prerouting does not effect filtering

[reader <benthijssen@xxxxxxxxxxxxxxx>]

I try to shape traffic using HTB and mark packets within iptables using 
PREROUTING. But the filterrules seems to ignore the marks set with 
PREROUTING
Only POSTROUTING marks are accepted.

First my configuration

I have a router connected to the internet via ADSL over interface ppp0. 
eth0 is a tunnel to ppp0 and eth1 serves the LAN.
LAN is 192.168.57.0/24 on 10Mbit
ppp0 is  80.126.16.44 on 320Kbit upstream and 2048Kbit downstream


These are the kernel/programs involved:

Kernel 2.4.20 (Suse 8.2)
iproute version 2.4.7
iptables version 1.2.7a

Underneath the HTB script and a snapshot of the iptables script. The HTB 
script is executed on the beginning of the iptables script.

> # Configure HTB qdisc
> /usr/sbin/tc qdisc add dev eth1 root handle 1:0 htb default 30
> /usr/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 1960kbit burst 15k
> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 152kbit ceil 152kbit burst 2k prio 1
> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:20 htb rate 950kbit ceil 1808kbit burst 15k prio 5
> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:30 htb rate 646kbit ceil 900kbit burst 15k prio 10
> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:40 htb rate 133kbit ceil 152kbit burst 15k prio 15
> /usr/sbin/tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> /usr/sbin/tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
> /usr/sbin/tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
> /usr/sbin/tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10
> # Filter rules
> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw flowid 1:10
> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 2 fw flowid 1:10
> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 4 fw flowid 1:20
> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 5 fw flowid 1:20
> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 8 fw flowid 1:30
> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 10 fw flowid 1:40

> # Snapshot off iptables script. scp and ssh as an exapmle
> # Standard policy is -j DROP
>
> /usr/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1 --dport 22 \
>      -m tos --tos Maximize-Throughput -j MARK --set-mark 10
> /usr/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1 --dport 22 \
>      -m tos --tos Minimize-Delay -j MARK --set-mark 2
>
> /usr/sbin/iptables -A FORWARD -p tcp -i eth1 -o ppp0 -s 192.168.57.0/24 \
>                          -d 0/0 --dport 22 -j ACCEPT
> /usr/sbin/iptables -A POSTROUTING -t nat -p tcp -o ppp0 -s 192.168.57.0/24  \
>                          -d 0/0 --dport 22 -j SNAT --to 80.126.16.44 

And the packages seem to be marked as intented:

 515 31080 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS match 0x10 MARK set 0x2


But tc -s class show dev eth1 
says only htb 1:30 is used.

I get the feeling it is something with the POSTROUTING rule but can not 
work out what is wrong.

Thanks


Ben Thijssen.

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/