NetBSD-Users archive


altq filter acts before or after npf NAPT?

Consider a NetBSD 9.0 (release) system using both npf and altqd. This
machine has two NICs and it is a gateway. First NIC is connected to a
LAN, with multiple hosts, and second NIC is connected to the modem.
With npf, the following is applied:

map $if_second_nic dynamic $internal_lan -> $second_nic_ipv4

This is a NAPT, so when a packet from a LAN host is outgoing from the
second NIC, its source address is mapped into the second NIC's IP.

One of the few (or maybe the only) examples about altqd configuration
is here:


It creates this filter:

filter bge0 high_class 0 0 0 0 17

where the third `0' means `any source IP address'. Assume that bge0 is
the second NIC. This is for packets outgoing from it.

Does altqd act:
1) before
2) after npf?

Because in case 1) the `source IP address' will be that of the LAN
host that generated the packet, which is the real source IP address of
that packet.
Instead, in case 2), any packet outgoing from bge0 will always have
bge0's IP address, thus making any source IP distinction between the
packets in this filter impossible.
Does anyone know which is the case?
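
The two cases in the question above can be modelled offline. This is an added example, not part of the original post and not NetBSD code, and it does not determine which ordering NetBSD uses: it only shows what each ordering would mean for source-address filters. The field order `dst_addr dport src_addr sport proto`, the per-host filter lines, the first-match rule, `default_class` and all addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int

def parse_filter(line):
    # Assumed field order: filter <if> <class> dst_addr dport src_addr sport proto
    kw, ifname, cls, dst, dport, src, sport, proto = line.split()
    if kw != "filter":
        raise ValueError("not a filter line: " + line)
    return {"if": ifname, "class": cls, "dst": dst, "dport": int(dport),
            "src": src, "sport": int(sport), "proto": int(proto)}

def matches(f, p):
    # A value of 0 is a wildcard, as in the post's filter line.
    def addr_ok(want, have):
        return want == "0" or ipaddress.ip_address(want) == ipaddress.ip_address(have)
    def num_ok(want, have):
        return want == 0 or want == have
    return (addr_ok(f["dst"], p.dst) and num_ok(f["dport"], p.dport)
            and addr_ok(f["src"], p.src) and num_ok(f["sport"], p.sport)
            and num_ok(f["proto"], p.proto))

def classify(filters, p, default="default_class"):
    # Model assumption: first matching filter wins, otherwise the default class.
    return next((f["class"] for f in filters if matches(f, p)), default)

def napt(p, wan_ip, new_sport):
    # Model of the npf map rule: rewrite source address and port on egress.
    return replace(p, src=wan_ip, sport=new_sport)

# Constructed sample values (documentation address ranges), not from the post.
WAN_IP = "203.0.113.5"
PER_HOST = [parse_filter("filter bge0 high_class 0 0 192.168.1.10 0 17"),
            parse_filter("filter bge0 low_class 0 0 192.168.1.20 0 17")]
POSTED = [parse_filter("filter bge0 high_class 0 0 0 0 17")]

def compare(filters, p):
    # Returns (class if altq sees the packet before NAPT, class if after).
    return classify(filters, p), classify(filters, napt(p, WAN_IP, 40000))

if __name__ == "__main__":
    for host in ("192.168.1.10", "192.168.1.20"):
        pkt = Packet(host, 5000, "198.51.100.7", 53, 17)
        print(host, compare(PER_HOST, pkt), compare(POSTED, pkt))
```

The wildcard filter from the post classifies identically under both orderings; only filters that name a LAN source address behave differently.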

