[LARTC] simple questions about imq

Tóth Nándor nug@sch.bme.hu
Tue, 01 Feb 2005 06:44:17 +0100


Hi!

Andy Furniss wrote:
>  Can I put these rules in the POSTROUTING chain?
> 
>>
>> And I can still have my CLASSIFY targets in the POSTROUTING chain, 
>> because IMQ queuing will happen after it according to 
>> http://lartc.org/howto/lartc.imq.html.
>> So for example:
>> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY --set-class 1:30
>> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY --set-class 1:30
>> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
>> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN
>>
>> If I manage to do this, I promise I will document it on the IMQ wiki.
>>
>> Any advice/help is appreciated!
>>
> 
> You need to jump to IMQ in POSTROUTING; CLASSIFY should be done first. OK, 
> try and see.

OK, I will try it.

> If you only want to shape forwarded traffic you could mark/classify 
> using -i and -o in FORWARD and then match on mark/class and -j IMQ in 
> POSTROUTING. It will only really matter if you have shaper-to-LAN 
> traffic you want to exclude from IMQ.
> 
> I don't see why you are classifying to the same class or need RETURN. If 
> you have two separate internet links you still need two non-sharing 
> queues added to the IMQ device.

Yes, I have two non-sharing queues(*) now, too. I mark the packets in 
PREROUTING, so I can classify them to the appropriate queue in POSTROUTING.

The rules up there are just examples.

I need RETURN, because I have overlapping rules, so packets would be 
classified twice (the second CLASSIFY will be the valid one, won't it?).
Like:
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:9
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --syn -m length --length 40:68 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --dport 22 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --dport 22 -j RETURN

Is this a stupid way to do this? I got this from the LARTC howto :)
http://lartc.org/howto/lartc.cookbook.fullnat.intro.html
"We have done a -j RETURN so packets don't traverse all rules"

Thanks for the clarification!

-- 
Regards,
   Nandor

* If anyone is curious:

HTB main 5000+120+250 kbps
  --- Child1 5000 kbps for the DMZ
  --- Child2 120 kbps first internet line
  --- Child3 250 kbps second internet line
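To check the overlap question raised in the message above, here is an added Python model of mangle POSTROUTING traversal (written for this page, not code from the thread or from iptables; the interface name and packet values are constructed). It shows a later matching CLASSIFY overwriting an earlier one unless a RETURN stops traversal of the chain:

```python
"""Toy model of iptables mangle chain traversal (constructed, not iptables).

CLASSIFY sets the packet's class and traversal continues, so a later
matching CLASSIFY overwrites it; RETURN ends traversal of the chain.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Packet:
    out_iface: str
    proto: str
    syn: bool
    length: int
    dport: int
    cls: Optional[str] = None   # class set by CLASSIFY, None if untouched

@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                 # "CLASSIFY" or "RETURN"
    cls: Optional[str] = None   # --set-class value for CLASSIFY

def traverse(chain: List[Rule], pkt: Packet) -> Optional[str]:
    """Walk rules in order; CLASSIFY overwrites and continues, RETURN stops."""
    for rule in chain:
        if not rule.match(pkt):
            continue
        if rule.target == "CLASSIFY":
            pkt.cls = rule.cls
        elif rule.target == "RETURN":
            break
    return pkt.cls

INTERNAL = "eth0"   # stands in for $INTERNAL_INTERFACE (assumed name)

def small_syn(p: Packet) -> bool:   # -p tcp --syn -m length --length 40:68
    return p.out_iface == INTERNAL and p.proto == "tcp" and p.syn and 40 <= p.length <= 68

def ssh(p: Packet) -> bool:         # -p tcp --dport 22
    return p.out_iface == INTERNAL and p.proto == "tcp" and p.dport == 22

def build_chain(with_return: bool) -> List[Rule]:
    """The four POSTROUTING rules from the message, optionally without the RETURNs."""
    chain = [Rule(small_syn, "CLASSIFY", "1:9")]
    if with_return:
        chain.append(Rule(small_syn, "RETURN"))
    chain.append(Rule(ssh, "CLASSIFY", "1:10"))
    if with_return:
        chain.append(Rule(ssh, "RETURN"))
    return chain

def classify(with_return: bool, syn: bool = True, length: int = 60, dport: int = 22) -> Optional[str]:
    """Classify one constructed TCP packet leaving INTERNAL (defaults: a 60-byte SSH SYN)."""
    return traverse(build_chain(with_return), Packet(INTERNAL, "tcp", syn, length, dport))
```

An SSH SYN matches both rule pairs: without RETURN it ends up in 1:10, with RETURN it stays in 1:9 as the first match intended.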