Re: ACCEPT/DROP/REJECT in mangle?

Linux Advanced Routing and Traffic Control

1a) Is it possible/recommended to ACCEPT/DROP/REJECT in mangle FORWARD?

Yes, it's possible. It's generally regarded as good firewall hygiene to only "transform" packets in the mangle table and make ACCEPT/DROP/REJECT decisions in the filter table - but there are definitely exceptions.


1b) Is it possible/recommended to MARK in filter FORWARD?

No. MARK is only valid in the mangle table.


2) Can i safely put SFQ on a HTB leaf?

Yes.


3) It appears that only packets that are not conntracked traverse the nat table, is this correct?

Yes, that's true. Once NAT'ing has been associated with a particular connection, further packets associated with that connection will automatically undergo the same transformation.


4) Does mangle OUTPUT happen before or after routing?

The best illustration for this on the entire net is the KPTD figure on www.docum.org. From this picture, you can see that this happens *before* routing.


5) When exactly in the packet traversal does egress shaping happen? After mangle POSTROUTING? After nat POSTROUTING?

See the same figure. Traffic control occurs before and after firewall traversal.


6) Recommendations on handling the massive number of connections created by P2P? When P2P classes need to stop borrowing from higher priority classes, the sheer number of connections appears to create some latency.

I don't have a ready answer for this.


_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
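Added example (editor's script, not the poster's and not from the LARTC HOWTO) that puts answers 1a/1b, 2 and the mark-based classification into one runnable script: MARK only in the mangle table, ACCEPT/DROP only in the filter table matching on the mark, an HTB tree with SFQ on every leaf, and a tc "fw" filter that steers packets into classes by that mark. For question 6 it adds one mitigation the reply does not give: a rate limit on NEW connections in the P2P-marked class, so the connection count cannot grow without bound. Everything concrete is an assumption: interface eth0, a 10mbit uplink, TCP ports 6881-6889 standing in for "P2P", port 22 standing in for interactive traffic, and the class rates and limit values. It prints the commands by default (DRY_RUN=1) and only executes them, as root, when run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example for the LARTC thread above; not the poster's configuration.
# Assumptions (not from the post): egress interface eth0, a 10mbit uplink,
# TCP 6881-6889 as a stand-in "P2P" match, TCP 22 as interactive traffic,
# and the class rates / connection limits chosen below for illustration.
DEV="${DEV:-eth0}"
RATE="${RATE:-10mbit}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1a/1b: marks are set in mangle (the only table where MARK is valid);
# the ACCEPT/DROP decisions live in filter and merely match on the mark.
mark_rules() {
  run iptables -t mangle -F FORWARD
  run iptables -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark 1
  run iptables -t mangle -A FORWARD -p tcp --dport 6881:6889 -j MARK --set-mark 2
}

filter_rules() {
  run iptables -F FORWARD
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 6 (one approach, an assumption): admit NEW connections in the P2P class
  # only at a bounded rate; everything over the limit is dropped at the
  # SYN, so the conntrack table and the P2P leaf do not fill up.
  run iptables -A FORWARD -m mark --mark 2 -m conntrack --ctstate NEW \
      -m limit --limit 10/second --limit-burst 30 -j ACCEPT
  run iptables -A FORWARD -m mark --mark 2 -m conntrack --ctstate NEW -j DROP
  run iptables -A FORWARD -j ACCEPT
}

# 2: HTB hierarchy with an SFQ qdisc on every leaf. 4/5: this is egress
# traffic control, so it sees the marks set during firewall traversal.
shape_rules() {
  run tc qdisc del dev "$DEV" root 2>/dev/null
  run tc qdisc add dev "$DEV" root handle 1: htb default 30
  run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$RATE" ceil "$RATE"
  run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate 2mbit ceil "$RATE" prio 0
  run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate 5mbit ceil "$RATE" prio 1
  # P2P leaf: small guaranteed rate and a ceil below the link rate, so it
  # can never borrow the whole link from the higher-priority classes.
  run tc class add dev "$DEV" parent 1:1 classid 1:30 htb rate 1mbit ceil 4mbit prio 2
  for leaf in 10 20 30; do
    run tc qdisc add dev "$DEV" parent 1:$leaf handle $leaf: sfq perturb 10
  done
  # fw classifier: "handle N fw" selects packets carrying nfmark N
  run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
  run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle 2 fw flowid 1:30
}

apply_all() {
  mark_rules
  filter_rules
  shape_rules
}

apply_all
```

Run it once with the default DRY_RUN=1 and read the command list; then `DRY_RUN=0 DEV=eth1 ./shape.sh` as root applies it. The leaf rates (2+5+1 mbit) stay below the parent rate, as HTB expects, and the fw filter handle numbers must equal the marks set in mangle.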
