search for: kptd

Displaying 20 results from an estimated 38 matches for "kptd".

2004 Jan 23
0
kptd & ipsec
hi all, could someone describe where the encryption & de-encryption is in the kptd? thanks! charles
2005 Apr 29
1
IMQ on KPTD
Hi! I would like to thank very much for this great page with Kernel Packet Traveling Diagram and to suggest small update concerning IMQ. I think the sentence: "IMQ in input comes before nat so IMQ does not know the real ip address. Ingress comes after nat, so ingress knows the real ip address." could be more precise like that: "By default IMQ in PREROUTING comes before nat and
2004 Aug 09
1
rp_filter and fib_validate_source sequence in KPTD
Hello all, My question: - - - - - - - Does anybody know when the reverse path filtering occurs as the packet traverses the kernel? Does it happen before NF_IP_PRE_ROUTING (PREROUTING) or not? Does it only happen at route selection time? What I have tried to do to find the answer: - - - - - - - - - - - - - - - - - - - - - - I find a posting (from many years ago) [0], which suggests that this
2004 Jan 22
4
Problems with netfilter
Hi, I have 2 internet connections (1 adsl/1 cable). I am trying to route all outgoing mail from the mail server (on the same box) through the ADSL connection; routing through the cable will mean mail will get rejected by AOL :( I am using qmail as the mail server. The configuration is: eth0 : cable connection ppp0 : adsl connection eth2 : internal lan connection I have configured split access as
2007 Jul 02
8
Kernel Packet Traveling Diagram
Hi, I find this diagram which details the kernel packet traveling : http://www.docum.org/docum.org/kptd/ Is it up to date ? I made some test and I put a DNAT rules in the PREROUTING table of an interface and I attach it a ingress policy, the dst IP wasn't changed. the DNAT it isn't yet make. I've another question (I'm not sure is it the good mailing list), for the...
2005 May 29
1
Routing for multiple uplinks and SNAT to 2 source IPs
Hi, I configured a router box to use 2 providers, as described in the HOWTO. (Appendix 1) I want to use both links to reach a single smtp server. As I read in the kptd and in some old messages of this list, doing a SNAT in the postrouting chain comes _after_ the routing decision. So I guess the following lines I'm trying to use are wrong. (See Appendix 1) What can I do to have multiple connection to the same IP to use both links? Do the following lines...
2004 Apr 08
4
First Post: Question on Ip Aliasing
Hi All, I did a google search on this and didn't find exactly what I was looking for. Suppose I have a machine that has an IP alias eth0:0. I have set up HTB.init so that it properly throttles bandwidth on eth0, however when I use eth0:0, it doesn't work. I read elsewhere that it should work at the PHYSICAL device layer, and should therefore work for both at once. This is not
2003 Dec 02
2
forwarding in tcng
Hi! I am learning tcng without having experience of tc and I am trying to build something that shall schedule traffic dependent on the value in the IPv4 packets ip_ttl field. I have read the tcng reference manual and cannot find information about forwarding. Is it possible to forward packets from ingress to egress without sending them upwards in layers?
2004 Aug 05
4
NAT & tc filter addresses
Is there a flow diagram as to where tc actions take place with respect to NAT and other iptables functions on a multihomed box (private & public NICs) ? Are tc filter rules consulted before or after NATing? My real interest is in basic understanding first, and then solving a real problem second. Example: Firewall Public NIC 123.123.123.1 Firewall Private NIC 192.168.168.1 Dedicated Video
2003 Mar 01
2
Virtual Routers would this work?
Hello all, I need a virtual firewall/router solution. I'm thinking of a netscreen 1000 but I want to know if it can be done in Linux. Here is my idea: 1 Linux box 2 GigE interfaces 1 interface setup with a public IP address ($PUBIP) 1 interface setup with 802.1q VLAN trunking with 100 vlans assigned ($VLAN1-$VLAN100) a /25 subnet routed to $PUBIP from my core routers All $VLAN
2005 Aug 16
3
(yet another) HTB question(s)
...raffic done by clients connected to it, shaping is done on the interface connected to the cable/dsl modem. If I wanted to create classes for every client on the network, I would have to use iptables to mark packets (using -j MARK) and not filters because, according to http://www.docum.org/docum.org/kptd/ the shaping is done after the SNAT, so all the clients would have the src address rewritten with the public IP. Am I getting this right? 2) shaping inbound traffic is tricky because you can't control the rate that the packets come to you. Is it a good idea to shape the outgoing traffic to...
