Edoras
newbie
Topic Author
Posts: 32
Joined: Wed Apr 05, 2006 12:03 am
Location: Prague, Czech rep.

Mark packet for queue-tree shaping, combined with masquerade

Thu Aug 09, 2007 11:52 pm

I have an Internet gateway. On that computer I want to do masquerade and traffic shaping together.

In the 1st version of the firewall I mark packets in a new chain:
The first 2 lines jump to one of two chains.
In every chain I marked the connection and then marked the packet.
Finally I did masquerade.
(I have created in the queue tree a queue for packet mark 10.89.90.100)
ip firewall mangle add chain=prerouting src-address=10.89.0.0/16 action=jump jump-target=qos_out
ip firewall mangle add chain=prerouting dst-address=10.89.0.0/16 action=jump jump-target=qos_in
ip firewall mangle add chain=qos_out src-address=10.89.90.100 action=mark-connection new-connection-mark=10.89.90.100 passthrough=yes
ip firewall mangle add chain=qos_out connection-mark=10.89.90.100 action=mark-packet new-packet-mark=10.89.90.100 passthrough=no
ip firewall mangle add chain=qos_in dst-address=10.89.90.100 action=mark-connection new-connection-mark=10.89.90.100 passthrough=yes
ip firewall mangle add chain=qos_in connection-mark=10.89.90.100 action=mark-packet new-packet-mark=10.89.90.100 passthrough=no
ip firewall nat add chain=srcnat src-address=10.89.0.0/16 dst-address=!10.89.0.0/16 action=masquerade
It works very strangely and the user was not limited by the queue.
Then I experimented and did a very easy thing ... I moved the rules for packet-mark out of the chains "qos_in" and "qos_out" and placed them directly in the chain "prerouting".
ip firewall mangle add chain=prerouting src-address=10.89.0.0/16 action=jump jump-target=qos_out
ip firewall mangle add chain=prerouting dst-address=10.89.0.0/16 action=jump jump-target=qos_in
ip firewall mangle add chain=qos_out src-address=10.89.90.100 action=mark-connection new-connection-mark=10.89.90.100 passthrough=yes
ip firewall mangle add chain=qos_in dst-address=10.89.90.100 action=mark-connection new-connection-mark=10.89.90.100 passthrough=yes
ip firewall mangle add chain=prerouting connection-mark=10.89.90.100 action=mark-packet new-packet-mark=10.89.90.100 passthrough=no
ip firewall nat add chain=srcnat src-address=10.89.0.0/16 dst-address=!10.89.0.0/16 action=masquerade
And it works correctly.
My question is, WHY???
Why can I not have the mark connection rule placed in a new chain; why must it be placed directly in the prerouting chain? Or did I make any other mistake?
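Added example, not part of the post above and not MikroTik code: a small Python model of how the two mangle rule sets treat one masqueraded TCP connection. The rules are parsed straight from the CLI lines in the post. Everything else is an assumption of the model: the gateway's public address 203.0.113.1 and the remote host 198.51.100.10 are constructed; a reply packet from the Internet is fed to mangle prerouting with the gateway's public address as its destination (reverse masquerade applied after mangle prerouting, as in the RouterOS packet flow); passthrough=no is modelled as ending prerouting mangle processing for that packet; and a jump chain that reaches its end returns to the next rule of the calling chain. The helpers parse_rule, run_chain and simulate are mine.

```python
import ipaddress

# Constructed addresses (not from the post).
HOST = "10.89.90.100"        # the LAN user whose queue is 10.89.90.100
PUBLIC_IP = "203.0.113.1"    # gateway's masquerade address (assumed)
REMOTE = "198.51.100.10"     # some Internet server (assumed)

# Rule sets copied verbatim from the post; nat lines are kept but ignored.
RULESET_V1 = [
    "ip firewall mangle add chain=prerouting src-address=10.89.0.0/16 action=jump jump-target=qos_out",
    "ip firewall mangle add chain=prerouting dst-address=10.89.0.0/16 action=jump jump-target=qos_in",
    "ip firewall mangle add chain=qos_out src-address=10.89.90.100 action=mark-connection new-connection-mark=10.89.90.100 passthrough=yes",
    "ip firewall mangle add chain=qos_out connection-mark=10.89.90.100 action=mark-packet new-packet-mark=10.89.90.100 passthrough=no",
    "ip firewall mangle add chain=qos_in dst-address=10.89.90.100 action=mark-connection new-connection-mark=10.89.90.100 passthrough=yes",
    "ip firewall mangle add chain=qos_in connection-mark=10.89.90.100 action=mark-packet new-packet-mark=10.89.90.100 passthrough=no",
    "ip firewall nat add chain=srcnat src-address=10.89.0.0/16 dst-address=!10.89.0.0/16 action=masquerade",
]
RULESET_V2 = [
    "ip firewall mangle add chain=prerouting src-address=10.89.0.0/16 action=jump jump-target=qos_out",
    "ip firewall mangle add chain=prerouting dst-address=10.89.0.0/16 action=jump jump-target=qos_in",
    "ip firewall mangle add chain=qos_out src-address=10.89.90.100 action=mark-connection new-connection-mark=10.89.90.100 passthrough=yes",
    "ip firewall mangle add chain=qos_in dst-address=10.89.90.100 action=mark-connection new-connection-mark=10.89.90.100 passthrough=yes",
    "ip firewall mangle add chain=prerouting connection-mark=10.89.90.100 action=mark-packet new-packet-mark=10.89.90.100 passthrough=no",
    "ip firewall nat add chain=srcnat src-address=10.89.0.0/16 dst-address=!10.89.0.0/16 action=masquerade",
]

# One connection as mangle prerouting sees it (assumed model): outbound packets
# carry the LAN source; replies arrive addressed to the gateway's public IP,
# because reverse masquerade has not yet been applied at that point.
FLOW = [(HOST, REMOTE), (REMOTE, PUBLIC_IP), (HOST, REMOTE), (REMOTE, PUBLIC_IP)]


def parse_rule(line):
    """Turn 'ip firewall mangle add k=v k=v ...' into a dict of its parameters."""
    rule = {}
    for tok in line.split()[4:]:          # skip "ip firewall mangle add"
        key, _, value = tok.partition("=")
        rule[key] = value
    rule["passthrough"] = rule.get("passthrough", "yes") == "yes"
    return rule


def addr_match(addr, spec):
    """Match an address against a RouterOS address spec ('1.2.3.4', 'net/len', '!net/len')."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def run_chain(rules, chain, pkt, conn):
    """Walk one chain top to bottom; return True when processing must stop (passthrough=no)."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if "src-address" in r and not addr_match(pkt["src"], r["src-address"]):
            continue
        if "dst-address" in r and not addr_match(pkt["dst"], r["dst-address"]):
            continue
        if "connection-mark" in r and conn.get("mark") != r["connection-mark"]:
            continue
        action = r["action"]
        if action == "jump":
            if run_chain(rules, r["jump-target"], pkt, conn):
                return True               # stop propagates out of the jump
            # otherwise the jumped chain ended: continue with the next rule here
        elif action == "mark-connection":
            conn["mark"] = r["new-connection-mark"]   # sticks to the whole connection
            if not r["passthrough"]:
                return True
        elif action == "mark-packet":
            pkt["mark"] = r["new-packet-mark"]        # per packet; this is what the queue tree sees
            if not r["passthrough"]:
                return True
    return False


def simulate(cli_lines, flow):
    """Run every packet of one connection through mangle prerouting; return its packet marks."""
    rules = [parse_rule(l) for l in cli_lines if " mangle " in l]
    conn = {}                             # connection-tracking entry shared by all packets
    marks = []
    for src, dst in flow:
        pkt = {"src": src, "dst": dst, "mark": None}
        run_chain(rules, "prerouting", pkt, conn)
        marks.append(pkt["mark"])
    return marks


if __name__ == "__main__":
    print("v1:", simulate(RULESET_V1, FLOW))   # replies never get a packet mark
    print("v2:", simulate(RULESET_V2, FLOW))   # every packet of the connection is marked
```

Under these assumptions the model reproduces what the post observed: in the first rule set the replies never enter qos_in, because the jump into qos_in requires dst-address in 10.89.0.0/16 and a reply to a masqueraded connection does not carry a LAN destination in mangle prerouting, so only the upload half of the connection reaches the queue. In the second rule set the mark-packet rule sits in prerouting and matches on connection-mark alone, so the reply is marked even though its destination address has not been translated back yet.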
