I’ve been reading the docs and wiki and I think I understand correctly that there is an order of mangle chain processing, but I’m not sure how these go in order: Prerouting, Input, Forward, Output, Postrouting.
The reason I’m asking is here’s what I’d like to do. First I want to process the traffic with mangle rules to add packet marks according to MAC addresses (marking traffic from certain MAC addresses “users1”, traffic from other MAC addresses “users2”), then send “users1” traffic directly to the queues with no more mangle actions, but take “users2” traffic and do bandwidth management by using mangle rules based on ports and L7 so I can feed that data into certain queues based on packet marks.
I’d like to understand the order of traffic flow through the chains better. Does all traffic pass all five chains unless there is a jump?
Another question which I think is still on topic is: can one have multiple mangle rules with “passthrough” checked in a given chain so that the traffic will pass through all of them (if it qualifies, of course)? For example, could I do all I want above with just one chain using passthrough? Using all forward chain rules, for example: at the top of the list of rules have the MAC address based rules that would add the appropriate connection marks, and then lower down in the forward chain rules have the port/L7 based rules which would add packet marks? What’s the best way as far as operation and also understandability (being able to look at the rules and know what’s going on)?
All packets go through prerouting, then through either input, output or forward depending on whether they’re directed directly at the router, are generated by the router or are flowing through the router, and then go through postrouting. A packet will never go through more than one of input, output and forward. Prerouting does the destination NAT, which might change the chain that the packet will go through (but it hasn’t gone through it yet); postrouting does the source NAT, and by then the chains have already been processed.
Thanks so much! Is there someplace that describes the connection between input, output and forward and whether or not the packet is directed directly at the router, is generated by the router or is flowing through the router? I’d like to know if my packets are going to be where my rules are.
Right now I’m using the MAC address based rules in the prerouting and then the port/L7 based rules in forward. Does that sound right? Will the stuff I tag in prerouting pass through forward or might it go another way?
Is it better to do it all in one chain with passthrough?
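A worked configuration of the layout discussed in this thread (MAC-based connection marks in prerouting, port-based packet marks in forward, one queue per packet mark), added here as an example and not taken from any post above; it assumes RouterOS v6 syntax, a LAN bridge named bridge-lan, and constructed MAC addresses for the two user groups.

```routeros
# Added example, not from the thread. Assumptions: RouterOS v6, LAN bridge
# "bridge-lan", made-up MAC addresses 00:11:22:33:44:01 (users1) and
# 00:11:22:33:44:02 (users2).
/ip firewall mangle
# Step 1 - prerouting: every packet enters here first, so classify by MAC here.
# Mark the *connection* rather than the packet so the whole flow, including
# replies coming back from the WAN, carries the group label.
add chain=prerouting in-interface=bridge-lan src-mac-address=00:11:22:33:44:01 \
    connection-state=new action=mark-connection new-connection-mark=users1 passthrough=yes
add chain=prerouting in-interface=bridge-lan src-mac-address=00:11:22:33:44:02 \
    connection-state=new action=mark-connection new-connection-mark=users2 passthrough=yes
# Step 2 - still prerouting: users1 gets its packet mark immediately.
# passthrough=no stops further rules in *this* chain only; the packet still
# enters forward afterwards, where no rule matches connection-mark=users1.
add chain=prerouting connection-mark=users1 action=mark-packet \
    new-packet-mark=users1-pkt passthrough=no
# Step 3 - forward: only traffic transiting the router arrives here, which is
# exactly the LAN<->WAN flows to shape. Rules run top to bottom; the first
# match with passthrough=no ends mangle processing for this chain.
# dst-port matches the client-to-server direction; add src-port rules (or
# match both) if the reply direction needs its own mark.
add chain=forward connection-mark=users2 protocol=tcp dst-port=80,443 \
    action=mark-packet new-packet-mark=users2-web passthrough=no
add chain=forward connection-mark=users2 protocol=udp dst-port=53 \
    action=mark-packet new-packet-mark=users2-dns passthrough=no
# A layer7-protocol=<name> match slots in here the same way, provided the
# entry exists under /ip firewall layer7-protocol (not defined in this example).
add chain=forward connection-mark=users2 action=mark-packet \
    new-packet-mark=users2-other passthrough=no
# Step 4 - queue tree keyed on the packet marks set above.
/queue tree
add name=users1 parent=global packet-mark=users1-pkt max-limit=50M
add name=users2-web parent=global packet-mark=users2-web max-limit=10M priority=3
add name=users2-dns parent=global packet-mark=users2-dns max-limit=1M priority=1
add name=users2-other parent=global packet-mark=users2-other max-limit=5M priority=8
```

Verify the marks with `/ip firewall connection print` (connection marks) and the rule counters in `/ip firewall mangle print stats`; a users1 packet should increment only the prerouting rules, a users2 packet one prerouting rule plus exactly one forward rule.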