT    |                                      |
> > > >         +-------+------+                                      |
> > > >                 |                                             |
> > > >                 |                                             |
> > > >                 +----------------+       +--------------------+
> > > >                                  |       |
> > >
> > > Remove the forwarding from here, both clones already
> > > performed selection of the next hop (routing). Filter FORWARD was in the
> > > forwarding.
> > >
> > >
> > > >                                  |       |
> > > >                               +--+-------+---+
> > > >                               |              | selection of the output interface,
> > > >                               |  FORWARDING  | selection of the next hop,
> > > >                               +-------+------+ encapsulation, etc.
> > > >                                       |
> > >
> > > Place for ipchains FILTER
> > >
> > >
> > > >                                       |
> > > >                               +-------+------+
> > > >                               |     nat      |
> > > >                               | POSTROUTING  | SOURCE REWRITE
> > > >                               +-------+------+
> > > >                                       |
> > > >                                       |
> > > >                               +-------+------+
> > > >                               |   TRAFFIC    |
> > > >                               |    QUEUE     | <- controlled by tc
> > > >                               +-------+------+
> > > >                                       |
> > > >                                       |
> > > >                            -----------+-----------
> > > >                                    Network
> > > >
> > > > What's your opinion?
> > > >
> > > >  > I'll not iterate this issue anymore. We already disturb
> > > >  > the LARTC subscribers :)
> > > >
> > > > Honestly I don't think this kind of discussion disturbs the list; instead
> > > > it avoids the list becoming itself a "cookbook" list.
> > > >
> > > > I use these tools: iproute2, iptables, cipe, lvs and tc. It would be very
> > > > pedagogic to have a diagram showing how a packet traverses the kernel and
> > > > which tool controls each block of the diagram.
> > >
> > >
> > > http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO-19.html#ss19.21
> > >
> > > after the 2.2 net diagram there are the places used from LVS. Of
> > > course, this info does not include the recent MANGLE extensions
> > > that work in all chains.
> > >
> > > > Best regards,
> > > >
> > > > Leonardo Balliache
> > >
> > > Regards
> > >
> 
> Cheers,
> 
> Jan
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> 

-- 
John Telford - Owner
JohnTelford.com LLC
503-292-6865 - fax:503-292-3094
john@johntelford.com - www.johntelford.com


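The question quoted above (policer first, then a firewall mark, both before the routing decision) is the classic fwmark policy-routing setup. The script below is an added example and is not code from anyone in this thread; it uses the three tools the thread names (tc, iptables, ip) and records the commands instead of running them unless DRYRUN=0, so the plan can be inspected without root. The interface name, the 1mbit policer rate, the mark value 1, table 100 and the 192.0.2.1 next hop are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. It wires up the path the
# diagram describes: tc ingress policer, then a MARK in mangle PREROUTING,
# then an "ip rule" that selects a routing table on that fwmark.
# Interface, rate, mark value, table number and gateway are assumptions.
set -eu

IFACE="${IFACE:-eth0}"      # assumed ingress interface
MARK="${MARK:-1}"           # assumed fwmark value
TABLE="${TABLE:-100}"       # assumed policy routing table number
GW="${GW:-192.0.2.1}"       # assumed next hop (TEST-NET-1 address)
DRYRUN="${DRYRUN:-1}"       # 1 = only record the commands, 0 = execute (needs root)

NL='
'
CMDS=""   # commands recorded in dry-run mode, one per line

# Execute a command, or record it when DRYRUN=1.
run() {
  if [ "$DRYRUN" = "1" ]; then
    CMDS="${CMDS}$*${NL}"
  else
    "$@"
  fi
}

setup_mark_before_routing() {
  # 1. Ingress policer (controlled by tc). On current kernels the ingress
  #    qdisc runs in the receive path before any netfilter PREROUTING hook,
  #    so whatever survives the policer is what iptables sees next.
  run tc qdisc add dev "$IFACE" handle ffff: ingress
  run tc filter add dev "$IFACE" parent ffff: protocol ip prio 50 u32 \
      match ip src 0.0.0.0/0 police rate 1mbit burst 10k drop flowid :1

  # 2. mangle PREROUTING runs before nat PREROUTING and before the routing
  #    decision, so a mark set here is visible to "ip rule".
  run iptables -t mangle -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
      -j MARK --set-mark "$MARK"

  # 3. Policy routing on the mark: marked packets are looked up in TABLE
  #    instead of the main table.
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add default via "$GW" table "$TABLE"
}

# Check the recorded plan: the MARK rule must be installed before the
# ip rule that depends on it. Returns 0 when the order is right.
mark_precedes_rule() {
  printf '%s' "$CMDS" | awk '
    /iptables -t mangle -A PREROUTING/ && !m { m = NR }
    /ip rule add fwmark/ && !r { r = NR }
    END { if (m && r && m < r) exit 0; exit 1 }'
}

setup_mark_before_routing
if [ "$DRYRUN" = "1" ]; then
  printf 'Planned commands:\n%s' "$CMDS"
  mark_precedes_rule
fi
```

Run it as root with DRYRUN=0 to apply. The comment about the ingress qdisc running before PREROUTING describes current kernels; the thread predates that arrangement, so on an old kernel verify the order on the target (for example with a LOG rule in mangle PREROUTING and a counter on the policer) before relying on it. Rules for the return path (a second ip rule or table for replies) are deliberately left out of the plan.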
Thread overview:
2002-06-18 10:34 [LARTC] Re: iptables diagram (ex: ipchains + mark in output chain ?) Julian Anastasov
2002-06-20  0:19 ` Leonardo Balliache
2002-06-20  8:35 ` Julian Anastasov
2002-06-20 20:32 ` [LARTC] Re: iptables diagram (ex: ipchains + mark in output King Yung Tong
2002-06-25 14:34 ` [LARTC] Re: iptables diagram (ex: ipchains + mark in output chain ?) Jan Coppens
2002-06-25 15:47 ` John Telford [this message]
2002-06-25 18:16 ` [LARTC] Re: iptables diagram (ex: ipchains + mark in output chain Michael T. Babcock
2002-06-25 18:47 ` [LARTC] Re: iptables diagram (ex: ipchains + mark in output chain ?) Stef Coene
