LARTC - Oct 2001 - MARKing according to both net. interfaces?

[I had no success on the netfilter mailing list so may be here? I
don''t think there is a mailing list devoted to tc?]


In order to later shape the traffic with tc, I''m trying to use
iptables to mark traffic with a condition on both network interfaces
(in and out).

iptables -t mangle -A PREROUTING -p tcp -i eth4 -o eth5 -j MARK --set-mark 0x4 

is accepted but ipchains -v shows that no packets are marked. I assume
this is because, in PREROUTING, you don''t know the output interface
yet.

1) Am I correct?

2) Why is it accepted if it cannot work?

3) Is there a solution, since the mangle table only has OUTPUT (where
-i is not accepted) and PREROUTING? (FreeBSD zealots keep screaming to
me that it works fine with FreeBSD.)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 25 October 2001 15:58, you wrote:
> [I had no success on the netfilter mailing list so may be here? I
> don''t think there is a mailing list devoted to tc?]
>
>
> In order to later shape the traffic with tc, I''m trying to use
> iptables to mark traffic with a condition on both network interfaces
> (in and out).
>
> iptables -t mangle -A PREROUTING -p tcp -i eth4 -o eth5 -j MARK --set-mark
> 0x4
>
iptables
> is accepted but ipchains -v shows that no packets are marked. I assume
> this is because, in PREROUTING, you don''t know the output
interface
> yet.
Why the hell are you involving ipchains into this?=) ipchains != iptables. 
They are mutually exclusive. If one works, the other wont work properly. To 
list the iptables chains do iptables -L. To list the mangle table do iptables 
- -t mangle -L. 
>
> 1) Am I correct?
>
No=).
> 2) Why is it accepted if it cannot work?
>
It does work. However, you used two mutually exclusive commands to make the 
command and to list the commands. Also, the rule only marks packets going 
from the network on eth4 to network on eth5. Are you sure there is any 
packets going in those directions?.
> 3) Is there a solution, since the mangle table only has OUTPUT (where
> -i is not accepted) and PREROUTING? (FreeBSD zealots keep screaming to
> me that it works fine with FreeBSD.)
>
OUTPUT is broken. Use PREROUTING. Packets doing the above wouldn''t
travel
through the mangle table OUTPUT chain either.

Anyways, hope this helps.
>
>
>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO:
> http://ds9a.nl/2.4Routing/
- -- 
 ----------------------------------- 
|Oskar Andreasson                   |
|Multisoft Education AB             |
|http://www.libendo.com             |
|phone: +46-8-6635555               |
|mailto: o.andreasson@libendo.com   |
 ----------------------------------- 
BOFH excuse #172:

pseudo-user on a pseudo-terminal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE72TBbxO3KTTz2r/kRAk1uAJ940W+DHpo+itxt5355IhStaak+2wCfds6J
OfJjpJErV+A66XRtWXiMV0c=gKaE
-----END PGP SIGNATURE-----

On Fri, Oct 26, 2001 at 11:43:51AM +0200,
 Oskar Andreasson <blueflux@koffein.net> wrote 
 a message of 79 lines which said:
> > is accepted but ipchains -v shows that no packets are marked. I
It was a typo, I meant iptables.
> Why the hell are you involving ipchains into this?=) ipchains !iptables.
I know, it was just a typo, I used only iptables. Same question.
> OUTPUT is broken. Use PREROUTING. 
Did you try by yourself?