2005 Jul 28
3
Routing for multiple uplinks/providers problem.
Been running this for quite a while and noticed that have intermittent problems getting out. Find that if I ping the same site from 2 computers it may work on one and fail on the other. Also was surprised that some time they are going out different interfaces at the same time. Seems to work all the time from the firewall. Running 2.6.10 kernel with the multipath routing patches on a debian
2006 Apr 08
4
source routing does not work with extra ip addresses
I set up this config: +------+ -+ ISP1 +--+ +------+ | +-------+ +--+ linux | +------+ | +-------+ -+ ISP2 +--+ +------+ No problem. Standard setup with two ISP's. Both routed subnets. Default gateway is ISP1. No magic here. Now I put a server behind the Linux box. I want the server to be reachable on an /extra/ IP in the routed subnet of ISP2. +------+ -+ ISP1
2004 Jan 04
6
HTB filters - pls help me
Hi, we are using HTB algorithm, for traffic shaping, we are facing a problem. we are able to create multiple classes, filters. But when we delete 1 filter all filter gets deleted. how do we avoid that. waiting for your reply Regards Jayesh
2004 Jan 29
1
RE: LARTC digest, Vol 1 #1564 - 6 msgs
..."ip addr > show" will display all IP addresses active on a given interface. > > Traffic control is the last thing performed before turning the packet > over to the device driver and hardware. Similarly, it is the first > thing called on receipt of a packet. See diagrams KPTD [0] and > ebtables packet flow [1]. > > In this case, you can use any number of techniques to identify the > packets with tc tools based on their IP addresses--the convenience of > the aliased interface naming is simply an obstruction of the real path > the packet takes. >...
2004 Jan 15
3
Shaping Device Aliases
Hi. I understand that device aliases (e.g. eth2:3) are not shapeable. Does anybody know if this functionality is planned in the future? Anyway, for the time being the only option that seems to leave is to fwmark packets differently for each device alias and then shape based on that. Is it possible to set multiple marks on the packets? Alternatively, is it possible to check for a specific
2004 Jun 16
6
QOS Script difficulty on bridge
I'm playing with the rather excellent QOS script from Alexander Clouter at http://digriz.org.uk/jdg-qos-script/ So far I am really impressed with it - a very impressive example of the power of linux QOS rules (has pretty much everything in it from the LARTC Howto!) However, the instructions hint that "for QoS to affect locally generated traffic in a non ethernet bridge setup
2004 May 09
2
MARK target question
This is more of a NF question but it is tightly related to LARTC as well. In the following example: -t mangle -A PREROUTING -i eth0 -j MARK 0x1 .... -t mangle -A INPUT -i eth0 -j MARK 0x2 Since MARK is a non-terminating target, what would be the resulting mark on a packet coming from the outside and destined for a local process? Thanks P.S. I agree, the example looks stupid, but on the
2004 Jan 05
1
RE: virtual interface
...a convention from the old days of IP aliasing to have names like eth0:0. > The IP exists and is active on an interface, eth0 in your case. > The short answer is "no". Traffic control occurs just prior to the release of the packet for transmission by the hardware driver. See the KPTD [0]. > > You can however select packets based on many characteristics, so you may be able to accomplish what you need. You'll use characteristics other than the > label "eth0:0". Hi guys, I have this problem too. I have two Internet routers connected to the same Ethe...
2004 Feb 09
1
htb,iptables
Hi all I'm sure you have heard this before but sorry. I wrote a script once and never looked at it again. And as my luck will have it I need it now and it is gone. I'm trying my best to rewrite it :-( My 1st question is: If my server is a gateway and I'm marking packets for iptables should I use OUTPUT,INPUT,PREROUTING,POSTROUTING or FORWARD rules in iptables And If I