* Multiple mangling
@ 2013-11-11 20:45 Nikolai Lusan
  2013-11-13 16:07 ` Humberto Jucá
  0 siblings, 1 reply; 2+ messages in thread
From: Nikolai Lusan @ 2013-11-11 20:45 UTC (permalink / raw)
  To: netfilter

Greetings all,

I am at the point in writing my "new and improved"(tm) firewall where I
am adding QoS. I am marking the packets in the MANGLE table with DSCP
values, but I also want to mark packets again so that my iproute2 qdiscs
can have an easier time handling them. This requires that I mark the
packets twice (i.e. once with "-j DSCP --set-dscp-class AF32", and again
with "-j MARK --set-mark 6"). 

The question is: can I do this with consecutive rules in the MANGLE
table? What is the behaviour once a packet has matched a rule in one of
the MANGLE table chains? Does it continue to drop through? Does it
effect a RETURN? 


Thanks in advance.
-- 
Nikolai Lusan <nikolai@lusan.id.au>


* Re: Multiple mangling
  2013-11-11 20:45 Multiple mangling Nikolai Lusan
@ 2013-11-13 16:07 ` Humberto Jucá
  0 siblings, 0 replies; 2+ messages in thread
From: Humberto Jucá @ 2013-11-13 16:07 UTC (permalink / raw)
  To: Nikolai Lusan, netfilter

Hi,

The DSCP and CONNMARK/MARK targets are not decisive.
The last rule processing determines what will be done with the packet.

Both controls can coexist.
The markings (MARK) are made internally (by conntrack) - it's a local
control (only your kernel works with this).
And the DSCP is set in the IP header (in the address space of the TOS).

Thus, other routers on the network can open the ip packet and identify
the DSCP value that you set.



2013/11/11 Nikolai Lusan <nikolai@lusan.id.au>:
> Greetings all,
>
> I am at the point in writing my "new and improved"(tm) firewall where I
> am adding QoS. I am marking the packets in the MANGLE table with DSCP
> values, but I also want to mark packets again so that my iproute2 qdiscs
> can have an easier time handling them. This requires that I mark the
> packets twice (i.e. once with "-j DSCP --set-dscp-class AF32", and again
> with "-j MARK --set-mark 6").
>
> The question is: can I do this with consecutive rules in the MANGLE
> table? What is the behaviour once a packet has matched a rule in one of
> the MANGLE table chains? Does it continue to drop through? Does it
> effect a RETURN?
>
>
> Thanks in advance.
> --
> Nikolai Lusan <nikolai@lusan.id.au>
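
A small model of the behaviour discussed in this thread, added here as an example and not taken from either message or from netfilter's code: DSCP and MARK are non-terminating targets, so consecutive rules both apply, and only the DSCP rule changes bytes in the IP header. The rule tuples, `traverse`, `set_dscp` and the sample header are constructed for illustration.

```python
import struct

AF32 = 28                           # DSCP class AF32 = 0b011100 (RFC 2597)
NON_TERMINATING = {"DSCP", "MARK"}  # traversal continues at the next rule

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 ones' complement checksum over an IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def set_dscp(hdr: bytearray, dscp: int) -> None:
    # DSCP is the upper 6 bits of the former TOS byte; keep the 2 ECN bits.
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))

def traverse(rules, hdr: bytearray):
    """Walk one chain (model only); return (verdict, fwmark, targets hit)."""
    fwmark, hit = 0, []
    for match, target, arg in rules:
        if not match(hdr):
            continue
        hit.append(target)
        if target == "DSCP":
            set_dscp(hdr, arg)      # visible on the wire
        elif target == "MARK":
            fwmark = arg            # packet metadata only, never written to hdr
        if target not in NON_TERMINATING:
            return target, fwmark, hit
    return "POLICY", fwmark, hit

def sample_header() -> bytearray:
    # Constructed 20-byte IPv4 header: TCP, 192.0.2.1 -> 198.51.100.7, ECN bit set
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0x01, 40, 1, 0, 64, 6, 0,
                              bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return h

def is_tcp(hdr) -> bool:
    return hdr[9] == 6

# Same order as in the question: DSCP rule, then MARK rule, then a verdict.
CHAIN = [(is_tcp, "DSCP", AF32), (is_tcp, "MARK", 6), (is_tcp, "ACCEPT", None)]

if __name__ == "__main__":
    hdr = sample_header()
    print(traverse(CHAIN, hdr), hex(hdr[1]))
```

In this model, moving a terminating target such as ACCEPT between the two rules stops traversal before the MARK rule is reached, so the packet keeps its DSCP value but gets no mark.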
