I'd very much like to see this diagram again with all the updates.

Thanks ...John

On Tue, Jun 25, 2002 at 04:34:16PM +0200, Jan Coppens wrote:
> Hi all,
>
> Is it possible to mark packets (fwmark in mangle table of some sort) after
> ingress policing and before Input routing? I need the ingress policer
> (ingress queue) to filter and classify packets first, then the firewall has
> to filter them again and set the fwmark. All this has to be done before the
> packet reaches its "routing table".
>
> > > >                            Network
> > > >                     -----------+-----------
> > > >                                |
> > > >                        +-------+------+
> > > >                        |    mangle   |
> > > >                        |  PREROUTING | <- MARK REWRITE
> > > >                        +-------+------+
> > > >                                |
> > >
> > > ip rule is input routing, more correctly, part of the routing,
> > > not before nat PREROUTING
> > >
> > > >                        +-------+------+  Policy rule database
> > > >                        |     PRDB    | <- controlled by ip rule
> > > >                        +-------+------+
> > > >                                |
> >
> > At this point I should need another mangle table->
> >
> > > >                        +-------+------+
> > > >                        |     nat     |
> > > >                        |  PREROUTING | <- DEST REWRITE
> > > >                        +-------+------+
> > > >                                |
> > >
> > > You can add here ipchains FILTER and QoS Ingress :)
> > >
> > > >         packet is for  +-------+------+  packet is for
> > > >         this address   |    INPUT    |  another address
> > > >         +--------------+   ROUTING   +--------------+
> > > >         |              +-------------+              |
> > > >         |                                           |
> > > > +-------+------+                                     |
> > > > |    filter   |                                     |
> > > > |    INPUT    |                                     |
> > > > +-------+------+                                     |
> > > >         |                                           |
> > > > +-------+------+                                     |
> > > > |    Local    |                                     |
> > > > |   Process   |                                     |
> > > > +-------+------+                                     |
> > > >         |                                           |
> > > > +-------+------+                             +-------+-------+
> > > > |    OUTPUT   |                             |     filter    |
> > > > |   ROUTING   |                             |    FORWARD    |
> > > > +-------+------+                             +-------+-------+
> > > >         |                                           |
> > > > +-------+------+                                     |
> > > > |    mangle   |                                     |
> > > > |    OUTPUT   | MARK REWRITE                        |
> > > > +-------+------+                                     |
> > > >         |                                           |
> > > > +-------+------+                                     |
> > > > |     nat     |                                     |
> > > > |    OUTPUT   | DEST REWRITE                        |
> > > > +-------+------+                                     |
> > > >         |                                           |
> > > > +-------+------+                                     |
> > > > |    filter   |                                     |
> > > > |    OUTPUT   |                                     |
> > > > +-------+------+                                     |
> > > >         |                                           |
> > > >         |                                           |
> > > >         +--------------------+   +------------------+
> > > >                              |   |
> > >
> > > Remove the forwarding from here, both clones already
> > > performed selection of next hop (routing). Filter FORWARD was in the
> > > forwarding.
> > >
> > > >                              |   |
> > > >                           +--+---+------+
> > > >                           |             |  selection of the output interface,
> > > >                           |  FORWARDING |  selection of the next hop,
> > > >                           +-------+------+  encapsulation, etc.
> > > >                                   |
> > >
> > > Place for ipchains FILTER
> > >
> > > >                                   |
> > > >                           +-------+------+
> > > >                           |     nat     |
> > > >                           | POSTROUTING |  SOURCE REWRITE
> > > >                           +-------+------+
> > > >                                   |
> > > >                                   |
> > > >                           +-------+------+
> > > >                           |   TRAFFIC   |
> > > >                           |    QUEUE    | <- controlled by tc
> > > >                           +-------+------+
> > > >                                   |
> > > >                                   |
> > > >                        -----------+-----------
> > > >                               Network
> > > >
> > > > What's your opinion?
> > > >
> > > > > I'll not iterate this issue anymore. We already disturb
> > > > > the LARTC subscribers :)
> > > >
> > > > Honestly I don't think this kind of discussion disturbs the list; instead
> > > > avoid the list becoming itself a "cookbook" list.
> > > >
> > > > I use these tools: iproute2, iptables, cipe, lvs and tc. It would be very
> > > > pedagogic to have a diagram showing how a packet traverses the kernel and
> > > > which tool controls each block of the diagram.
> > >
> > > http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO-19.html#ss19.21
> > >
> > > after the 2.2 net diagram there are the places used from LVS. Of
> > > course, this info does not include the recent MANGLE extensions
> > > that work in all chains.
> > > >
> > > > Best regards,
> > > >
> > > > Leonardo Balliache
> > >
> > > Regards
> >
> > Cheers,
> > Jan
> >
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

-- 
John Telford - Owner
JohnTelford.com LLC
503-292-6865 - fax:503-292-3094
john@johntelford.com - www.johntelford.com
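As an added example that is not part of this thread, the shell script below wires up the three control points the diagram labels: tc for the ingress queue (the policer), iptables mangle PREROUTING for MARK REWRITE, and ip rule for the PRDB that picks a routing table by fwmark. The interface eth0, source network 10.0.0.0/8, mark 1, table 100 and gateway 192.168.1.254 are constructed placeholders, as is the 1mbit policing rate. By default the script only prints the commands; with APPLY=1 it executes them (root required). Whether a mark set in mangle PREROUTING is already visible to the ingress policer depends on where the ingress hook sits relative to the netfilter chains, which is exactly what the thread is debating; the script shows each tool's configuration and a way to read back the counters, not that ordering.

```shell
#!/bin/sh
# Added example: configuring the tc / iptables / ip rule blocks of the diagram.
# Every value below is a constructed placeholder, not taken from the thread.
DEV=${DEV:-eth0}                 # interface where packets arrive
SRC_NET=${SRC_NET:-10.0.0.0/8}   # traffic to police and mark
MARK=${MARK:-1}                  # fwmark written in mangle PREROUTING
TABLE=${TABLE:-100}              # routing table selected by ip rule
GW=${GW:-192.168.1.254}          # next hop used inside that table

# Print a command, or execute it when APPLY=1 (needs root and real devices).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Ingress queue: attach the ingress qdisc and a u32 policer, controlled by tc.
ingress_policer() {
    run tc qdisc add dev "$DEV" handle ffff: ingress
    run tc filter add dev "$DEV" parent ffff: protocol ip prio 1 u32 \
        match ip src "$SRC_NET" police rate 1mbit burst 10k drop flowid :1
}

# MARK REWRITE: mangle PREROUTING stamps the fwmark on matching packets.
mangle_mark() {
    run iptables -t mangle -A PREROUTING -i "$DEV" -s "$SRC_NET" \
        -j MARK --set-mark "$MARK"
}

# PRDB: ip rule sends marked packets to their own table with its own default route.
policy_route() {
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$GW" table "$TABLE"
}

# Read back counters to confirm packets are being marked, routed and policed.
verify() {
    run iptables -t mangle -L PREROUTING -v -n
    run ip rule show
    run tc -s filter show dev "$DEV" parent ffff:
}

# The full plan in the order the tools are applied; five commands in total.
plan() {
    ingress_policer
    mangle_mark
    policy_route
}

plan
```

Run it once without APPLY to review the five commands, then with `APPLY=1` to install them; `verify` afterwards shows the packet counters per mangle rule, the rule database, and the policer statistics.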