LARTC - May 2002 - Re: IMQ

Hi !

Odri Kornel wrote:
> Hi, 
> 
> I''m trying to set up a QoS over two logical devices. Imq would be
great, but
> my problem is that it''s using POSTROUTING rules and I''m
already using SNAT
> wich also requires it. 
I don''t see where the problem is, NAT is an iptables table, IMQ is a 
network device. The IMQ iptables target just marks the packet in 
POSTROUTING to be enqueued, the actual enqueueing/dequeueing happens 
later (after all tables have been passed). The only thing you have to be 
aware of is that for outgoing packets the mangle table (marking) will 
see the original source ip while any u32/whatever filters attached to 
the imq device will get the packets already SNATed, but thats just like 
with regular network devices.

Bye,
Patrick

Hi.

Odri Kornel wrote:
> Thank you for your quick answer.
> 
> My problem was that although imq is a device it is called via iptables like
a
> table just as snat. As far as I know if iptables finds a matching rule, it 
> jumps out of the chain, and does not process the other rules. Is this where
I
> made a mistake? I haven''t found any description about this...
Yes this is not true. If a packet is not explicit dropped / accepted it 
continues traversal. Think about the MARK target, in fact the IMQ target 
is just a modified MARK target.
Also, the imq device is not called via iptables, iptables is just used 
for specifying that the current packet should pass through the imq 
device at a later point. The IMQ device feeds itself through netfilter 
hooks, so in theory you could f.e. mark all IPX/whatever packets 
somewhere during their processing and they would pass the imq device, too.
> So, youre saying, that the packet will be processed trough the other 
> postrouting rules after being marked by the mangle rule?
> 
> For ex.:
> 
> iptables -t mangle -A POSTROUTING -o eth0 -j IMQ
> iptables -t mangle -A POSTROUTING -o ipsec0 -j IMQ
> iptables -t nat -A POSTROUTING -j SNAT ...
> 
> This should work?
Yes.
Bye,
Patrick