Hi all,

Is it possible to mark packets (fwmark in the mangle table, or something of the sort) after ingress policing and before input routing? I need the ingress policer (ingress queue) to filter and classify packets first; then the firewall has to filter them again and set the fwmark. All this has to be done before the packet reaches its "routing table".

> > >
> > >
> > >                  Network
> > >            -----------+-----------
> > >                       |
> > >                +-------+------+
> > >                |    mangle    |
> > >                |  PREROUTING  | <- MARK REWRITE
> > >                +-------+------+
> > >                       |
> >
> > ip rule is input routing, more correctly, part of the routing,
> > not before nat PREROUTING
> >
> > >
> > >                +-------+------+  Policy rule database
> > >                |     PRDB     | <- controlled by ip rule
> > >                +-------+------+
> > >                       |  At this point I should need another mangle table->
> > >                +-------+------+
> > >                |     nat      |
> > >                |  PREROUTING  | <- DEST REWRITE
> > >                +-------+------+
> > >                       |
> >
> > You can add here ipchains FILTER and QoS Ingress :)
> >
> > >
> > > packet is for  +-------+------+  packet is for
> > > this address   |    INPUT     |  another address
> > >  +--------------+   ROUTING    +---------------+
> > >  |              +--------------+               |
> > >  +-------+------+                              |
> > >  |    filter    |                              |
> > >  |    INPUT     |                              |
> > >  +-------+------+                              |
> > >          |                                     |
> > >  +-------+------+                              |
> > >  |    Local     |                              |
> > >  |   Process    |                              |
> > >  +-------+------+                              |
> > >          |                                     |
> > >  +-------+------+                              |
> > >  |    OUTPUT    |                      +-------+-------+
> > >  |   ROUTING    |                      |    filter     |
> > >  +-------+------+                      |    FORWARD    |
> > >          |                             +-------+-------+
> > >  +-------+------+                              |
> > >  |    mangle    |                              |
> > >  |    OUTPUT    | MARK REWRITE                 |
> > >  +-------+------+                              |
> > >          |                                     |
> > >  +-------+------+                              |
> > >  |     nat      |                              |
> > >  |    OUTPUT    | DEST REWRITE                 |
> > >  +-------+------+                              |
> > >          |                                     |
> > >  +-------+------+                              |
> > >
> > >
> > >  |    filter    |                              |
> > >  |    OUTPUT    |                              |
> > >  +-------+------+                              |
> > >          |                                     |
> > >          |                                     |
> > >          +----------------+  +--------------------+
> > >                           |  |
> >
> > Remove the forwarding from here, both clones already
> > performed selection of next hop (routing). Filter FORWARD was in the
> > forwarding.
> >
> > >
> > >                           |  |
> > >                       +--+-------+---+
> > >                       |              |  selection of the output interface,
> > >                       |  FORWARDING  |  selection of the next hop,
> > >                       +-------+------+  encapsulation, etc.
> > >                               |
> >
> > Place for ipchains FILTER
> >
> > >
> > >                               |
> > >                       +-------+------+
> > >                       |     nat      |
> > >                       |  POSTROUTING | SOURCE REWRITE
> > >                       +-------+------+
> > >                               |
> > >                               |
> > >                       +-------+------+
> > >                       |   TRAFFIC    |
> > >                       |    QUEUE     | <- controlled by tc
> > >                       +-------+------+
> > >                               |
> > >                               |
> > >                  -----------+-----------
> > >                         Network
> > >
> > >
> > > What's your opinion?
> > >
> > > > I'll not iterate this issue anymore. We already disturb
> > > > the LARTC subscribers :)
> > >
> > > Honestly I don't think this kind of discussion disturbs the list; instead,
> > > avoid letting the list itself become a "cookbook" list.
> > >
> > > I use these tools: iproute2, iptables, cipe, lvs and tc. It would be very
> > > pedagogic to have a diagram showing how a packet traverses the kernel and
> > > which tool controls each block of the diagram.
> >
> > http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO-19.html#ss19.2 1
> >
> > after the 2.2 net diagram there are the places used from LVS. Of
> > course, this info does not include the recent MANGLE extensions
> > that work in all chains.
> >
> > > Best regards,
> > >
> > > Leonardo Balliache
> >
> > Regards
> >

Cheers,
Jan

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
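The three stages the thread walks through (a tc ingress policer, a mangle PREROUTING mark, and an ip rule keyed on that mark) as one shell script. This is an added example, not code from the thread or from any of its authors; the interface eth0, the 1mbit rate, mark 1, table 100 and the tcp/80 match are assumed values, and DRY_RUN=1 prints the commands instead of executing them so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Hypothetical ruleset: ingress policer -> mangle PREROUTING mark -> ip rule.
# Added example, not from the LARTC thread. DEV/RATE/MARK/TABLE are assumed.
DEV="${DEV:-eth0}"
RATE="${RATE:-1mbit}"
MARK="${MARK:-1}"
TABLE="${TABLE:-100}"

# Print the command when DRY_RUN is set, otherwise execute it (needs root).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Ingress policer (tc): the "QoS Ingress" stage of the diagram.
#    Everything arriving on DEV above RATE is dropped before the firewall
#    and the routing code see it.
setup_ingress() {
    run tc qdisc add dev "$DEV" handle ffff: ingress
    run tc filter add dev "$DEV" parent ffff: protocol ip prio 1 u32 \
        match ip src 0.0.0.0/0 police rate "$RATE" burst 10k drop flowid :1
}

# 2. Mark surviving packets in mangle PREROUTING (the MARK REWRITE box).
setup_mark() {
    run iptables -t mangle -A PREROUTING -i "$DEV" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
}

# 3. Select a routing table by fwmark in the policy rule database
#    (the PRDB box, "controlled by ip rule").
setup_rule() {
    run ip rule add fwmark "$MARK" table "$TABLE"
}

setup_all() {
    setup_ingress
    setup_mark
    setup_rule
}
```

Run it as `DRY_RUN=1 sh script.sh; setup_all` style sourcing to review the generated commands; without DRY_RUN the commands are executed and need root and a kernel with the ingress qdisc and the mangle table.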