I'm not sure if this can be done already, but is there a way to MARK packets in the INPUT chain of the mangle table? This is great for ingress traffic shaping for alias interfaces. I'd like to hear of any other ways to achieve this too.
On Thu, 1 May 2003 23:00:24 +0800, <kint@x-tincted.net> wrote:
> I'm not sure if this can be done already, but is there a way to MARK
> packets in the INPUT chain of the mangle table?
>
> This is great for ingress traffic shaping for alias interfaces. I'd like
> to hear of any other ways to achieve this too.

Why don't you mark them in PREROUTING?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
I tried this, but the packet count in the PREROUTING chain didn't rise as fast as in the INPUT chain. PREROUTING count increases by less than 10 while INPUT increases by more than 100 in the same timespan. At this stage I'm simply feeding the packet count into RRDTool.

On Thu, May 01, 2003 at 08:01:40AM -0700, Tom Eastep wrote:
> On Thu, 1 May 2003 23:00:24 +0800, <kint@x-tincted.net> wrote:
>
> > I'm not sure if this can be done already, but is there a way to MARK
> > packets in the INPUT chain of the mangle table?
>
> Why don't you mark them in PREROUTING?
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://www.shorewall.net
> Washington USA    \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Maybe because the mangling of the addresses hasn't yet taken place in PREROUTING? I need to mark the incoming packets based on the alias IP.

On Thu, May 01, 2003 at 11:27:39PM +0800, kint@x-tincted.net wrote:
> I tried this, but the packet count in the PREROUTING chain didn't rise as fast
> as in the INPUT chain. PREROUTING count increases by less than 10 while INPUT
> increases by more than 100 in the same timespan.
> At this stage I'm simply feeding the packet count into RRDTool.
>
> On Thu, May 01, 2003 at 08:01:40AM -0700, Tom Eastep wrote:
> > On Thu, 1 May 2003 23:00:24 +0800, <kint@x-tincted.net> wrote:
> >
> > > I'm not sure if this can be done already, but is there a way to MARK
> > > packets in the INPUT chain of the mangle table?
> >
> > Why don't you mark them in PREROUTING?
> >
> > -Tom
> > --
> > Tom Eastep      \ Shorewall - iptables made easy
> > Shoreline,       \ http://www.shorewall.net
> > Washington USA    \ teastep@shorewall.net
On Thu, 1 May 2003 23:27:39 +0800, <kint@x-tincted.net> wrote:
> I tried this, but the packet count in the PREROUTING chain didn't rise as
> fast as in the INPUT chain. PREROUTING count increases by less than 10 while
> INPUT increases by more than 100 in the same timespan.
> At this stage I'm simply feeding the packet count into RRDTool.

Better check that -- INPUT is a subset of PREROUTING.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On Thu, 1 May 2003 23:36:06 +0800, <kint@x-tincted.net> wrote:
> Maybe because the mangling of the addresses hasn't yet taken place in
> PREROUTING?
> I need to mark the incoming packets based on the alias IP.

The INPUT chain receives only part of the traffic from the PREROUTING chain. PREROUTING receives ALL packets; those destined for the firewall system itself are then passed to the INPUT chain while those destined for other hosts are passed to the FORWARD chain. The INPUT and FORWARD chains are traversed after DNAT occurs but before SNAT.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
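The chain layout Tom describes, as an added example that is not part of the thread or of Shorewall: the mark rule installed in mangle PREROUTING for one alias address, plus a counter check that catches the symptom reported above (an INPUT count that outgrows the PREROUTING count, which cannot be a real traffic difference). The alias IP, the mark value and the sample counter output are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Marks ingress packets for one
# alias IP in mangle PREROUTING (as Tom suggests) and sanity-checks the
# PREROUTING vs INPUT counters. ALIAS_IP and MARK are hypothetical values.
ALIAS_IP="${ALIAS_IP:-192.0.2.10}"
MARK="${MARK:-0x10}"

# Print the rules. PREROUTING sees every packet before the routing decision,
# so matching the alias as destination there counts everything addressed to
# it, whether it later goes to INPUT (local delivery) or FORWARD (other
# hosts). The identical INPUT rule exists only so the counters can be compared.
mark_rules() {
    printf 'iptables -t mangle -A PREROUTING -d %s -j MARK --set-mark %s\n' "$ALIAS_IP" "$MARK"
    printf 'iptables -t mangle -A INPUT -d %s -j MARK --set-mark %s\n' "$ALIAS_IP" "$MARK"
}

# Packet counter of the rule whose destination column is $2, read from the
# output of "iptables -t mangle -vnxL <chain>" passed as $1 (columns: pkts
# bytes target prot opt in out source destination). Prints 0 if absent.
alias_pkts() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 ~ /^[0-9]+$/ && $9 == ip { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# INPUT is a subset of PREROUTING, so INPUT > PREROUTING means the two rules
# do not match the same packets (wrong address, rule added later, counters
# zeroed at different times), not that PREROUTING misses traffic.
check_counts() {
    pre=$1; inp=$2
    if [ "$inp" -gt "$pre" ]; then
        echo "inconsistent: INPUT=$inp > PREROUTING=$pre"
    else
        echo "ok: PREROUTING=$pre INPUT=$inp other=$((pre - inp))"
    fi
}

# Constructed sample of "iptables -t mangle -vnxL" output for both chains.
# On a live box: alias_pkts "$(iptables -t mangle -vnxL PREROUTING)" "$ALIAS_IP"
SAMPLE_PRE='Chain PREROUTING (policy ACCEPT 5130 packets, 3881200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     140   120400 MARK       all  --  *      *       0.0.0.0/0            192.0.2.10           MARK set 0x10'
SAMPLE_IN='Chain INPUT (policy ACCEPT 2210 packets, 1730500 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      95    81200 MARK       all  --  *      *       0.0.0.0/0            192.0.2.10           MARK set 0x10'

mark_rules
check_counts "$(alias_pkts "$SAMPLE_PRE" "$ALIAS_IP")" "$(alias_pkts "$SAMPLE_IN" "$ALIAS_IP")"
```

The difference between the two counters is the share of the alias traffic that went to FORWARD (or was dropped before INPUT), which is why PREROUTING is the place to mark if the shaping should see all of it.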