I asked Patrick about NAT and IMQ and he referred me to an archive
post on this:
http://mailman.ds9a.nl/pipermail/lartc/2002q3/004725.html
I have applied this patch and it is working as expected.
Contents included below:
This is a multi-part message in MIME format.
--------------020001010800070707090803
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
sorry last patch was broken, this one is ok.
patrick
Patrick McHardy wrote:
> Hi Daniel,
>
> Daniel Sercaianu wrote:
>
>> I have the following problems:
>> I cannot shape the ip xxx.xxx.xxx.xxx when I do SNAT or MASQUERADE
with
>> them. Otherwise when I remove these two iptables lines the shaping
works
>> perfectly.
>>
>> It is very important for me to shape the xxx.xxx.xxx.xxx ip and not
the
>> yyy.yyy.yyy.yyy. When I tried to shape yyy.yyy.yyy.yyy, it worked.
>>
>> What rules should be added to make this possible?
>>
>>
>> My iptables rules are:
>>
>> iptables -A PREROUTING -t mangle -s xxx.xxx.xxx.xxx -j MARK
--set-mark 1
>> iptables -A POSTROUTING -t nat -s xxx.xxx.xxx.xxx -j SNAT --to
>> zzz.zzz.zzz.zzz -o eth4
>>
>>
>>
>> iptables -t mangle -I PREROUTING -j IMQ
>> ip link set imq0 up
>>
>>
>> ip rule shows the following output:
>>
>> 32764: from zzz.zzz.zzz.0/24 lookup ew
>> 32765: from all fwmark 1 lookup ew
>> 32766: from all lookup main
>> 32767: from all lookup default
>>
>>
>>
>>
>> My tc + htb rule look like this:
>>
>> /sbin/tc qdisc add dev imq0 root handle 1: htb default 200 r2q 3
>> /sbin/tc class add dev imq0 parent 1:0 classid 1:1 htb rate 100Mbit
>> ceil 100Mbit burst 2k prio 5
>>
>> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 handle 1:
>> u32 divisor 256
>>
>> /sbin/tc class add dev imq0 parent 1:1 classid 1:2 htb rate 512kbit
>> ceil 512kbit burst 2k prio 5
>> /sbin/tc qdisc add dev imq0 parent 1:2 handle 10: sfq quantum 1514b
>> perturb 10
>> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 5 u32 match
>> ip dst xxx.xxx.xxx.xxx flowid 1:2
>
>
>
> If i understood you right this is probably not working because imq sees
> packets before zzz.zzz.zzz.zzz is dnated back to xxx.xxx.xxx.xxx. please
> try the attached patch.
>
>
> bye
>
> patrick
>
>
> ------------------------------------------------------------------------
>
> --- imq.c.origSun Aug 11 15:30:24 2002
> +++ imq.cSun Aug 11 15:31:17 2002
> @@ -37,7 +37,7 @@
> imq_nf_hook,
> PF_INET,
> NF_IP_PRE_ROUTING,
> -NF_IP_PRI_MANGLE + 1
> +NF_IP_PRI_NAT_DST + 1
> };
>
> static struct nf_hook_ops imq_egress_ipv4 = {
> @@ -54,7 +54,7 @@
> imq_nf_hook,
> PF_INET6,
> NF_IP6_PRE_ROUTING,
> -NF_IP6_PRI_MANGLE + 1
> +NF_IP6_PRI_NAT_SRC + 1
> };
>
> static struct nf_hook_ops imq_egress_ipv6 = {
>
--------------020001010800070707090803
Content-Type: text/plain;
name="imqnat.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="imqnat.diff"
--- imq.c.origSun Aug 11 15:30:24 2002
+++ imq.cSun Aug 11 15:31:17 2002
@@ -37,7 +37,7 @@
imq_nf_hook,
PF_INET,
NF_IP_PRE_ROUTING,
-NF_IP_PRI_MANGLE + 1
+NF_IP_PRI_NAT_DST + 1
};
static struct nf_hook_ops imq_egress_ipv4 = {
@@ -54,7 +54,7 @@
imq_nf_hook,
PF_INET6,
NF_IP6_PRE_ROUTING,
-NF_IP6_PRI_MANGLE + 1
+NF_IP6_PRI_NAT_DST + 1
};
static struct nf_hook_ops imq_egress_ipv6 = {
--------------020001010800070707090803--
At 01:24 24/03/2003 +0100, you wrote:>Hello
>
>I have a server with a dsl connection on eth1 and local interface eth0.
>Because of the NAT i cannot direct traffic to IMQ device in PREROUTING chain
>but have to use INPUT and FORWARD. So i use rules.
>
>iptables -t mangle -A INPUT -i eth1 -j IMQ --todev 0
>iptables -t mangle -A FORWARD -i eth1 -j IMQ --todev 0
>
>And now the strange thing: FORWARD traffic gets directed nicely to the IMQ,
>but INPUT *doesn''t* !
>
>To be just sure i removed "FORWARD" line and left only the
"INPUT" (other
>mangle rules were removed)
>
>Chain INPUT (policy ACCEPT 3511 packets, 2753307 bytes)
> pkts bytes target prot opt in out source
>destination
> 343 439847 IMQ all -- eth1 any anywhere
>anywhere IMQ: todev 0
>
>But when i check IMQ0 using ifconfig:
>
>imq0 Link encap:UNSPEC HWaddr
>00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> UP RUNNING NOARP MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:30
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
>i see there is no traffic going through this device!
>
>Anyone knows how can it be possible ?
>
>--
>best regards,
>Marcin ''Yans'' Bazarnik
>yans@majora.net
>
>_______________________________________________
>LARTC mailing list / LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
_____________________________________________________________
David Watson, Network Manager, Team17 Software Ltd.
Phone: +44-1924-267776 Fax: +44-1924-267658
_____________________________________________________________
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/