[LARTC] Ingress qdisc bypassed on SNAT'ed traffic?

To: lartc@mailman.ds9a.nl
Subject: [LARTC] Ingress qdisc bypassed on SNAT'ed traffic?
From: EKC <webmaster@generalsynthesis.com>
Date: Sun, 5 Nov 2006 19:46:15 -0800
Hello,

I am using the following iptables POSTROUTING rule to NAT some RFC
1918 addresses:

iptables -t nat -A POSTROUTING -s 192.168.19.23 ! -d 192.168.0.0/255.255.0.0 -p tcp --dport 80 -j SNAT --to-source 10.32.4.2

(I am using SNAT instead of MASQUERADE for performance reasons).
I have several addresses on the 192.168.0.0/16 subnet that I am
SNAT'ing similarly.

Problem is, 'tc -s filter show parent ffff: dev bond0' is reporting
that the ingress qdisc rules for each of these RFC1918 addresses are
being bypassed:

tc qdisc add dev bond0 ingress
tc filter add dev bond0 parent ffff: protocol ip prio 10 u32 match ip dst 192.168.19.23/32 flowid 1:1 action police rate 100kbps burst 200kb drop

However, the same lartc ingress filter rules work fine when run on the
NAT gateway address (10.32.4.2).

I suppose this means that the ingress filter is being run too early in
the PREROUTING chain to catch the NAT'ed destination address. Is there
a patch to change this behaviour?

I've also tried using connmark to no avail.

I would rather avoid using IMQ since my ingress QOS needs are pretty simple.

Any suggestions?

Thanks!

Eser Chamoglu
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
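The check the post relies on is the per-filter counters from 'tc -s filter show parent ffff:'; the ingress qdisc hook runs before netfilter PREROUTING, so a policer keyed on the private address sees no packets while the one keyed on the public address does. The script below is an added example (not from the post or from the LARTC project) that decodes the u32 hex 'match' lines back into dotted addresses and lists the destinations whose policer has never been hit; the tc output it parses is constructed to resemble iproute2's u32/police formatting.

```python
import re
import ipaddress

# Constructed sample of `tc -s filter show parent ffff: dev bond0` output,
# modelled on iproute2's u32/police formatting (not captured from a real host).
SAMPLE_TC_OUTPUT = """\
filter protocol ip pref 10 u32 fh 800: ht divisor 1
filter protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1
  match c0a81317/ffffffff at 16
        action order 1:  police 0x1 rate 800Kbit burst 200Kb mtu 2Kb action drop
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
filter protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:1
  match 0a200402/ffffffff at 16
        action order 1:  police 0x2 rate 800Kbit burst 200Kb mtu 2Kb action drop
        Sent 1843200 bytes 1536 pkt (dropped 212, overlimits 212 requeues 0)
"""

FILTER_RE = re.compile(r"^filter .* u32 fh (\S+::\S+) ")
MATCH_RE = re.compile(r"^\s*match ([0-9a-f]{8})/([0-9a-f]{8}) at (\d+)")
SENT_RE = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkt \(dropped (\d+)")


def parse_ingress_filters(text):
    """Map each u32 filter handle to its decoded dst match and police counters."""
    filters = {}
    cur = None
    for line in text.splitlines():
        m = FILTER_RE.match(line)
        if m:
            cur = filters.setdefault(m.group(1), {"dst": None, "pkts": 0, "dropped": 0})
            continue
        if cur is None:
            continue
        m = MATCH_RE.match(line)
        if m:
            value, mask, offset = int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))
            # `match ip dst A/32` compiles to a full 32-bit compare at IP header offset 16
            if offset == 16 and mask == 0xFFFFFFFF:
                cur["dst"] = str(ipaddress.IPv4Address(value))
            continue
        m = SENT_RE.match(line)
        if m:
            cur["pkts"], cur["dropped"] = int(m.group(2)), int(m.group(3))
    return filters


def bypassed_destinations(text):
    """Destinations whose ingress policer has seen no packets at all."""
    return sorted(f["dst"] for f in parse_ingress_filters(text).values()
                  if f["dst"] and f["pkts"] == 0)
```

Run it against the real output of 'tc -s filter show parent ffff: dev bond0' to see at a glance which private-address filters are dead because the packets still carry the SNAT address when the ingress hook runs.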
