Bill,

: Is there a flow diagram as to where tc actions take place with
: respect to NAT and other iptables functions on a multihomed box
: (private & public NICs) ? Are tc filter rules consulted before or
: after NATing?

For simplicity's sake, let's just talk about packets leaving the box
(transmit only). All iptables functions have taken place by the time
the traffic control functions are called.

There are a number of different diagrams which cover this in different
ways. The KPTD [0], which Stef has already mentioned, the Packet Flow
diagram [1], which deals with the bridging, brouting stuff as well, an
older 2.4 packet traversal diagram [2], and my recent diagram of just
the netfilter system [3].

: My real interest is in basic understanding first, and then
: solving a real problem second.

Well...further on the self-promotion front--if understanding is what
you seek, then maybe also my Traffic Control HOWTO would be handy.
It's available at TLDP [4].

: Example:
: Firewall Public NIC 123.123.123.1
: Firewall Private NIC 192.168.168.1
: Dedicated Video Conferencing equipment @ 192.168.168.100
:
: I'd like to write a rule that says any traffic emanating from the
: private .100 box gets 128kbit of bandwidth out of a T1's total 1.55mbit
: as the traffic heads out on to the Internet to find the other end of the
: Video Conference.
:
: The shaping occurs on the Public NIC, but the only address I have to
: work with is a private address. By the time the traffic hits the public
: NIC and tc rules are applied, I suspect the packet no longer has a source
: IP of private .100, but has been NAT'd to the public NIC address. There's
: no way to distinguish private .100's traffic via IP address by the time
: the tc filters are queried. Is that correct?

That is correct, but you can always use the fwmark.

: What methods are available to do this? I can think of marking all
: the packets on the private side then looking for the marks on the
: public side. Or, NAT private.100 to a specific Public IP and then
: write rules for that new Public IP. What other options are there?

As far as I know, these are the two best options. If you don't wish to
mess around with marking, the NAT option seems a very good and sensible
way to go.

If you haven't used tc much, I'd recommend tcng [5]. It's far simpler
to use (and more intuitive) once you have it installed. Though I haven't
tested the below, I could see something like this as a starting point
for your experimentation. If you wished to cap the video bandwidth at
128k, you could simply use the same parameter for the rate and ceil
(videobw).

#define private eth0
#define public  eth1

/* assume that the NAT for the video server is separate from the
   source IP of the remainder of the traffic */
#define videobox 192.168.168.100
#define videopub 123.123.123.100

/* tcng rates: "bps" is bits per second (unlike plain tc) */
#define videobw    128000 bps
#define halft1     772000 bps
#define fullt1    1544000 bps

/* this should take care of shaping download traffic */
dev private {
    egress {
        /* packets leaving the private NIC are heading *to* the LAN;
           conntrack has already restored the private address, so the
           video box is identified by destination, not source */
        class ( <$video> ) if ip_dst == videobox ;
        class ( <$other> ) if 1 ;
        htb {
            class ( rate fullt1, ceil fullt1 ) {
                /* guarantee videobw to $video, allow full usage */
                $video = class ( rate videobw, ceil fullt1 ) ;
                /* guarantee half the t1 to other traffic */
                $other = class ( rate halft1, ceil fullt1 ) ;
            }
        }
    }
}

/* this should take care of shaping upload traffic */
dev public {
    egress {
        /* SNAT (nat POSTROUTING) has already run by the time the
           egress qdisc sees the packet, so match on the public
           address the video box is NATed to */
        class ( <$video> ) if ip_src == videopub ;
        class ( <$other> ) if 1 ;
        htb {
            class ( rate fullt1, ceil fullt1 ) {
                $video = class ( rate videobw, ceil fullt1 ) ;
                $other = class ( rate halft1, ceil fullt1 ) ;
            }
        }
    }
}

Good luck!

-Martin

[0] http://www.docum.org/docum.org/kptd/
[1] http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
[2] http://open-source.arkoon.net/kernel/kernel_net.png
[3] http://linux-ip.net/nf/nfk-traversal.png
[4] http://tldp.org/HOWTO/Traffic-Control-HOWTO/
[5] http://tcng.sourceforge.net/

--
Martin A. Brown --- Wonderfrog Enterprises --- martin@xxxxxxxxxxxxxx

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
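The other option Martin mentions, the fwmark, written out with plain iptables and tc rather than tcng. This is an added example, not code from Martin's post, from tcng or from the LARTC HOWTO. The interface names, addresses and rates follow Bill's scenario above; the mark value (10), the HTB class ids and the choice of default class are assumptions. The point it demonstrates is the ordering Martin describes: the mark is set in the mangle table while the source address is still the private one, it survives SNAT in POSTROUTING, and the `fw` classifier on the public NIC's egress qdisc matches on the mark instead of on any address.

```shell
#!/bin/sh
# Added example (not from the original post): shape the video box's
# upload on the public NIC using a firewall mark, so the classification
# does not depend on a source address that SNAT has already rewritten.

PRIVATE=eth0                  # Bill's private NIC
PUBLIC=eth1                   # Bill's public NIC (the T1 side)
VIDEOBOX=192.168.168.100      # dedicated video conferencing box
MARK=10                       # fwmark value: arbitrary, an assumption
VIDEO_RATE=128kbit            # guaranteed to the video box
OTHER_RATE=772kbit            # guaranteed to everything else (half a T1)
T1_RATE=1544kbit              # the whole line

# When DRY_RUN is non-empty the commands are printed instead of run, so
# the ruleset can be reviewed without root and without touching a live box.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

mark_video_traffic() {
    # mangle PREROUTING runs before routing and before nat POSTROUTING,
    # i.e. while the packet still carries the private source address.
    # The mark lives in the skb, not in the packet, so SNAT cannot remove it.
    run iptables -t mangle -A PREROUTING -i "$PRIVATE" -s "$VIDEOBOX" \
        -j MARK --set-mark "$MARK"
}

shape_public_egress() {
    # HTB on the public NIC: one parent class sized to the T1, two children
    # that share it. Unclassified traffic falls into 1:20 (default 20).
    run tc qdisc del dev "$PUBLIC" root 2>/dev/null || true
    run tc qdisc add dev "$PUBLIC" root handle 1: htb default 20
    run tc class add dev "$PUBLIC" parent 1: classid 1:1 htb rate "$T1_RATE" ceil "$T1_RATE"
    # Video: 128kbit guaranteed, may borrow up to the full line when it is idle.
    run tc class add dev "$PUBLIC" parent 1:1 classid 1:10 htb rate "$VIDEO_RATE" ceil "$T1_RATE"
    # Everything else: half the T1 guaranteed, may also borrow.
    run tc class add dev "$PUBLIC" parent 1:1 classid 1:20 htb rate "$OTHER_RATE" ceil "$T1_RATE"
    # The fw classifier keys on the mark, so no address appears in any tc rule.
    run tc filter add dev "$PUBLIC" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10
}

setup_video_shaping() {
    mark_video_traffic
    shape_public_egress
}

# Sanity check on the generated ruleset: the mark is set and matched, and the
# private address is used only by iptables, never by a tc filter.
check_dry_run() {
    out=$(DRY_RUN=1 setup_video_shaping)
    echo "$out" | grep -q -- "--set-mark $MARK" || return 1
    echo "$out" | grep -q "handle $MARK fw flowid 1:10" || return 1
    echo "$out" | grep '^tc ' | grep -q "$VIDEOBOX" && return 1
    return 0
}

# Default is a dry run; APPLY=1 really programs the kernel (needs root).
if [ "${APPLY:-}" != 1 ]; then
    DRY_RUN=1
fi
setup_video_shaping
```

Run it as-is to see the commands it would issue; `APPLY=1 sh shape-video.sh` applies them. Because the tc side never mentions 192.168.168.100, the same qdisc and filter keep working if the box's private address changes or if it is later given its own public NAT address: only the single mangle rule needs updating.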