[LARTC] ipchains + mark in output chain ?

Linux Advanced Routing and Traffic Control

On Wed, 12 Jun 2002 16:48:22 +0200, Stef Coene, answering Ludovic Drolez,
wrote:

 >> Can I mark them on the output chain (ipchains -A output -i ppp0 -m
 >> 100) and still have QoS working properly ?

 > Yes you can.

 >> In other words, what does the kernel:
 >> - packet -> input(mark) -> forward -> output(mark) -> qos/egress

 > Yep

Nope again. I understand what Stef is trying to say, but it could be confusing
because you are using input(mark) to refer to prerouting.

Such a path, input -> forward -> output -> qos, does not really exist in
the kernel.

What exists is the path prerouting -> forward -> postrouting.

I have seen people on the list trying to use Linux as a router and applying
iptables rules in the INPUT and OUTPUT chains, when those chains are not
traversed by packets when the box is a router; just use FORWARD.

If you are trying to say that input(mark) is the chain for marking packets
before they enter the kernel, use PREROUTING instead, to keep things clear for
all of us.

This diagram, subject to discussion and improvement by more experienced
people on the list who can correct it, can help to clarify things:


                                   Network
                           -----------+-----------
                                      |
                              +-------+------+
                              |    mangle    |
                              |  PREROUTING  |
                              +-------+------+
                                      |
                              +-------+------+    Policy rule database
                              |     PRDB     | <- controlled by ip rule
                              +-------+------+
                                      |
                              +-------+------+
                              |      nat     |
                              |  PREROUTING  |
                              +-------+------+
                                      |
               packet is for  +-------+------+ packet is for
               this address   |   ROUTING    | another address
               +--------------+  DECISION ?  +---------------+
               |              +--------------+               |
       +-------+------+                                      |
       |    filter    |                                      |
       |    INPUT     |                                      |
       +-------+------+                                      |
               |                                             |
       +-------+------+                                      |
       |    Local     |                                      |
       |   Process    |                                      |
       +-------+------+                                      |
               |                                             |
       +-------+------+                               +------+------+
       |    mangle    |                               |   filter    |
       |    OUTPUT    |                               |   FORWARD   |
       +-------+------+                               +------+------+
               |                                             |
       +-------+------+                                      |
       |     nat      |                                      |
       |    OUTPUT    |                                      |
       +-------+------+                                      |
               |                                             |
       +-------+------+                                      |
       |    filter    |                                      |
       |    OUTPUT    |                                      |
       +-------+------+                                      |
               |              +--------------+               |
               +--------------+   ROUTING    +---------------+
                              |  DECISION ?  | <- controlled by ip route
                              +-------+------+
                                      |
                              +-------+------+
                              |     nat      |
                              | POSTROUTING  |
                              +-------+------+
                                      |
                              +-------+------+
                              |   TRAFFIC    |
                              |    QUEUE     | <- controlled by tc
                              +-------+------+
                                      |
                           -----------+-----------
                                   Network


After all of us agree, the diagram could be published on Stef's site (with his
permission, of course) to have as a reference for people using the list.

Also, Ludovic, I really recommend that you migrate from ipchains to iptables.
The latter is much better code, well designed and clearer to understand than
ipchains. Really, try to do it.

Best regards,

Leonardo Balliache
leoball@opalsoft.net
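As an added illustration (not part of Leonardo's message, the LARTC HOWTO or any kernel code), the following Python script models the traversal order exactly as the diagram above draws it: packets from the network pass mangle PREROUTING, the PRDB, nat PREROUTING and then either filter INPUT (local delivery) or filter FORWARD, while locally generated packets pass the three OUTPUT chains; both exits go through the routing decision, nat POSTROUTING and the traffic queue. It uses the ppp0 interface and mark 100 from the thread; the local address 192.0.2.1, the destination 10.0.0.5 and the rule set are constructed for the example. The point it demonstrates is the one made above: a mark set in mangle PREROUTING is still present when the packet reaches the egress queue, and a rule placed in INPUT or OUTPUT never fires for forwarded traffic.

```python
"""Toy model of the netfilter chain traversal drawn in the message above.

Constructed illustration only, not kernel or netfilter code. A rule is a
tuple (table, chain, match, action). A MARK action sets packet["mark"],
which is the value the egress traffic queue (tc's fw classifier) would see.
"""

LOCAL_ADDRESSES = {"192.0.2.1"}   # constructed: addresses owned by this box


def set_mark(value):
    """Action that behaves like iptables -t mangle ... -j MARK --set-mark."""
    def action(packet):
        packet["mark"] = value
    return action


def count_into(counter):
    """Action that increments counter["hits"] so we can see if a chain fired."""
    def action(packet):
        counter["hits"] += 1
    return action


def _run_chain(packet, table, chain, rules, visited):
    """Record the chain as visited and apply every matching rule in it."""
    visited.append(f"{table} {chain}")
    for r_table, r_chain, match, action in rules:
        if (r_table, r_chain) == (table, chain) and match(packet):
            action(packet)


def traverse(packet, rules, local_addresses=LOCAL_ADDRESSES):
    """Walk one packet through the diagram; return (chains visited, final mark)."""
    visited = []
    if packet.get("locally_generated"):
        # Packets created by a local process: the three OUTPUT chains.
        for table in ("mangle", "nat", "filter"):
            _run_chain(packet, table, "OUTPUT", rules, visited)
    else:
        # Packets arriving from the network.
        _run_chain(packet, "mangle", "PREROUTING", rules, visited)
        visited.append("PRDB (ip rule)")
        _run_chain(packet, "nat", "PREROUTING", rules, visited)
        if packet["dst"] in local_addresses:
            _run_chain(packet, "filter", "INPUT", rules, visited)
            visited.append("local process")
            # Delivered locally: never reaches the egress traffic queue.
            return visited, packet.get("mark", 0)
        _run_chain(packet, "filter", "FORWARD", rules, visited)
    visited.append("routing decision (ip route)")
    _run_chain(packet, "nat", "POSTROUTING", rules, visited)
    visited.append("traffic queue (tc)")
    return visited, packet.get("mark", 0)


INPUT_HITS = {"hits": 0}
OUTPUT_HITS = {"hits": 0}

# Constructed rule set: mark everything that came in on ppp0 in mangle
# PREROUTING (the chain recommended above), plus counting rules in filter
# INPUT and filter OUTPUT to show that those chains are skipped for
# forwarded traffic.
RULES = [
    ("mangle", "PREROUTING", lambda p: p.get("in") == "ppp0", set_mark(100)),
    ("filter", "INPUT", lambda p: True, count_into(INPUT_HITS)),
    ("filter", "OUTPUT", lambda p: True, count_into(OUTPUT_HITS)),
]


def forwarded_packet():
    """Arrives on ppp0 for another host: PREROUTING -> FORWARD -> tc."""
    return traverse({"in": "ppp0", "dst": "10.0.0.5"}, RULES)


def local_delivery_packet():
    """Arrives on ppp0 for this box: PREROUTING -> INPUT -> local process."""
    return traverse({"in": "ppp0", "dst": "192.0.2.1"}, RULES)


def locally_generated_packet():
    """Created by a local process: the OUTPUT chains -> tc, never PREROUTING."""
    return traverse({"locally_generated": True, "dst": "10.0.0.5"}, RULES)


if __name__ == "__main__":
    for name, fn in (("forwarded", forwarded_packet),
                     ("to local address", local_delivery_packet),
                     ("locally generated", locally_generated_packet)):
        visited, m = fn()
        print(f"{name:18} mark={m:<4} " + " -> ".join(visited))
```

Running it prints one line per path. The forwarded packet carries mark 100 into the traffic queue without ever touching filter INPUT or filter OUTPUT, which is why a marking rule meant for a router belongs in mangle PREROUTING (or FORWARD for filtering) and why rules placed in INPUT or OUTPUT appear to do nothing for transit traffic.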




_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
