On Fri, 2007-08-17 at 17:48 +0300, alex wrote:
> >> According to this advice from 'traffic_shaping.htm':
> >>
> >> Normally, packet marking occurs in the PREROUTING chain before any address
> >> rewriting takes place. This makes it impossible to mark inbound packets
> >> based on their destination address when SNAT or Masquerading are being
> >> used. You can cause packet marking to occur in the FORWARD chain by using
> >> the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
> >>
> >> I MUST use 'MARK_IN_FORWARD_CHAIN=Yes' or the ':F' suffix in a lot of rules
> >> in 'tcrules' if I use NAT/SNAT (configured in the 'masq' file) and want to use
> >> internal (private) IP addresses (or networks) in 'tcrules'.
> >> Do I understand correctly?
> >
> > The only time where the above applies is if you want to mark incoming
> > traffic by its destination IP and you are SNAT/Masquerading.
>
> Destination address is local (not external) IPs?
> And I can want this only for tc-rules for the external interface.
> Am I right?

If the destination address is LOCAL, then the traffic is going out of the
LOCAL interface. So this would only apply if you are shaping the LOCAL
interface.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
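
The effect discussed in this thread, as an added example that is not part of the original messages and is not Shorewall code: a simplified Python model of a reply packet to a masqueraded connection, showing that a destination-based mark rule for a local address misses in PREROUTING and matches in FORWARD. The addresses, port, and function names are constructed for illustration, and the model assumes only the hook order mangle PREROUTING, then NAT rewriting, then mangle FORWARD.

```python
# Simplified model of the netfilter path for a reply packet to a masqueraded
# connection. All addresses and names are constructed sample values.
from dataclasses import dataclass, replace

EXT_IP = "203.0.113.1"       # firewall external address (constructed)
LOCAL_HOST = "192.168.1.10"  # masqueraded internal host (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    mark: int = 0

# Conntrack entry created when LOCAL_HOST:40000 went out via SNAT/masquerade:
# replies addressed to (EXT_IP, 40000) really belong to (LOCAL_HOST, 40000).
CONNTRACK = {(EXT_IP, 40000): (LOCAL_HOST, 40000)}

def mark_rule(pkt, match_dst, mark):
    """Mangle rule: set the mark when the destination address matches."""
    return replace(pkt, mark=mark) if pkt.dst == match_dst else pkt

def un_snat(pkt):
    """Reverse the SNAT for reply packets (the address rewriting step)."""
    orig = CONNTRACK.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=orig[0], dport=orig[1]) if orig else pkt

def traverse(pkt, mark_chain, match_dst=LOCAL_HOST, mark=1):
    """Walk mangle PREROUTING -> NAT rewrite -> mangle FORWARD.
    mark_chain selects where the marking rule lives: 'PREROUTING'
    (the default) or 'FORWARD' (MARK_IN_FORWARD_CHAIN=Yes or ':F')."""
    if mark_chain == "PREROUTING":
        pkt = mark_rule(pkt, match_dst, mark)   # dst is still EXT_IP here
    pkt = un_snat(pkt)                          # address rewriting happens
    if mark_chain == "FORWARD":
        pkt = mark_rule(pkt, match_dst, mark)   # dst is now the local host
    return pkt

# Inbound reply from a remote server, as it arrives on the external interface.
reply = Packet(src="198.51.100.7", dst=EXT_IP, dport=40000)

if __name__ == "__main__":
    for chain in ("PREROUTING", "FORWARD"):
        out = traverse(reply, chain)
        print(f"{chain:10} -> dst={out.dst} mark={out.mark}")
```

The marked packet leaves through the local interface, which is why the mark only matters when shaping that interface.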