From: Neal Becker <ndbecker2@gmail.com>
To: netfilter@vger.kernel.org
Cc: fedora-list@redhat.com
Subject: RE: policy based routing question
Date: Thu, 06 Dec 2007 06:33:03 -0500
Message-ID: <fj8mlf$9ia$1@ger.gmane.org>
In-Reply-To: BAY119-W11F48CE40651F810C15CBD66F0@phx.gbl

Andrew Kraslavsky wrote:

> 
>> I'm interested in implementing policy based routing on a system with
>> multiple interfaces. I'd like to use some kind of classifier to determine
>> the type of traffic associated with a packet. I know iptables/mark + ip
>> route can be used to classify packets by port #, but that isn't always
>> sufficient.
>>
> 
> Perhaps I have misunderstood your question but...all of the matches that
> are valid/meaningful in the mangle table's PREROUTING chain are at your
> disposal!
> 
> For example, assuming you define advanced routing rules that use mark 0x01
> for your primary interface and mark 0x02 for your secondary interface and
> you wanted all outgoing HTTP traffic from local subnet 192.168.10.0/24 to
> go out your primary interface and you wanted all outgoing HTTP traffic
> from local subnet 192.168.20.0/24 to go out your secondary interface you
> could use:
> 
> iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -p tcp --dport 80 -j MARK --set-mark 0x01
> iptables -t mangle -A PREROUTING -s 192.168.20.0/24 -p tcp --dport 80 -j MARK --set-mark 0x02
> 
> The appropriate matches to use would of course depend on what your
> interests are (classify by source IP address? source MAC address? input
> interface? destination port? etc...).
> 
> Putting it another way, beyond port number and the examples listed above
> or all that is covered on the iptables man page, what kind of
> classification are you after?
> 

Having done a bit more research, I think what I'm interested in is L7.  Now
what I'm trying to figure out is what is needed for L7 userspace on fedora
f8 kernel.

I have kernel-2.6.23.8-63.fc8.x86_64.  According to
http://l7-filter.sourceforge.net/HOWTO-userspace
I need to figure out if fedora f8 kernel has "Layer 3 Dependent Connection
tracking (OBSOLETE)".  Looking
in /lib/modules/2.6.23.8-63.fc8/build/.config I don't see anything that
obviously corresponds to this.

If I just try anyway, it doesn't seem to work:
sudo /sbin/modprobe -v ip_conntrack_netlink
insmod /lib/modules/2.6.23.8-63.fc8/kernel/net/ipv4/netfilter/nf_nat.ko 
insmod /lib/modules/2.6.23.8-63.fc8/kernel/net/netfilter/nf_conntrack_netlink.ko 
[nbecker@nbecker1 l7-filter-userspace-v0.4]$ /usr/bin/l7-filter --help

                      ***WARNING***
The ip_conntrack_netlink module does not appear to be loaded.
Unless you have it compiled into your kernel, please load it
and run l7-filter again.
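The mark-based policy routing sketched in the quoted reply, as an added example that is not code from this thread: the two marking rules together with the ip rule / ip route side that the reply assumes is already in place. The interface names, gateway addresses and table numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example: fwmark-based policy routing for the two-subnet HTTP case.
# Constructed assumptions: eth0 is the primary uplink (gateway 192.0.2.1),
# eth1 the secondary uplink (gateway 198.51.100.1), tables 101/102 are unused.
set -eu

# The marking rules from the quoted reply. They live in mangle/PREROUTING,
# which runs before the routing decision, so the fwmark is visible to ip rule.
mark_rules() {
    printf '%s\n' \
      "iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -p tcp --dport 80 -j MARK --set-mark 0x01" \
      "iptables -t mangle -A PREROUTING -s 192.168.20.0/24 -p tcp --dport 80 -j MARK --set-mark 0x02"
}

# One routing table per uplink, selected by fwmark.
# Arguments: mark table interface gateway
route_cmds() {
    mark=$1; table=$2; dev=$3; gw=$4
    printf '%s\n' \
      "ip route add default via $gw dev $dev table $table" \
      "ip rule add fwmark $mark table $table"
}

# The full plan, in the order it must be applied (tables populated before
# the rules that point at them).
plan() {
    mark_rules
    route_cmds 0x01 101 eth0 192.0.2.1
    route_cmds 0x02 102 eth1 198.51.100.1
}

# Print the plan by default; apply it only when APPLY=1 and running as root.
# Caveat: return traffic for marked flows arrives on the secondary uplink,
# so strict rp_filter on that interface may drop it unless relaxed.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    plan | while IFS= read -r cmd; do echo "+ $cmd"; eval "$cmd"; done
else
    plan
fi
```

Run without APPLY to review the generated commands; `ip rule show` and `ip route show table 101` confirm the result once applied.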
Thread overview: 5+ messages
2007-12-06  2:19 policy based routing question Neal Becker
2007-12-06  3:41 ` FTP Wierdness Toby Chamberlain
2007-12-06  3:43 ` policy based routing question Andrew Kraslavsky
2007-12-06 11:33   ` Neal Becker [this message]
2007-12-06 11:43     ` Pascal Hambourg
