From: Peter Rabbitson
Date: Wed, 09 May 2007 16:33:15 +0000
Subject: Re: [LARTC] Load balancing using connmark
Message-Id: <4641F7CB.3000209@rabbit.us>
References: <1178722806.7492.55.camel@vulcan.aspl>
In-Reply-To: <1178722806.7492.55.camel@vulcan.aspl>
To: lartc@vger.kernel.org

Francis Brosnan Blazquez wrote:
> Hi,
>
> I've been implementing a load balancing solution using CONNMARK, based
> on the solution described by Luciano Ruete at [1]. Thanks for the post and for
> pointing in the right direction, Luciano!
>
> Once implemented, I've found that due to some reason packets aren't
> properly marked (or improperly remarked) and sent out using the wrong
> interface.
>
>
> iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

This is wrong. POSTROUTING is exactly what it is: _POST_ routing. By the
time you do your marks and stuff the kernel has _already_ assigned a
packet to an interface, and you cannot alter this anymore.

> After a bit of testing with the second solution, it seems to behave
> better, doing all marking job at the PREROUTING and OUTPUT.

This is flawed too. OUTPUT suffers from the very same problem as
POSTROUTING - by the time the packets hit the NF stack the process has
already bound itself to an interface, which you cannot change anymore.

Peter
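Added example, not part of the original message or of either poster's configuration: one way to do the marking for forwarded traffic in mangle PREROUTING, which runs before the routing decision, so the restored mark can still select the uplink through `ip rule`. `eth1`/`eth2` are from the thread; the LAN interface `eth0`, routing tables 101/102, the gateway addresses and the `statistic` split are assumptions, and locally generated traffic is not covered.

```shell
#!/bin/sh
# Added example (assumptions: eth0 is the LAN side, tables 101/102,
# gateways are documentation addresses). Only forwarded traffic is handled.
LAN_IF=${LAN_IF:-eth0}
GW1=${GW1:-192.0.2.1}       # assumed gateway reachable via eth1
GW2=${GW2:-198.51.100.1}    # assumed gateway reachable via eth2

# Prints the commands instead of running them; review the output, then
# pipe it into "sh" as root to apply.
gen_rules() {
    cat <<EOF
# Connections opened from outside: remember the uplink they arrived on.
# Only the connection mark is set, so these packets still route normally.
iptables -t mangle -A PREROUTING -i eth1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x2
# LAN packets: copy the connection mark onto the packet BEFORE routing.
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i $LAN_IF -m mark ! --mark 0 -j ACCEPT
# Unmarked (new) LAN connections: alternate between the two uplinks.
iptables -t mangle -A PREROUTING -i $LAN_IF -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i $LAN_IF -m mark --mark 0 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --save-mark
# Policy routing: the packet mark picks the table, the table picks the uplink.
ip route add default via $GW1 dev eth1 table 101
ip route add default via $GW2 dev eth2 table 102
ip rule add fwmark 0x1 table 101
ip rule add fwmark 0x2 table 102
EOF
}

# Line number (within the generated output) of the first line matching $1,
# used to confirm that restore-mark is emitted before save-mark.
rule_line() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

gen_rules
```

Inspect the result afterwards with `iptables -t mangle -L PREROUTING -v -n` and `ip rule show`; the per-rule packet counters show whether both marks are being assigned.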