Hi,<br><br>I don't have the output of the "ls" with me.<br>The packet was fragmented in three parts, and I sent 40 packets and I can see 40 packets in the filter, 80 in the qdisc and 40 in the iptables rule (mangle dscp). So, for me, Ingress QoS takes place before the NAT and the mangle table.
<br><br>I made other tests and I think I identified where the re-assembly of fragmented packets is done.<br>I put a simple iptables rule (mangle dscp) and I verified that conntrack was disabled (module unloaded). I sent 40 packets fragmented in two parts into the interface eth0 (MTU 1000 and packet size 1028). The counter of the iptables rule counts 80 packets and the packets go out by the eth1 interface (MTU 1500) but the packets stay fragmented.
<br>If I try this test with the conntrack module loaded, the counter of the iptables rule counts 40 packets and the packets are re-assembled when they go out by the eth1 interface.<br>So, I think it's the conntrack system which re-assembles the fragmented packets.
<br><br><div><span class="gmail_quote">2007/7/2, nano bug <<a href="mailto:linnewbye@gmail.com">linnewbye@gmail.com</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello, <br>
<br>
Can you post a "tc -s -d filter ls dev nas0" ? <div><span class="e" id="q_1138779ae64e8a03_1"><br><br><br><div><span class="gmail_quote">On 7/2/07, <b class="gmail_sendername">Edouard Thuleau</b> <<a href="mailto:thuleau@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
thuleau@gmail.com</a>> wrote:
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Yes,<br>This one was for the DSCP re-marking :<br><br><span style="font-style: italic;">
iptables -t mangle -A PREROUTING -i nas0 -d 192.168.43.2 -j DSCP --set-dscp 0x08</span><br style="font-style: italic;">
<br style="font-style: italic;"><span style="font-style: italic;"> $TC qdisc add dev nas0 handle ffff: ingress</span><br style="font-style: italic;"><span style="font-style: italic;"> $TC filter add dev nas0 parent ffff: protocol ip prio 1 u32 match ip tos 0x20 0xff police rate 200kbit burst 1k drop flowid :1
</span><br><br>and this one with a DNAT rule :<br><br><span style="font-style: italic;"> iptables -t nat -A PREROUTING -i nas0 -p udp --dport 11112 -j DNAT --to-destination 192.168.1.10
</span><br style="font-style: italic;"><br style="font-style: italic;"><span style="font-style: italic;"> $TC qdisc add dev nas0 handle ffff: ingress</span><br style="font-style: italic;"><span style="font-style: italic;">
$TC filter add dev nas0 parent ffff: protocol ip prio 1 u32 match ip dst 192.168.1.10 police rate 200kbit burst 1k drop flowid :1</span><div><span>
<br><br><br><div><span class="gmail_quote">2007/7/2, nano bug <<a href="mailto:linnewbye@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">linnewbye@gmail.com
</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hello, <br><br>Can you post the scripts you are using ?<div><span>
<br><br><div><span class="gmail_quote">On 7/2/07, <b class="gmail_sendername">Edouard Thuleau</b> <<a href="mailto:thuleau@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">thuleau@gmail.com
</a>> wrote:
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Thanks,<br>
I know the older version of this diagram, and this one is quite the same as I described below,
but the problem is the same for the DNAT. I made another test. I changed
the DSCP value in the PREROUTING table and I put an ingress policing which matches this new dscp value but the filter doesn't match anything (I work on a Linux 2.6.17).<br>With my test, the older version (<a href="http://www.imagestream.com/%7Ejosh/PacketFlow.jpg" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://www.imagestream.com/~josh/PacketFlow.jpg</a>) of the diagram seems more exact. <br><br>Do you have an idea?<br><br><div><span class="gmail_quote">2007/7/2, nano bug <<a href="mailto:linnewbye@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
linnewbye@gmail.com
</a>>:</span><div><span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hello, <br><br>I find this one more useful :
<br><br><a href="http://www.imagestream.com/%7Ejosh/PacketFlow-new.png" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://www.imagestream.com/~josh/PacketFlow-new.png</a><br><br><div><div><span><span class="gmail_quote">On 7/2/07, <b class="gmail_sendername">
Edouard Thuleau</b> <<a href="mailto:thuleau@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">thuleau@gmail.com</a>> wrote:</span></span></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><span>
Hi,<br><br>I found this diagram which details the kernel packet traveling:<br><a href="http://www.docum.org/docum.org/kptd/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.docum.org/docum.org/kptd/
</a><br>Is it up to date?<br>I made some tests: I put a DNAT rule in the PREROUTING table for an interface and attached an ingress policy to it; the dst IP wasn't changed. The DNAT isn't done yet.
<br><br>I have another question (I'm not sure this is the right mailing list): for fragmented packets, I see the ingress policy doesn't work correctly and I'd like to know where in the kernel's packet path the fragments are re-assembled. At the NAT or in the routing?
<br><br>Thanks,<br><span>Edouard.<br>
</span><br></span></div>_______________________________________________<br>LARTC mailing list<br><a href="mailto:LARTC@mailman.ds9a.nl" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">LARTC@mailman.ds9a.nl
</a><br><a href="http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc</a><br><br></blockquote></div><br>
</blockquote></span></div></div><br>
</blockquote></div><br>
</span></div></blockquote></div><br>
</span></div></blockquote></div><br>
</span></div></blockquote></div><br>
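The counter comparison from the test at the top of this thread (40 packets sent, each fragmented in two, counted by the mangle rule with and without conntrack loaded), as an added example that is not part of the original messages. The function names and sample files are constructed; `ip_conntrack` is the module name on 2.6.17-era kernels, `nf_conntrack` and `nf_defrag_ipv4` are the names on later kernels.

```shell
#!/bin/sh
# Added example: interpret the mangle-rule counter from the fragment test.
# Function names and sample files are constructed for illustration.

# defrag_modules FILE: names of loaded modules that reassemble IPv4 fragments
# ahead of the mangle PREROUTING chain. FILE is in /proc/modules format.
defrag_modules() {
    awk '$1 == "ip_conntrack" || $1 == "nf_conntrack" || $1 == "nf_defrag_ipv4" { print $1 }' "$1"
}

# rule_packets FILE TARGET: packet counter of the first rule whose target is
# TARGET in saved "iptables -t mangle -L PREROUTING -v -n -x" output.
rule_packets() {
    awk -v t="$2" '$3 == t { print $1; exit }' "$1"
}

# classify SENT FRAGS SEEN: what the rule counted, given SENT datagrams that
# were each split into FRAGS fragments on the wire.
classify() {
    if [ "$3" -eq "$1" ]; then echo reassembled
    elif [ "$3" -eq $(($1 * $2)) ]; then echo fragments
    else echo inconclusive
    fi
}

# Constructed samples (on a live host use /proc/modules and the iptables output).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/modules.txt" <<'EOF'
iptable_mangle 2880 1 - Live 0xf8a10000
ip_tables 13028 1 iptable_mangle, Live 0xf8a00000
EOF
cat > "$tmp/mangle.txt" <<'EOF'
Chain PREROUTING (policy ACCEPT 80 packets, 82240 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      80    82240 DSCP       all  --  eth0   *       0.0.0.0/0            192.168.43.2        DSCP set 0x08
EOF

seen=$(rule_packets "$tmp/mangle.txt" DSCP)
echo "defrag modules loaded: $(defrag_modules "$tmp/modules.txt" | tr '\n' ' ')"
echo "rule counted $seen packets: $(classify 40 2 "$seen")"
```

A result of `fragments` with no defrag module listed matches the first run in the thread; `reassembled` with a conntrack module listed matches the second.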