Impact of QoS change to FORWARD chain

Firstly a big thank you to whomever added this comment to the Wiki!

In its default state, IPFire’s QoS configuration sets the IMQ_MODE to “PREROUTING.” Due to this, local IP addresses cannot be used to define downstream rules, as the QoS operates on the RED interface, which is processed before NAT. If you find it necessary to use local IP addresses in your downstream rules, you can’t change this via a settings file. Instead, you’ll need to manually edit the Perl script located at /var/ipfire/qos/bin/makeqosscripts.pl. In this script, modify the iptables entry to place the mangle table in the “FORWARD” chain, as opposed to the default “PREROUTING” chain.

I have a media device which (aside from patching its OS) only uses the internet for streaming media. I’d like all its traffic to be put in a specific QoS class for downloads. However because IPFire filters on the PREROUTING chain rather than the FORWARD chain, this isn’t possible by default.

  • What would be the impact of changing the makeqosscripts.pl script so QoS used the FORWARD chain instead please?

IPFire must have been configured to use PREROUTING for a reason.

Thank you!

I made a QoS class for my server, to limit its max bandwidth.

Does anyone know why the QoS configuration uses the PREROUTING chain for traffic coming in (down) rather than the FORWARD chain please?

I expect it’s either a performance or security thing or both. I was hoping to have this clarified as if the risk or performance impact is low, then I’ll change mine to use the FORWARD chain to more easily identify traffic. I’ll also add an explanatory note to the Wiki.

Thank you!
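The Wiki note quoted in the first post and the question about why the downstream rules sit in PREROUTING both come down to netfilter hook order: mangle PREROUTING runs before the NAT hook that rewrites a reply packet's destination back to the LAN host, while FORWARD runs after it. The following is an added toy model of that traversal, not IPFire code and not the IMQ mechanism makeqosscripts.pl uses; the addresses, port, conntrack entry and class id 210 are all constructed for the example.

```python
"""Toy model of the netfilter hook order for an inbound packet on RED.

Constructed example, not IPFire code. It shows why a QoS rule matching a
LAN address works in mangle FORWARD but not in mangle PREROUTING, and that
traffic addressed to the firewall itself never reaches FORWARD at all.
"""
from dataclasses import dataclass, field

RED_IP = "203.0.113.10"   # constructed public address of the firewall
QOS_CLASS_MEDIA = 210     # constructed QoS class id for the media device


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    marks: dict = field(default_factory=dict)  # chain -> class id set there


# Constructed conntrack state: replies to this public port un-NAT to the LAN host.
NAT_TABLE = {(RED_IP, 40001): "192.168.1.50"}


def qos_rule(pkt: Packet, chain: str, match_dst: str) -> None:
    """Model of 'iptables -t mangle -A <chain> -d <match_dst> -j MARK'."""
    if pkt.dst == match_dst:
        pkt.marks[chain] = QOS_CLASS_MEDIA


def traverse(pkt: Packet, chain: str, match_dst: str) -> str:
    """Pass an inbound RED packet through the hooks; return its final chain."""
    if chain == "PREROUTING":
        qos_rule(pkt, "PREROUTING", match_dst)  # still sees the public dst
    lan_host = NAT_TABLE.get((pkt.dst, pkt.dport))  # NAT hook: un-NAT reply
    if lan_host:
        pkt.dst = lan_host
    if pkt.dst == RED_IP:  # routing decision: local delivery
        return "INPUT"     # firewall's own traffic never enters FORWARD
    if chain == "FORWARD":
        qos_rule(pkt, "FORWARD", match_dst)  # now sees the LAN dst
    return "FORWARD"


def classify(chain: str, dport: int, match_dst: str = "192.168.1.50"):
    """Return (final chain, class id set by the QoS rule in `chain`)."""
    pkt = Packet("198.51.100.7", RED_IP, dport)
    final = traverse(pkt, chain, match_dst)
    return final, pkt.marks.get(chain)
```

A rule keyed on the LAN address only matches in FORWARD, while a PREROUTING rule keyed on the RED address still catches the firewall's own downloads, which FORWARD misses.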