From: Peter Warasin <peter@endian.it>
To: lartc@vger.kernel.org
Subject: [LARTC] loadbalancing multipath routing frequently freezes udp
Date: Mon, 30 Jan 2006 16:22:35 +0000
Message-ID: <43DE3D4B.6020700@endian.it>

hi

i recently searched the mailing list archive and found similar
problems, whose solutions helped very much, thank you.

i have the following scenario:

a firewall with one lan interface
eth0 10.1.1.1/24
and two uplink interfaces
eth1 10.2.2.1/24
eth2 10.3.3.1/24

each uplink interface does SNAT:
iptables -t nat -I POSTROUTING -o eth1 -j SNAT --to-source 10.2.2.1
iptables -t nat -I POSTROUTING -o eth2 -j SNAT --to-source 10.3.3.1

i set up loadbalancing multipath routing as described in the howto.
then i had the well mentioned problem that established connections leave
the wrong interface after the routing cache clears.

i solved this using the CONNMARK target, marking connections which left
one interface and directing those packages always to the same interface
using the appropriate ip rule fwmark entry. but this works only for tcp.
udp connections (like an openvpn connection) frequently freeze. it seems
that udp packages still leave the wrong interface after a routing cache
clear.


any ideas?
do i have something wrong with the iptables mangle rules?



i used the following commands:

ip rule add prio 200 from 10.2.2.0/24 table 200
ip rule add prio 200 fwmark 200 table 200
ip route add 10.2.2.0/24 dev eth1 proto static table 200
ip route add default via 10.2.2.100 proto static table 200

ip rule add prio 201 from 10.3.3.0/24 table 201
ip rule add prio 201 fwmark 201 table 201
ip route add 10.3.3.0/24 dev eth2 proto static table 201
ip route add default via 10.3.3.100 proto static table 201

ip route add default scope global nexthop via 10.2.2.100 dev eth1 \
    nexthop via 10.3.3.100 dev eth2


# contains MARK rules for connection initiations coming from the outside
#(portfw)
iptables -t mangle -N INCOMINGMARK

# contains MARK rules for connection initiations coming from the inside
# routed by multi path routes
iptables -t mangle -N OUTGOINGMARK

# contains MARK rules for connection initiations coming from the inside
# forced by user configuration to leave through a specific uplink
iptables -t mangle -N OUTGOINGCUSTOMMARK

iptables -t mangle -A POSTROUTING -j OUTGOINGMARK -m state --state NEW
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark -m state \
    --state NEW -m mark ! --mark 0

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -j OUTGOINGCUSTOMMARK -m state --state NEW
iptables -t mangle -A PREROUTING -j INCOMINGMARK -m state --state NEW


# the mark chains live in the mangle table, so -t mangle is needed here too
iptables -t mangle -A INCOMINGMARK -i eth1 -j MARK --set-mark 200
iptables -t mangle -A OUTGOINGMARK -o eth1 -j MARK --set-mark 200

iptables -t mangle -A INCOMINGMARK -i eth2 -j MARK --set-mark 201
iptables -t mangle -A OUTGOINGMARK -o eth2 -j MARK --set-mark 201


thank you in advance, any help would be greatly appreciated

peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.it   :: peter@endian.it
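The per-uplink policy-routing and CONNMARK setup from the mail, regenerated by one function per uplink so the table, mark, priority and interface stay consistent, plus a check of which interface the kernel picks for a marked packet. This is an added example, not the poster's script; it assumes the mail's convention that table number, fwmark and rule priority are the same value, and an iproute2 whose `ip route get` accepts `mark`. With DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): the mail's rules as functions,
# with "-t mangle" on every operation on the mark chains, and a verification
# helper. Assumption: table == mark == prio, as in the mail. DRY_RUN=1
# (default) prints the commands; DRY_RUN=0 executes them as root.

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Create the three mark chains and hook them in exactly as the mail does.
mark_chains() {
    for c in INCOMINGMARK OUTGOINGMARK OUTGOINGCUSTOMMARK; do
        run iptables -t mangle -N "$c"
    done
    run iptables -t mangle -A POSTROUTING -m state --state NEW -j OUTGOINGMARK
    run iptables -t mangle -A POSTROUTING -m state --state NEW \
        -m mark ! --mark 0 -j CONNMARK --save-mark
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -m state --state NEW -j OUTGOINGCUSTOMMARK
    run iptables -t mangle -A PREROUTING -m state --state NEW -j INCOMINGMARK
}

# uplink_rules IFACE MARK NET GATEWAY: the routing table and the two MARK
# rules for one uplink (eth1/200 and eth2/201 in the mail).
uplink_rules() {
    iface=$1; mark=$2; net=$3; gw=$4
    run ip rule add prio "$mark" from "$net" table "$mark"
    run ip rule add prio "$mark" fwmark "$mark" table "$mark"
    run ip route add "$net" dev "$iface" proto static table "$mark"
    run ip route add default via "$gw" proto static table "$mark"
    run iptables -t mangle -A INCOMINGMARK -i "$iface" -j MARK --set-mark "$mark"
    run iptables -t mangle -A OUTGOINGMARK -o "$iface" -j MARK --set-mark "$mark"
}

# check_mark DST MARK IFACE: succeed only if a packet to DST carrying fwmark
# MARK would leave via IFACE (i.e. the fwmark rule wins over the multipath
# default). In dry-run mode it only prints the command to run.
check_mark() {
    dst=$1; mark=$2; iface=$3
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "ip route get $dst mark $mark   # expect: dev $iface"; return 0
    fi
    ip route get "$dst" mark "$mark" | grep -q " dev $iface "
}

mark_chains
uplink_rules eth1 200 10.2.2.0/24 10.2.2.100
uplink_rules eth2 201 10.3.3.0/24 10.3.3.100
check_mark 192.0.2.1 200 eth1   # 192.0.2.1 is a constructed test destination
check_mark 192.0.2.1 201 eth2
```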
