Hello,

I am using the following iptables POSTROUTING rule to NAT some RFC 1918 addresses:

    iptables -t nat -A POSTROUTING -s 192.168.19.23 ! -d 192.168.0.0/255.255.0.0 -p tcp --dport 80 -j SNAT --to-source 10.32.4.2

(I am using SNAT instead of MASQUERADE for performance reasons.) I have several addresses on the 192.168.0.0/16 subnet that I am SNAT'ing similarly.

Problem is, 'tc -s filter show parent ffff: dev bond0' is reporting that the ingress qdisc rules for each of these RFC 1918 addresses are being bypassed:

    tc qdisc add dev bond0 ingress
    tc filter add dev bond0 parent ffff: protocol ip prio 10 u32 match ip dst 192.168.19.23/32 flowid 1:1 action police rate 100kbps burst 200kb drop

However, the same lartc ingress filter rules work fine when run on the NAT gateway address (10.32.4.2). I suppose this means that the ingress filter is being run too early in the PREROUTING chain to catch the NAT'ed destination address.

Is there a patch to change this behaviour? I've also tried using connmark to no avail. I would rather avoid using IMQ since my ingress QoS needs are pretty simple. Any suggestions?

Thanks!
Eser Chamoglu