From: David Watson
Date: Tue, 25 Mar 2003 10:12:17 +0000
Subject: Re: [LARTC] IMQ
MIME-Version: 1
Content-Type: multipart/mixed; boundary="------------020001010800070707090803"
To: lartc@vger.kernel.org

I asked Patrick about NAT and IMQ and he referred me to an archive post on this:

http://mailman.ds9a.nl/pipermail/lartc/2002q3/004725.html

I have applied this patch and it is working as expected. Contents included below:

This is a multi-part message in MIME format.
--------------020001010800070707090803
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

sorry last patch was broken, this one is ok.

patrick

Patrick McHardy wrote:
> Hi Daniel,
>
> Daniel Sercaianu wrote:
>
>> I have the following problems:
>> I cannot shape the ip xxx.xxx.xxx.xxx when I do SNAT or MASQUERADE with
>> them. Otherwise when I remove these two iptables lines the shaping works
>> perfectly.
>>
>> It is very important for me to shape the xxx.xxx.xxx.xxx ip and not the
>> yyy.yyy.yyy.yyy. When I tried to shape yyy.yyy.yyy.yyy, it worked.
>>
>> What rules should be added to make this possible?
>>
>> My iptables rules are:
>>
>> iptables -A PREROUTING -t mangle -s xxx.xxx.xxx.xxx -j MARK --set-mark 1
>> iptables -A POSTROUTING -t nat -s xxx.xxx.xxx.xxx -j SNAT --to zzz.zzz.zzz.zzz -o eth4
>>
>> iptables -t mangle -I PREROUTING -j IMQ
>> ip link set imq0 up
>>
>> ip rule shows the following output:
>>
>> 32764: from zzz.zzz.zzz.0/24 lookup ew
>> 32765: from all fwmark 1 lookup ew
>> 32766: from all lookup main
>> 32767: from all lookup default
>>
>> My tc + htb rule look like this:
>>
>> /sbin/tc qdisc add dev imq0 root handle 1: htb default 200 r2q 3
>> /sbin/tc class add dev imq0 parent 1:0 classid 1:1 htb rate 100Mbit ceil 100Mbit burst 2k prio 5
>>
>> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 handle 1: u32 divisor 256
>>
>> /sbin/tc class add dev imq0 parent 1:1 classid 1:2 htb rate 512kbit ceil 512kbit burst 2k prio 5
>> /sbin/tc qdisc add dev imq0 parent 1:2 handle 10: sfq quantum 1514b perturb 10
>> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 u32 match ip dst xxx.xxx.xxx.xxx flowid 1:2
>
> If i understood you right this is probably not working because imq sees
> packets before zzz.zzz.zzz.zzz is dnated back to xxx.xxx.xxx.xxx. please
> try the attached patch.
>
> bye
>
> patrick
>
> ------------------------------------------------------------------------
>
> --- imq.c.origSun Aug 11 15:30:24 2002 > +++ imq.cSun Aug 11 15:31:17 2002 > @@ -37,7 +37,7 @@ > imq_nf_hook, > PF_INET, > NF_IP_PRE_ROUTING, > -NF_IP_PRI_MANGLE + 1 > +NF_IP_PRI_NAT_DST + 1 > }; > > static struct nf_hook_ops imq_egress_ipv4 = { 
> @@ -54,7 +54,7 @@ > imq_nf_hook, > PF_INET6, > NF_IP6_PRE_ROUTING, > -NF_IP6_PRI_MANGLE + 1 > +NF_IP6_PRI_NAT_SRC + 1 > }; > > static struct nf_hook_ops imq_egress_ipv6 = { > --------------020001010800070707090803 Content-Type: text/plain; name="imqnat.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="imqnat.diff" --- imq.c.origSun Aug 11 15:30:24 2002 +++ imq.cSun Aug 11 15:31:17 2002 @@ -37,7 +37,7 @@ imq_nf_hook, PF_INET, NF_IP_PRE_ROUTING, -NF_IP_PRI_MANGLE + 1 +NF_IP_PRI_NAT_DST + 1 }; static struct nf_hook_ops imq_egress_ipv4 = { 
@@ -54,7 +54,7 @@ imq_nf_hook, PF_INET6, NF_IP6_PRE_ROUTING, -NF_IP6_PRI_MANGLE + 1 +NF_IP6_PRI_NAT_DST + 1 }; static struct nf_hook_ops imq_egress_ipv6 = {
--------------020001010800070707090803--

At 01:24 24/03/2003 +0100, you wrote:
>Hello
>
>I have a server with a dsl connection on eth1 and local interface eth0.
>Because of the NAT i cannot direct traffic to IMQ device in PREROUTING chain
>but have to use INPUT and FORWARD. So i use rules.
>
>iptables -t mangle -A INPUT -i eth1 -j IMQ --todev 0
>iptables -t mangle -A FORWARD -i eth1 -j IMQ --todev 0
>
>And now the strange thing: FORWARD traffic gets directed nicely to the IMQ,
>but INPUT *doesn't* !
>
>To be just sure i removed "FORWARD" line and left only the "INPUT" (other
>mangle rules were removed)
>
>Chain INPUT (policy ACCEPT 3511 packets, 2753307 bytes)
> pkts bytes target prot opt in out source destination
> 343 439847 IMQ all -- eth1 any anywhere anywhere IMQ: todev 0
>
>But when i check IMQ0 using ifconfig:
>
>imq0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> UP RUNNING NOARP MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:30
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
>i see there is no traffic going through this device!
>
>Anyone knows how can it be possible ?
>
>--
>best regards,
>Marcin 'Yans' Bazarnik
>yans@majora.net
>
>_______________________________________________
>LARTC mailing list / LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

_____________________________________________________________
David Watson, Network Manager, Team17 Software Ltd.
Phone: +44-1924-267776 Fax: +44-1924-267658
_____________________________________________________________
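
Review bot: the new priority NF_IP_PRI_NAT_DST + 1 in the @@ -37,7 hunk of imqnat.diff carries no comment saying why the PRE_ROUTING hook has to run after destination NAT; the reason (IMQ must see the address after NAT has been reversed) exists only in the mail text, so a one-line comment above the initializer would keep it with the code. The change is also unconditional: a filter on imq0 that matched the pre-NAT address (zzz.zzz.zzz.zzz in the quoted setup) will stop matching once this is applied, which deserves a note for existing users or a build-time switch.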
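
Review bot: the @@ -54,7 hunk exists in two different forms in this message, and only one can be intended: the quoted copy sets NF_IP6_PRI_NAT_SRC + 1, while the attached imqnat.diff sets NF_IP6_PRI_NAT_DST + 1, which matches the IPv4 hunk. The accompanying text says only that the last patch was broken without naming the difference, so it should state that the NAT_DST variant in the attachment is the one to apply.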
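
The hook ordering Patrick describes in the quoted reply (imq sees packets before zzz.zzz.zzz.zzz is NATed back to xxx.xxx.xxx.xxx), as an added userspace model that is not part of the original mail or of imq.c. The two priority values are those defined in linux/netfilter_ipv4.h; the hook functions, struct names and the two sample addresses are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* IPv4 hook priorities as defined in linux/netfilter_ipv4.h */
enum { PRI_MANGLE = -150, PRI_NAT_DST = -100 };

/* Constructed addresses standing in for zzz.zzz.zzz.zzz and xxx.xxx.xxx.xxx */
#define PUBLIC_ADDR  "203.0.113.1"
#define PRIVATE_ADDR "192.168.0.10"

struct pkt  { const char *dst; const char *seen_by_imq; };
struct hook { int priority; void (*fn)(struct pkt *); };

/* mangle only marks the packet, it does not rewrite addresses */
static void mangle_hook(struct pkt *p) { (void)p; }

/* reply to an SNATed connection: destination is translated back */
static void nat_dst_hook(struct pkt *p) {
    if (strcmp(p->dst, PUBLIC_ADDR) == 0) p->dst = PRIVATE_ADDR;
}

/* hypothetical stand-in for imq_nf_hook: records the address it would queue on */
static void imq_hook(struct pkt *p) { p->seen_by_imq = p->dst; }

static int by_priority(const void *a, const void *b) {
    const struct hook *x = a, *y = b;
    return (x->priority > y->priority) - (x->priority < y->priority);
}

/* Destination address the IMQ hook sees on PRE_ROUTING at a given priority. */
const char *imq_sees(int imq_priority) {
    struct hook chain[] = {
        { imq_priority, imq_hook },
        { PRI_NAT_DST,  nat_dst_hook },
        { PRI_MANGLE,   mangle_hook },
    };
    struct pkt p = { PUBLIC_ADDR, NULL };
    size_t n = sizeof chain / sizeof chain[0];
    qsort(chain, n, sizeof chain[0], by_priority); /* lowest priority value runs first */
    for (size_t i = 0; i < n; i++) chain[i].fn(&p);
    return p.seen_by_imq;
}

int main(void) {
    printf("MANGLE + 1:  imq0 sees dst %s\n", imq_sees(PRI_MANGLE + 1));
    printf("NAT_DST + 1: imq0 sees dst %s\n", imq_sees(PRI_NAT_DST + 1));
    return 0;
}
```

With the hook at MANGLE + 1 a u32 match on the internal address never fires, which is the symptom in the quoted question; at NAT_DST + 1 the same filter matches.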