[LARTC] Packet marking for ingress shaping and NAT

Patrick Spousta spousta@brn.czn.cz
Mon, 10 May 2004 14:31:10 +0200


Andreas Klauer wrote:

> On Monday 10 May 2004 12:10, Patrick Spousta wrote:
> 
>>So I need to mark packets to divide them into the corresponding queue.
> 
> 
> That's all right so far. But the qdisc that shapes incoming traffic usually 
> sits on your LAN device.

I think you are wrong. Shaping can sit on all interfaces, physical and 
logical. IMQ is a logical interface.

> 
> 
>>It has a small problem. After PREROUTING some packets are routed to
>>INPUT (packets intended for this machine for local processes)
>>
>>Does a solution exist to NAT and MARK in PREROUTING, but in this
>>order?
> 
> 
> I'm not sure if I understand what you want to do. Why do you want to mark 

My Linux box has 1 WAN interface (to the ISP, with a public IP address) 
and 3 LAN interfaces (with private IP addresses). The only way to shape 
incoming traffic is to use the IMQ device, because shaping is provided on 
egress. I understood that the packet 'path' looks like this

eth0 -> kernel -> IMQ -> kernel -> ethX
                       ^^^ here is 'egress' where I can do shaping.

But I need to divide traffic into the corresponding queues according to 
the real destination IP. Maybe I don't need marking, I can just use a tc 
filter, but it must be done at a place where the packet has its real 
destination IP, i.e. behind (de)NAT.

I put packets into the IMQ 'interface' via iptables. Ideally in the 
PREROUTING chain, but I think I can use only the 'mangle' table and that 
is before 'nat' :-( So now I'm using the FORWARD chain, but local traffic 
goes outside of the shaping path.

> INPUT packets? There is no qdisc/class to put them in. As for shaping 
> incoming traffic that doesn't get forwarded to the LAN, I haven't found a 
> proper solution to do that yet. So all I can do is make sure that the 
> router doesn't produce any traffic (e.g. don't put a Webserver or similar 
> services on it).

But it isn't a good solution :-(

Patrick

> 
> Andreas
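The ordering problem discussed in this message, as an added example that is not part of the original post: a simplified Python model (not kernel code) of which destination address each netfilter hook sees for a packet arriving on the WAN interface. All addresses, ports, class ids and the de-NAT table are constructed sample values.

```python
# Simplified model of netfilter traversal for a packet arriving on the WAN
# interface. Every address, port and class id here is a constructed sample.
PUBLIC_IP = "203.0.113.1"                 # router's WAN address (assumption)
LOCAL_IPS = {PUBLIC_IP, "192.168.1.1"}    # addresses owned by the router itself
# conntrack reverse mapping for masqueraded flows:
# (public dst, dst port) -> LAN host that opened the connection
DENAT = {
    (PUBLIC_IP, 40001): "192.168.1.10",
    (PUBLIC_IP, 40002): "192.168.2.20",
}
# Per-host classes that a MARK rule or tc filter would want to select
CLASS_BY_DST = {"192.168.1.10": "1:10", "192.168.2.20": "1:20"}


def traverse(dst, dport):
    """Return [(hook, destination IP visible at that hook)] in kernel order."""
    seen = [("mangle/PREROUTING", dst)]       # runs first: still the public dst
    dst = DENAT.get((dst, dport), dst)        # nat/PREROUTING rewrites the dst
    seen.append(("after nat/PREROUTING", dst))
    if dst in LOCAL_IPS:                      # routing decision
        seen.append(("mangle/INPUT", dst))    # delivered to a local process
    else:
        seen.append(("mangle/FORWARD", dst))  # forwarded to a LAN interface
    return seen


def classify_at(hook, dst, dport):
    """Class chosen when classification by destination IP happens at `hook`.

    None means the packet never traverses that hook, or that no per-host
    class matches the address visible there.
    """
    for name, seen_dst in traverse(dst, dport):
        if name == hook:
            return CLASS_BY_DST.get(seen_dst)
    return None


if __name__ == "__main__":
    for pkt in [(PUBLIC_IP, 40001), (PUBLIC_IP, 40002), (PUBLIC_IP, 22)]:
        print(pkt, traverse(*pkt))
```

The last sample packet is addressed to the router itself: it ends in INPUT and never reaches FORWARD, which is the local traffic that escapes the shaping path when IMQ is attached in FORWARD.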