From: "Gáspár Lajos" <swifty@freemail.hu>
To: "Usuário do Sistema" <maiconlp@ig.com.br>
Cc: Andrew Beverley <andy@andybev.com>,
Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: fail in the connmark load-balancing
Date: Mon, 05 Mar 2012 14:34:48 +0100 [thread overview]
Message-ID: <4F54C0F8.2080700@freemail.hu> (raw)
In-Reply-To: <CAMTjHrwpNfbA-a6WUh1OV8G=-BHAX3ONHYtsBT3apM-f-pGsmg@mail.gmail.com>
Hi,
Let me explain my post a bit :D
On 2012-03-02 22:24, Usuário do Sistema wrote:
> Hi,
>
> iptables -t mangle -N MARKS
> iptables -t mangle -A MARKS -j RETURN -m mark ! --mark 0/3
If we have a mark (either 1 or 2 or 3) then we should just RETURN
because we already set the mark...
> iptables -t mangle -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
If the connection is already ESTABLISHED or it is RELATED to another
connection then just mark it as 3.
> iptables -t mangle -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2
Every 2nd connection should be marked as 2.
> iptables -t mangle -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3
Every other connection is marked as 1.
> sorry, but I did understand the mark x/y as you wrote above. why did
> you use --set-mark 1 or --set-mark 2 ??
x is the mark, y is the mask...
0 -> not marked -> new or already established but not marked (see mark 3)
1 -> new connection that should go out on interface 1.
2 -> new connection that should go out on interface 2.
3 -> any other but marked so we do not check again. (ESTABLISHED, RELATED)
> I think when it uses the mark x/y, y is a mask, but I don't know what
> the match is?!?! If someone has a doc about that please post it here.
man iptables (MARK target):
--set-mark value[/mask]
Zeroes out the bits given by mask and ORs value into the
packet mark. If mask is omitted, 0xFFFFFFFF is assumed.
> I haven't done tests yet with your suggestion, Swifty. I'll tell you when I do.
>
> thanks
After reading my post I found out that my script can be fine tuned ... :D
In mangle/PREROUTING change these lines:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARKS
to this:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARK --set-mark 1/3 -m mark --mark 0/3 -i eth2
iptables -t mangle -A PREROUTING -j MARK --set-mark 2/3 -m mark --mark 0/3 -i eth0
iptables -t mangle -A PREROUTING -j MARKS
This modification ensures that any incoming connection (that either goes
to the firewall or gets FORWARDED) should take the same interface as it
came from.
Swifty
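To make the value/mask arithmetic and the rule order concrete, here is an added POSIX shell simulation of the MARKS chain discussed in this thread; it is not code from the thread or from netfilter. It assumes a constructed packet trace (one "restored-connmark state" pair per line) and models the statistic nth counter as a per-rule counter that only advances for packets that actually reach that rule.

```shell
#!/bin/sh
# Simulation of the MARKS chain from the thread (added example, constructed input).

# set_mark OLD VALUE MASK: the MARK --set-mark VALUE/MASK semantics from
# man iptables: zero the bits given by MASK, then OR VALUE into the mark.
# Bits outside MASK (e.g. bit 2 = 4) survive untouched.
set_mark() {
    printf '%d' $(( ($1 & ~$3) | $2 ))
}

# Constructed trace: "<connmark restored by CONNMARK --restore-mark> <state>"
SAMPLE_TRACE='0 NEW
0 NEW
0 ESTABLISHED
4 NEW
1 ESTABLISHED
0 NEW'

# run_trace TRACE: walk every packet through the four MARKS rules and print
# the resulting marks, space separated.
run_trace() {
    nth=0                                   # counter of -m statistic --mode nth
    sep=""
    printf '%s\n' "$1" | while read -r old state; do
        if [ $(( old & 3 )) -ne 0 ]; then
            mark=$old                       # rule 1: -m mark ! --mark 0/3 -j RETURN
        elif [ "$state" = ESTABLISHED ] || [ "$state" = RELATED ]; then
            mark=$(set_mark "$old" 3 3)     # rule 2: --set-mark 3/3
        else
            # rule 3: --every 2 matches packet 0 of each group of 2 -> 1/3
            if [ $(( nth % 2 )) -eq 0 ]; then mark=$(set_mark "$old" 1 3)
            else mark=$(set_mark "$old" 2 3); fi   # rule 4: the rest -> 2/3
            nth=$(( nth + 1 ))              # only packets reaching rule 3 count
        fi
        printf '%s%s' "$sep" "$mark"
        sep=" "
    done
}

run_trace "$SAMPLE_TRACE"; echo    # prints: 1 2 3 5 1 2
```

The fourth packet shows the mask at work: a connmark of 4 (a bit outside the /3 mask) becomes 5, not 1, because only bits 0 and 1 are cleared before the value is ORed in.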