From: Philip Craig <philipc@snapgear.com>
To: Alpt <alpt@freaknet.org>
Cc: netsukuku@freaknet.org, netfilter@lists.netfilter.org
Subject: Re: Multiple inet gw and multipath
Date: Wed, 01 Mar 2006 15:35:54 +1000
Message-ID: <440532BA.40009@snapgear.com>
In-Reply-To: <20060301045503.GA7482@nihil>
On 03/01/2006 02:55 PM, Alpt wrote:
> We have multiple gw. When a new connection is established through a gw,
> all the packets belonging to the same connection must be sent through the
> same gw.
> We cannot use the source routing method since all the IFs use the same IP,
> thus in order to accomplish this we have to:
> mark with the same id all the packets which belong to the same
> connection.
> Each connection has to have a different mark in order to go through
> different gateways.
>
> A simple idea is to assign a mark to each tunnel (outgoing IF), and
> when a new connection is created through a specific tunnel, all the outgoing
> packets of the connection are marked with the same id. But how?
>
> Another idea is to conntrack the connection and mark the packets with a
> 4-bit number which is the hash of the destination IP. Probably this requires a
> new netfilter extension.
Why the destination IP?
It should work if you just mark the connection with the same mark
you use for the route tables. Some untested rules:
# Save the gateway in the connection mark for new outgoing connections
iptables -t mangle -A POSTROUTING -o eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x4
iptables -t mangle -A POSTROUTING -o eth1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x8
# Save the gateway in the connection mark for new incoming connections
iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x4
iptables -t mangle -A PREROUTING -i eth1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x8
# Use the correct gateway for reply packets from the LAN
iptables -t mangle -A PREROUTING -i eth2 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
# Use the correct gateway for reply packets from local connections
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
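The CONNMARK rules above only work together with fwmark-based policy routing, which the mail leaves implicit. The script below is an added example (not from the original message or the netfilter project): it builds a per-uplink route table and fwmark rule for each gateway and then installs the mark rules, keeping the mail's 0x4/0x8 marks, eth0/eth1 uplinks and eth2 LAN side. Gateway addresses and table numbers are constructed placeholders; with DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: policy routing + CONNMARK for sticky per-connection gateways.
# Interface names, gateway addresses, marks and table numbers are constructed.

: "${DRY_RUN:=1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One uplink per line: "<iface> <gateway> <mark> <table>"
UPLINKS='eth0 192.0.2.1 0x4 4
eth1 198.51.100.1 0x8 8'

setup_policy_routing() {
    printf '%s\n' "$UPLINKS" | while read -r iface gw mark table; do
        [ -n "$iface" ] || continue
        # Each gateway gets its own table holding a single default route.
        run ip route add default via "$gw" dev "$iface" table "$table"
        # Packets carrying this uplink's fwmark are routed by that table.
        run ip rule add fwmark "$mark" table "$table"
        # The first packet of a locally originated connection is routed by the
        # main table; record which uplink it left through in the conntrack mark.
        run iptables -t mangle -A POSTROUTING -o "$iface" \
            -m conntrack --ctstate NEW -j CONNMARK --set-mark "$mark"
        # Same for connections that arrive from the outside on this uplink.
        run iptables -t mangle -A PREROUTING -i "$iface" \
            -m conntrack --ctstate NEW -j CONNMARK --set-mark "$mark"
    done
    # Copy the saved connection mark back onto every later packet, so the
    # fwmark rules above keep the whole connection on the same gateway.
    run iptables -t mangle -A PREROUTING -i eth2 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT \
        -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
}
```

Run as root with DRY_RUN=0 to apply; the restore rules must sit in PREROUTING/OUTPUT because the routing decision for those packets happens right after those chains.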