Re: Where the de-SNAT actually takes place?

On 19-08-2006 19:38, longraider wrote:
> Hi
> ...
> And all that I want to do is ingress queuing using IMQ. I want to fwmark
> packets according to their de-SNATed destination address (and some other
> things also), and then put them into the IMQ ingress queue.
> I could use the packet matching available in the ingress queue itself
> (by ip tool), but I don't know if the packets that go into IMQ are
> de-SNATed or not.

IMQ can be configured as to the point of the traversal at which packets should be sent to an IMQ pseudo-device (e.g. imq0). This diagram shows the default variant (so-called BA - Before PREROUTING - After POSTROUTING), which in my opinion isn't appropriate for common NAT situations. So try to recompile your kernel after changing the IMQ config to the AB variant, and it will see de-nated addresses both incoming (-j IMQ in PREROUTING) and outgoing (-j IMQ in POSTROUTING - better not to use one imq device for both).

> So, where the de-SNAT actually takes place?

But you should rather use a tc filter then (on imq it is always egress). MARK (fwmark) will see incoming packets de-nated only beginning from FORWARD or INPUT, so to use it like you planned, you should add an IMQ rule for incoming packets in POSTROUTING, which is impractical (and excludes the INPUT part).

Jarek P.
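
The ordering discussed in this message, as an added example that is not part of the original post: a simplified Python model of one reply packet crossing PREROUTING on a SNAT router. The addresses are constructed, and the IMQ hook priorities for the BA and AB variants are an assumption about how the IMQ patch registers its hook.

```python
# Simplified model of IPv4 netfilter PREROUTING ordering for a reply packet
# returning to a SNATed LAN host. Not kernel code; addresses are constructed.
NF_IP_PRI_MANGLE = -150    # mangle table (MARK and -j IMQ rules live here)
NF_IP_PRI_NAT_DST = -100   # NAT in PREROUTING: DNAT and reversal of SNAT

# Assumption: the IMQ hook sits just after mangle in the BA variant and
# just after NAT in the AB variant.
IMQ_PRIORITY = {"BA": NF_IP_PRI_MANGLE + 1, "AB": NF_IP_PRI_NAT_DST + 1}

ROUTER_WAN = "203.0.113.1"   # constructed: public address used for SNAT
LAN_HOST = "192.168.1.10"    # constructed: original sender behind the NAT


def prerouting_view(variant):
    """Return {stage: destination address seen} for one reply packet."""
    pkt = {"dst": ROUTER_WAN}   # replies arrive addressed to the router
    seen = {}

    def mangle(p):
        # A MARK rule matching on destination here sees the NATed address.
        seen["mangle"] = p["dst"]

    def nat(p):
        # conntrack maps the reply back to the original sender (de-SNAT).
        if p["dst"] == ROUTER_WAN:
            p["dst"] = LAN_HOST

    def imq(p):
        # The packet is handed to imqN; tc filters on imqN see this address.
        seen["imq"] = p["dst"]

    hooks = [(NF_IP_PRI_MANGLE, mangle),
             (NF_IP_PRI_NAT_DST, nat),
             (IMQ_PRIORITY[variant], imq)]
    for _, hook in sorted(hooks, key=lambda h: h[0]):
        hook(pkt)

    # FORWARD and INPUT run only after every PREROUTING hook has finished.
    seen["forward"] = pkt["dst"]
    return seen


if __name__ == "__main__":
    for variant in ("BA", "AB"):
        print(variant, prerouting_view(variant))
```

In both variants the mangle stage still sees the router's address, which is why a destination-based fwmark set in PREROUTING cannot select the LAN host, while a tc filter attached to the imq device can in the AB variant.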


