Question about nth matching

Question about nth matching

[linux]

Hi,

I am using the nth patch to perform load balancing for outgoing traffic, specifically these are packets that are generated on the firewall itself (not forwarded traffic).

In order to do this I have used ip route 2 to set up two different routing tables, then I use netfilter to set the MARK so that alternate packets are sent to alternate links.

In order to do this I use the following rules:

iptables -t mangle -A OUTPUT -d 10.1.1.1 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d 10.1.1.1 -m nth --every 2 -j MARK --set mark 2

Using the above rules everything appears to be fine, however this style can get messy if you have more than two links so I tried to use the following style:


iptables -t mangle -A OUTPUT -d 10.1.1.1 -m nth --every 2 --packet 0 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d 10.1.1.1 -m nth --every 2 --packet 1 -j MARK --set-mark 2

This does not work (it appears that neither mark is set - although I am not certain of this).

Can anyone point me in the right direction in order to get the second case working?

TIA,
David

Notes:
Kernel 2.4.20
Iptables 1.2.7a

Both the kernel and iptables have had a few patches applied although I don’t think this is the cause of the problem.

I have read that sending alternate packets over different links is not always a good idea because it can lead to packets arriving at the destination host in the wrong order. I have been told that this is not a problem for Linux, but some other OS don’t like it, so I have restricted the balancing rules to a host that I know runs Linux.
This is the reason for the –d 10.1.1.1 (on my firewall 10.1.1.1 is replaced with the real IP).

Question about Nth matching

[David Trott]

Hi,

I am using the nth patch to perform load balancing for outgoing traffic, specifically these are packets that are generated on the firewall itself (not forwarded traffic).

In order to do this I have used ip route 2 to set up two different routing tables, then I use netfilter to set the MARK so that alternate packets are sent to alternate links.

In order to do this I use the following rules:

iptables -t mangle -A OUTPUT -d 10.1.1.1 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d 10.1.1.1 -m nth --every 2 -j MARK --set mark 2

Using the above rules everything appears to be fine, however this style can get messy if you have more than two links so I tried to use the following style:

iptables -t mangle -A OUTPUT -d 10.1.1.1 -m nth --every 2 --packet 0 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d 10.1.1.1 -m nth --every 2 --packet 1 -j MARK --set-mark 2

This does not work (it appears that neither mark is set - although I am not certain of this).

Can anyone point me in the right direction in order to get the second case working?

TIA,
David

Notes:
Kernel 2.4.20
Iptables 1.2.7a

Both the kernel and iptables have had a few patches applied although I don’t think this is the cause of the problem.

I have read that sending alternate packets over different links is not always a good idea because it can lead to packets arriving at the destination host in the wrong order. I have been told that this is not a problem for Linux, but some other OS don’t like it, so I have restricted the balancing rules to a host that I know runs Linux.
This is the reason for the –d 10.1.1.1
(In the real rules 10.1.1.1 is replaced with a real IP address).