Hi Alexis,
I -- THINK -- that this is how it happens.
Cheers,
Charles
On Fri, 2004-09-03 at 20:12, Alexis wrote:
> Hi all, I've been reading the LARTC HOWTO; I'm new to traffic
> shaping/policing.
>
> As far as I have read (chapter 9 complete), I saw that first the packet
> passes the ingress qdisc, then it passes to the IP stack if the packet
> is directed to the box or is forwarded (my case), then it falls to
> the egress classifier(s).
>
> Now, I understand that if I have an IPsec VPN at the outside interface,
> the egress classifiers will act before the packet leaves the kernel and
> enters the VPN tunnel. Is this correct?
>
> Here's my situation: I have a "headquarters" box that is a database
> (to call it something) and then a lot of branches that send queries
> to this database and, based on the results, the branches send packets
> to other branches through some established IPsec tunnels. So HQ is the
> route database, and the branches send voice traffic to other branches.
>
> Now I have to set up traffic shaping and manage the bandwidth for
> signaling and for voice flows (RTP flows). So I need to be sure
> that I can classify the packets at the outside interface before they
> enter the VPN tunnel.
>
> Is this correct?
>
>
> Thanks in advance.
>
>
> --
> Alexis
Kernel Packet Traveling Diagram (from docum.org)

                                Network
                        -----------+-----------
                                   |
                     +--------------------------+
             +-------+-------+        +---------+---------+
             |   IPCHAINS    |        |     IPTABLES      |
             |     INPUT     |        |    PREROUTING     |
             +-------+-------+        | +-------+-------+ |
                     |                | |   conntrack   | |
                     |                | +-------+-------+ |
                     |                | |    mangle     | |   <- MARK WRITE
                     |                | +-------+-------+ |
                     |                | |      IMQ      | |
                     |                | +-------+-------+ |
                     |                | |      nat      | |   <- DEST REWRITE
                     |                | +-------+-------+ |      DNAT or REDIRECT or DE-MASQUERADE
                     |                +---------+---------+
                     +--------------------------+
                                   |
                           +-------+-------+
                           |      QOS      |
                           |    INGRESS    |
                           +-------+-------+
                                   |
                                   |
                                   |
                       +-----------+---------------+
                       |   if dst ip via ipsec    |
                       |  put on ipsecX interface |
                       +-----------+---------------+
                                   |
           packet is for   +-------+-------+    packet is for
           this machine    |     INPUT     |    another address
           +---------------+    ROUTING    +----------------+
           |               |     + PDBB    |                |
           |               +---------------+                |
   +-------+-------+                                        |
   |   IPTABLES    |                                        |
   |     INPUT     |                                        |
   | +-----+-----+ |                                        |
   | |  mangle   | |                                        |
   | +-----+-----+ |                                        |
   | |  filter   | |                                        |
   | +-----+-----+ |    to iptables prerouting              |
   +-------+-------+               ^                        |
           |                       |                        |
           |                       |                        |
   +-------+-------+  yes  +-------+-------+                |
   |  esp packet   |-------|    decrypt    |                |
   +-------+-------+       +---------------+                |
           |                                                |
           | no                                             |
           |                                 +--------------+--------------+
   +-------+-------+                 +-------+-------+             +-------+-------+
   |     Local     |                 |   IPCHAINS    |             |   IPTABLES    |
   |    Process    |                 |    FORWARD    |             |    FORWARD    |
   +-------+-------+                 +-------+-------+             | +-----+-----+ |
           |                                 |                     | |  mangle   | |   <- MARK WRITE
   +-------+-------+                         |                     | +-----+-----+ |
   |    OUTPUT     |                         |                     | |  filter   | |
   |    ROUTING    |                         |                     | +-----+-----+ |
   +-------+-------+                         |                     +-------+-------+
           |                                 +--------------+--------------+
   +-------+-------+                                        |
   |   IPTABLES    |                                        |
   |    OUTPUT     |                                        |
   | +-----------+ |                                        |
   | | conntrack | |                                        |
   | +-----+-----+ |                                        |
   | |  mangle   | |   <- MARK WRITE                        |
   | +-----+-----+ |                                        |
   | |    nat    | |   <- DEST REWRITE                      |
   | +-----+-----+ |      DNAT or REDIRECT                  |
   | |  filter   | |                                        |
   | +-----+-----+ |                                        |
   +-------+-------+                                        |
           |                                                |
           +-----------------------+------------------------+
                                   |
                     +--------------------------+
             +-------+-------+        +---------+---------+
             |   IPCHAINS    |        |     IPTABLES      |
             |    OUTPUT     |        |    POSTROUTING    |
             +-------+-------+        | +-------+-------+ |
                     |                | |    mangle     | |   <- MARK WRITE
                     |                | +-------+-------+ |
                     |                | |      nat      | |   <- SOURCE REWRITE
                     |                | +-------+-------+ |      SNAT or MASQUERADE
                     |                | |      IMQ      | |
                     |                | +-------+-------+ |
                     |                +---------+---------+
                     +--------------------------+
                                   |
                           +-------+-------+
                           |      QOS      |
                           |    EGRESS     |
                           +-------+-------+   to iptables postrouting
                                   |                      ^
                                   |                      |
                                   |                      |
                      +------------+--------+  yes  +-----+---+
                      | interface is ipsecX |-------| encrypt |
                      +------------+--------+       +---------+
                                   |
                                   | no
                                   |
                                   |
                        -----------+-----------
                                Network

- Name of firewall chain (in bold)
- Controlled by iptables/ipchains (in blue)
- Controlled by ip/tc (in red)
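The diagram places QOS EGRESS on the ipsecX interface ahead of the encrypt step, so a tc filter attached to ipsec0 still sees the inner IP/UDP header of the packet it is classifying. Below is an added example of such a setup (it is not code from this mail, from docum.org or from the LARTC HOWTO): an HTB tree with a small high-priority class for signaling, a guaranteed class for RTP and a bulk class for everything else. The interface name ipsec0, the 512kbit tunnel rate, the per-class rates and the port numbers (UDP 5060 for signaling, UDP 16384-32767 for RTP) are all assumptions to be replaced with the real values.

```shell
#!/bin/sh
# Added example, not from the original mail or from docum.org.
# Shapes the cleartext side of a FreeS/WAN-style ipsecX interface so that
# tc classifies signaling and RTP BEFORE the "encrypt" step in the diagram.
# Interface name, rates and ports below are assumptions.
set -e

TC="${TC:-tc}"                 # set TC="echo tc" to print the commands instead
DEV="${DEV:-ipsec0}"           # assumption: the tunnel's virtual interface
RATE="${RATE:-512kbit}"        # assumption: what the tunnel link can carry
SIG_PORT="${SIG_PORT:-5060}"   # assumption: UDP signaling port (SIP)
RTP_BASE="${RTP_BASE:-16384}"  # assumption: RTP ports 16384-32767 expressed as
RTP_MASK="${RTP_MASK:-0xc000}" # a u32 value/mask pair (0x4000-0x7fff)

shape_ipsec_egress() {
    dev="$1"

    # Start from a clean root; "del" fails harmlessly if nothing is attached.
    $TC qdisc del dev "$dev" root 2>/dev/null || true

    # HTB root; anything no filter claims lands in the bulk class 1:30.
    $TC qdisc add dev "$dev" root handle 1: htb default 30
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "$RATE" ceil "$RATE"

    # 1:10 signaling (small, served first), 1:20 RTP (guaranteed share,
    # served before bulk), 1:30 everything else (database queries, etc.).
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate 32kbit  ceil "$RATE" prio 0
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate 320kbit ceil "$RATE" prio 1
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate 160kbit ceil "$RATE" prio 2

    # u32 can match the inner UDP header here because ESP is applied later.
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 17 0xff match ip dport "$SIG_PORT" 0xffff flowid 1:10
    $TC filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
        match ip protocol 17 0xff match ip dport "$RTP_BASE" "$RTP_MASK" flowid 1:20
}

if [ "${1:-}" = "--apply" ]; then
    shape_ipsec_egress "$DEV"
else
    echo "dry run: pass --apply to configure $DEV" >&2
    TC="echo tc" shape_ipsec_egress "$DEV"
fi
```

Run it with --apply as root; without that flag it only prints the tc commands. Afterwards `tc -s class show dev ipsec0` shows whether bytes are landing in 1:10 and 1:20 rather than in the default 1:30, which is the quickest way to confirm the filters match what you think they match. Two caveats. The egress qdisc on the physical outside interface runs after encryption and sees only ESP, so it can shape the aggregate tunnel but cannot tell RTP from signaling; the per-flow work has to be done on ipsecX. And the ipsecX device is the FreeS/WAN-style construct the diagram draws; a kernel whose IPsec is the native 2.6 xfrm stack has no such interface, and this script has nowhere to attach.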