NAT interferes with traffic control - Networking



Thread: NAT interferes with traffic control

  1. NAT interferes with traffic control

    I have a tc rule that matches the source address. But it doesn't work on
    masqueraded connections - I guess since the source address is re-written
    to be that of the router itself (this is all on a single router host).

    I would like to match the source address before it is changed by nat.
    Can I put -j MASQUERADE target in a different chain or something? Or do
    I have to resort to "marking" packets?


    >> tc filter add dev eth3 parent 2: protocol ip prio 10 u32 \
         match ip src 10.0.0.8 flowid 2:1

    >> iptables -t nat -A POSTROUTING -s 10.0.0.8 -j MASQUERADE


    >> grep 10.0.0.8 /proc/net/ip_conntrack

    udp 17 176 src=10.0.0.8 dst=69.59.242.89 sport=5061 dport=10000
    packets=1276 bytes=926980 src=69.59.242.89 dst=10.0.0.3 sport=10000
    dport=5061 packets=1273 bytes=489462 [ASSURED] mark=0 use=1

    >> uname -r

    2.6.24-gentoo-r8



    As a workaround I am simply NAT'ing all packets not destined for the
    LAN; any disadvantages to that?

    >> iptables -t nat -A POSTROUTING -d ! 10.0.0.0/8 -j MASQUERADE


  2. Re: NAT interferes with traffic control

    You may use FWMark and the Netfilter/IPTables' mangle table.

    See this link for more information: http://lartc.org/lartc.html#LARTC.NETFILTER

    IMHO, it's the best guide on traffic control.
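The fwmark approach suggested above, worked through as an added example (this is not code from either poster): the mark is set in the mangle table's PREROUTING chain, which runs before nat/POSTROUTING rewrites the source address, and it stays attached to the packet (skb) until the egress qdisc, where the tc `fw` classifier matches it instead of the now-rewritten source IP. The device name eth3, the qdisc handle 2:, class 2:1 and the host 10.0.0.8 are taken from the first post; the mark value 1 and the APPLY switch are assumptions of this script.

```shell
#!/bin/sh
# Added example: classify masqueraded traffic by its pre-NAT source address
# using a firewall mark (fwmark). Not code from the original thread.
#
# Problem recap: a u32 filter on "ip src 10.0.0.8" never matches on eth3,
# because nat/POSTROUTING has already replaced the source with the router's
# address by the time the packet reaches the egress qdisc. A mark set in
# mangle/PREROUTING is carried on the packet itself and survives the rewrite,
# so the tc "fw" classifier can select the class on egress.
#
# Assumptions (not in the original post): mark value 1; an existing root
# qdisc "2:" with class "2:1" on eth3. By default only the commands are
# printed (dry run); set APPLY=1 to execute them as root.

APPLY="${APPLY:-0}"

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Mark packets from a LAN host before NAT touches them. mangle/PREROUTING
# runs on ingress, before nat/POSTROUTING, so -s still sees the real source.
mark_host() {
    host="$1"; mark="$2"
    run iptables -t mangle -A PREROUTING -s "$host" -j MARK --set-mark "$mark"
}

# Masquerade the same host as in the original post. This rule no longer has
# to agree with anything tc matches on, because tc keys on the mark.
masquerade_host() {
    host="$1"
    run iptables -t nat -A POSTROUTING -s "$host" -j MASQUERADE
}

# Steer marked packets into a tc class on the egress device. "handle N fw"
# matches packets whose skb mark equals N, independent of any address rewrite.
classify_mark() {
    dev="$1"; mark="$2"; classid="$3"
    run tc filter add dev "$dev" parent 2: protocol ip prio 10 \
        handle "$mark" fw flowid "$classid"
}

# Show what is in place so the effect can be checked: packet/byte counters on
# the MARK rule and the installed fw filter.
show_state() {
    dev="$1"
    run iptables -t mangle -L PREROUTING -v -n
    run tc -s filter show dev "$dev" parent 2:
}

setup() {
    mark_host 10.0.0.8 1
    masquerade_host 10.0.0.8
    classify_mark eth3 1 2:1
}

setup
show_state eth3
```

After applying, the packet counter on the MARK rule and the `tc -s filter show` statistics should both advance when 10.0.0.8 sends traffic out through eth3. The mark set by `-j MARK` exists only inside this host's kernel and is never written to the wire; if a mark is needed on every packet of a connection (including replies), the CONNMARK target can save and restore it per connection-tracking entry.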
