* [LARTC] tc filter and fwmark
@ 2002-12-02 9:55 Andrei Boros
2002-12-03 10:39 ` Stef Coene
0 siblings, 1 reply; 2+ messages in thread
From: Andrei Boros @ 2002-12-02 9:55 UTC (permalink / raw)
To: lartc
Suppose:
ipchains -A forward -s inside_net -d 0/0 -j MASQ -m 100
(similar setup with iptables:
iptables -A PREROUTING -t nat -s inside_net -d 0/0 -j SNAT
iptables -A PREROUTING -t nat -s inside_net -d 0/0 -j MARK --set_mark
100)
eth0 = outside iface
eth1 = inside iface
now:
tc filter add dev eth0 ... handle 100 fw
should catch packets marked by the above rule in ipchains (iptables).
Ok. When the packet returns, the masq/nat code will find it in it's
table and demasquerade it (as if by an invisible inverse rule).
Question:
Will the demasqueraded packets also bear the mark 100?
And will
tc filter add dev eth1 handle 100 fw
Work?
I am probably missing something, as I haven't been able to make it work
this way.
Any suggestions, please?
I want to shape the incoming traffic that I route for my inside network
on the inside iface with queues and more complex shaping, rather then
just a plain drop on the outside iface.
Thank you.
--
ing. Andrei Boros
mailto:andrei@srr.ro / +40-21-303-1870
Centrul pt. Tehnologia Informatiei
Societatea Romana de Radiodifuziune
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [LARTC] tc filter and fwmark
2002-12-02 9:55 [LARTC] tc filter and fwmark Andrei Boros
@ 2002-12-03 10:39 ` Stef Coene
0 siblings, 0 replies; 2+ messages in thread
From: Stef Coene @ 2002-12-03 10:39 UTC (permalink / raw)
To: lartc
On Monday 02 December 2002 10:55, Andrei Boros wrote:
> Suppose:
>
> ipchains -A forward -s inside_net -d 0/0 -j MASQ -m 100
>
> (similar setup with iptables:
> iptables -A PREROUTING -t nat -s inside_net -d 0/0 -j SNAT
> iptables -A PREROUTING -t nat -s inside_net -d 0/0 -j MARK --set_mark
> 100)
>
> eth0 = outside iface
> eth1 = inside iface
>
> now:
> tc filter add dev eth0 ... handle 100 fw
> should catch packets marked by the above rule in ipchains (iptables).
>
> Ok. When the packet returns, the masq/nat code will find it in it's
> table and demasquerade it (as if by an invisible inverse rule).
> Question:
> Will the demasqueraded packets also bear the mark 100?
No. The mask only exists =ion the firewall. If a packet leaves the firewall,
the information is gone.
> And will
> tc filter add dev eth1 handle 100 fw
> Work?
No.
> I am probably missing something, as I haven't been able to make it work
> this way.
> Any suggestions, please?
> I want to shape the incoming traffic that I route for my inside network
> on the inside iface with queues and more complex shaping, rather then
> just a plain drop on the outside iface.
You have to mark the packets if they come from the internet. So the mark is
still available if you want to shape the packets if they leave eth1.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2002-12-03 10:39 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-12-02 9:55 [LARTC] tc filter and fwmark Andrei Boros
2002-12-03 10:39 ` Stef Coene
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.