[Fwd: [LARTC] Re: iptables diagram]

Ing. Pavel PaJaSoft Janousek janousek na fonet.cz
Thursday June 20 08:52:14 CEST 2002


	I think this post has very high informational value and may come in handy
for plenty of admins who are tinkering with this (especially the very neatly
drawn routing diagram)... forwarding it from the LARTC list... (Linux Advanced
Routing...)

-------- Original Message --------
From: Leonardo Balliache <leoball na opalsoft.net>
  > Note also that after FORWARD there is no routing decision :)))

[snip]

Ok, but in FORWARD itself?

I read this in an article from Saravanan Radhakrishnan; the ** are mine.

"The basic principle involved in the implementation of QoS in linux is
shown in Figure 1. This figure shows how the kernel processes incoming
packets, and how it generates packets to be sent to the network. The
input de-multiplexer examines the incoming packets to determine if the
packets are destined for the local node. If so, they are sent to the
higher layer for further processing. If not, it sends the packets to the
forwarding block. ** The forwarding block, which may also received locally
generated packets from the higher layer **, looks up the routing table and
determines the next hop for the packet. After this, it queues the packets
to be transmitted on the output interface. It is at this point that the
linux traffic control comes into play. Linux traffic control can be used
to build a complex combination of queuing disciplines, classes and
filters that control the packets that are sent on the output interface."

                             +---------------+
                       +---->| TCP, UDP, ... |
                       |     +---------------+
                       |             |            TRAFFIC CONTROL
                       |             v                  |
     +---------------------+   +------------+   +----------------+
  -->|Input de-multiplexing|-->| Forwarding |-->| Output queuing |-->
     +---------------------+   +------------+   +----------------+

                                 Figure 1

An another article from Werner Almesberger, Jamal Hadi Salim and
Alexey Kuznetsov says:

""Forwarding" includes the selection of the output interface, the selection
of the next hop, encapsulation, etc. Once all this is done, packets are
queued on the respective output interface. This is the point where traffic
control comes into play. Traffic control can, among other things, decide
if packets are queued or if they are dropped (e.g. if the queue has reached
some length limit, or if the traffic exceeds some rate limit), it can decide
in which order packets are sent (e.g. to give priority to certain flows),
it can delay the sending of packets (e.g. to limit the rate of outbound
traffic), etc."

With all this info I'm trying an improved diagram:


                                     Network
                             -----------+-----------
                                        |
                                +-------+------+
                                |    mangle    |
                                |  PREROUTING  | <- MARK REWRITE
                                +-------+------+
                                        |
                                +-------+------+    Policy rule database
                                |     PRDB     | <- controlled by ip rule
                                +-------+------+
                                        |
                                +-------+------+
                                |      nat     |
                                |  PREROUTING  | <- DEST REWRITE
                                +-------+------+
                                        |
                 packet is for  +-------+------+ packet is for
                 this address   |     INPUT    | another address
                 +--------------+    ROUTING   +---------------+
                 |              +--------------+               |
         +-------+------+                                      |
         |    filter    |                                      |
         |    INPUT     |                                      |
         +-------+------+                                      |
                 |                                             |
         +-------+------+                                      |
         |    Local     |                                      |
         |   Process    |                                      |
         +-------+------+                                      |
                 |                                             |
         +-------+------+                                      |
         |    OUTPUT    |                              +-------+-------+
         |    ROUTING   |                              |    filter     |
         +-------+------+                              |    FORWARD    |
                 |                                     +-------+-------+
         +-------+------+                                      |
         |    mangle    |                                      |
         |    OUTPUT    | MARK REWRITE                         |
         +-------+------+                                      |
                 |                                             |
         +-------+------+                                      |
         |     nat      |                                      |
         |    OUTPUT    | DEST REWRITE                         |
         +-------+------+                                      |
                 |                                             |
         +-------+------+                                      |
         |    filter    |                                      |
         |    OUTPUT    |                                      |
         +-------+------+                                      |
                 |                                             |
                 |                                             |
                 +----------------+       +--------------------+
                                  |       |
                                  |       |
                               +--+-------+---+
                               |              | selection of the output interface,
                               |  FORWARDING  | selection of the next hop,
                               +-------+------+ encapsulation, etc.
                                       |
                                       |
                               +-------+------+
                               |     nat      |
                               | POSTROUTING  | SOURCE REWRITE
                               +-------+------+
                                       |
                                       |
                               +-------+------+
                               |   TRAFFIC    |
                               |    QUEUE     | <- controlled by tc
                               +-------+------+
                                       |
                                       |
                            -----------+-----------
                                    Network

I use these tools: iproute2, iptables, cipe, lvs and tc. It would be very
pedagogic to have a diagram showing how a packet traverses the kernel and
which tool controls each block of the diagram.

Thanks a lot for your explanation; also excuse me for bothering you.

Best regards,

Leonardo Balliache

_______________________________________________
LARTC mailing list / LARTC na mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

-----------------------------------------------------------------------
Ing. Pavel Janousek (PaJaSoft)                 FoNet, spol. s r. o.
Vyvoj software, Intranet / Internet          Sokolova 67, 619 00 Brno
E-mail: mailto:Janousek na FoNet.Cz             Tel.: +420  5  4324 4749
SMS:    mailto:P.Janousek na SMS.Paegas.Cz      Fax.: +420  5  4324 4751
WWW:    http://WWW.FoNet.Cz/               E-mail: mailto:Info na FoNet.Cz
-----------------------------------------------------------------------
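Added example (not part of the forwarded thread or the LARTC HOWTO): a small Python model of the packet walk drawn in the improved diagram above. It encodes only the order of the blocks and which tool owns each one (iptables for the mangle/nat/filter chains, ip rule for the PRDB, ip route for the routing decisions, tc for the output queue). All addresses, marks and rule tables are constructed sample data, not real iptables/ip/tc syntax, and the rule lookups are deliberately simplified to a single match key per block. It shows three consequences of the ordering that the diagram implies but does not spell out: the routing decision sees the destination as rewritten by nat PREROUTING, the fwmark set in mangle PREROUTING is what ip rule selects on, and filter FORWARD sees the original source because SNAT only happens in nat POSTROUTING.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample configuration for this example (hypothetical host).
LOCAL_ADDRS = {"192.0.2.1", "192.0.2.2"}           # this host's own addresses
MANGLE_PREROUTING = {"198.51.100.7": 1}             # src -> fwmark   (iptables -t mangle, MARK)
POLICY_RULES = {1: "vpn"}                           # fwmark -> table (ip rule); default "main"
NAT_PREROUTING = {"192.0.2.2": "10.0.0.5"}          # dst -> new dst  (iptables -t nat, DNAT)
FILTER_FORWARD_ACCEPT = {"10.0.0.5"}                # forwardable dsts (iptables filter FORWARD)
ROUTE_TABLES = {"main": "eth0", "vpn": "cipe0"}     # table -> default output interface (ip route)
NAT_POSTROUTING = {"cipe0": "203.0.113.9"}          # out iface -> new src (iptables -t nat, SNAT)
TC_QDISC = {"eth0": "pfifo_fast", "cipe0": "htb"}   # out iface -> root qdisc (tc qdisc)


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0
    table: str = "main"
    out_if: Optional[str] = None
    verdict: str = "in flight"
    trace: list = field(default_factory=list)   # (block, controlling tool, note)

    def hop(self, block: str, tool: str, note: str) -> None:
        self.trace.append((block, tool, note))


def walk(src: str, dst: str) -> Packet:
    """Run one packet through the blocks in the order the diagram draws them."""
    p = Packet(src, dst)

    p.mark = MANGLE_PREROUTING.get(p.src, 0)
    p.hop("mangle PREROUTING", "iptables -t mangle", f"mark={p.mark}")

    # The policy rule database selects a routing table on the mark just set.
    p.table = POLICY_RULES.get(p.mark, "main")
    p.hop("PRDB", "ip rule", f"table={p.table}")

    p.dst = NAT_PREROUTING.get(p.dst, p.dst)
    p.hop("nat PREROUTING", "iptables -t nat", f"dst={p.dst}")

    # The input routing decision sees the *rewritten* destination.
    if p.dst in LOCAL_ADDRS:
        p.hop("INPUT ROUTING", "ip route", "local")
        p.hop("filter INPUT", "iptables", "ACCEPT")
        p.verdict = "delivered to local process"
        p.hop("Local Process", "-", p.verdict)
        return p

    p.hop("INPUT ROUTING", "ip route", "forward")
    # filter FORWARD still sees the original source address (no SNAT yet).
    if p.dst not in FILTER_FORWARD_ACCEPT:
        p.verdict = "DROP"
        p.hop("filter FORWARD", "iptables", p.verdict)
        return p
    p.hop("filter FORWARD", "iptables", "ACCEPT")

    # No second routing decision after FORWARD: the table chosen at the PRDB
    # stage determines the output interface.
    p.out_if = ROUTE_TABLES[p.table]
    p.hop("FORWARDING", "ip route", f"out={p.out_if}")

    p.src = NAT_POSTROUTING.get(p.out_if, p.src)
    p.hop("nat POSTROUTING", "iptables -t nat", f"src={p.src}")

    p.verdict = f"queued on {p.out_if} ({TC_QDISC[p.out_if]})"
    p.hop("TRAFFIC QUEUE", "tc", p.verdict)
    return p


def blocks(p: Packet) -> list:
    """Names of the blocks the packet visited, in order."""
    return [b for b, _, _ in p.trace]


if __name__ == "__main__":
    samples = [("198.51.100.7", "192.0.2.2"),   # marked, DNATed, forwarded over cipe0, SNATed
               ("203.0.113.50", "192.0.2.1"),   # plain packet for this host
               ("203.0.113.50", "192.0.2.2"),   # DNATed VIP, forwarded over eth0
               ("198.51.100.7", "10.0.0.9")]    # not allowed through FORWARD
    for s, d in samples:
        p = walk(s, d)
        print(f"{s} -> {d}: {p.verdict}")
        for block, tool, note in p.trace:
            print(f"   {block:18s} [{tool:18s}] {note}")
```

Running the script prints one trace per sample packet; the packet from the marked source ends up on cipe0 with its source rewritten, while the same destination from an unmarked source leaves via eth0 untouched, which is exactly the interplay of mangle PREROUTING, ip rule and nat POSTROUTING the diagram places in that order.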
