From: Thomas Jacob <jacob@internet24.de>
To: Lloyd Standish <lloyd@crnatural.net>
Cc: netfilter@vger.kernel.org
Subject: Re: still can't route using fwmark
Date: Mon, 20 Apr 2009 21:26:01 +0200
Message-ID: <20090420192600.GB1158@internet24.de>
In-Reply-To: <op.usoy1zlxx1lyi3@localhost>
On Mon, Apr 20, 2009 at 09:38:13AM -0600, Lloyd Standish wrote:
> Thomas, somehow I had the erroneous idea that ALL packets, even those originating at the local machine, go through PREROUTING. I finally understand now why I need the OUTPUT statements. As soon as I added those, the load balancing started to work!
Great
> # restore the fwmark on packets that belong to an existing connection
> # this prerouting stuff would only be for connections initiated on the LAN
>
> iptables -A PREROUTING -i eth0 -t mangle -m state --state ESTABLISHED,RELATED -j RESTOREMARK
This is too restrictive, drop the -i eth0, your forwarded packets from the internet
will not arrive through eth0 but still need a CONNMARK -> MARK restore.
> iptables -A PREROUTING -i eth0 -t mangle -m mark ! --mark 0 -j RETURN
> iptables -A PREROUTING -t mangle -j CONNMARK1
> iptables -A PREROUTING -t mangle -m statistic --mode nth --every 2 --packet 0 -j CONNMARK2
Otherwise you might assign a different mark again here, and that doesn't work
with NATed connections. Possibly you should also use -m state --state NEW to prevent
the marking stuff taking place on any other packets than the initial ones.
> Once this is working for LAN I want to try load balancing according the byte count of each interface, if that is possible.
Hmm, I don't see how to do this without using some kind of script
that constantly checks the load of your links and then modifies iptables
rules accordingly. Don't forget that you are load balancing connections, not
individual packets. But maybe you can cook something up with the recent match or
something, if you do, please keep the list posted ;)
Thomas
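The points Thomas makes above (restore the connection mark in both PREROUTING and OUTPUT, do not restrict the restore rule with -i eth0, and mark only NEW connections so NATed connections keep one consistent mark) fit together into one small mangle-table ruleset. The script below is an added example and is not code from either message in the thread. It assumes two uplink routing tables (1 and 2) already carry a default route each, that marks 1 and 2 select them, and it uses a helper chain name (MARKNEW) that is made up here; the interface name eth0 is the LAN interface from the thread. By default it only prints the commands (IPT and IP are set to "echo iptables" and "echo ip"); run it as root with IPT=iptables IP=ip to apply them.

```shell
#!/bin/sh
# Added example: connection-based load balancing over two uplinks with
# CONNMARK/MARK, following the advice in the thread. Not from the original posts.
# Defaults print the rules instead of applying them; set IPT=iptables IP=ip to apply.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"
MARK_A="${MARK_A:-1}"    # constructed: fwmark for uplink A, routing table 1
MARK_B="${MARK_B:-2}"    # constructed: fwmark for uplink B, routing table 2
TABLE_A="${TABLE_A:-1}"  # assumed: table 1 already holds a default route via uplink A
TABLE_B="${TABLE_B:-2}"  # assumed: table 2 already holds a default route via uplink B

gen_rules() {
    # Helper chain (hypothetical name) that picks a mark for a NEW connection.
    $IPT -t mangle -N MARKNEW

    # PREROUTING: packets forwarded from the LAN *and* replies coming back
    # from the internet. No -i restriction on the restore rule, so replies
    # arriving on either uplink get their mark back too.
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j RETURN
    $IPT -t mangle -A PREROUTING -m state --state NEW -j MARKNEW

    # OUTPUT: locally originated packets never traverse PREROUTING,
    # so they need the same restore / mark-new logic here.
    $IPT -t mangle -A OUTPUT -j CONNMARK --restore-mark
    $IPT -t mangle -A OUTPUT -m mark ! --mark 0 -j RETURN
    $IPT -t mangle -A OUTPUT -m state --state NEW -j MARKNEW

    # MARKNEW: only the first packet of a connection gets here. Alternate
    # between the two marks and save the choice into the conntrack entry,
    # so every later packet of that connection (and its NAT mapping)
    # keeps the same uplink.
    $IPT -t mangle -A MARKNEW -m statistic --mode nth --every 2 --packet 0 \
        -j MARK --set-mark "$MARK_A"
    $IPT -t mangle -A MARKNEW -m mark --mark 0 -j MARK --set-mark "$MARK_B"
    $IPT -t mangle -A MARKNEW -j CONNMARK --save-mark

    # Policy routing: send each mark out through its own table.
    $IP rule add fwmark "$MARK_A" table "$TABLE_A"
    $IP rule add fwmark "$MARK_B" table "$TABLE_B"
}

# Sanity checks on the generated ruleset (used when the script is dry-run).
count_output_rules() { gen_rules | grep -c -- '-A OUTPUT '; }
count_input_iface_matches() { gen_rules | grep -c -- ' -i ' || true; }

gen_rules
```

Only connections are balanced, as Thomas notes: the nth counter advances once per NEW connection, not per packet, so two long downloads can still land on the same uplink.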