From: "Lloyd Standish" <lloyd@crnatural.net>
To: Thomas Jacob <jacob@internet24.de>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: still can't route using fwmark
Date: Sat, 18 Apr 2009 11:12:36 -0600 [thread overview]
Message-ID: <op.usld3aqfx1lyi3@localhost> (raw)
In-Reply-To: <20090418082314.GA12566@internet24.de>
Thanks for the reply, Thomas. I've got iptables 1.3.8 because I downloaded it (and the patch-o-matic stuff) quite a while back when it was the most current version. I'm using it because my kernel is not the stock Etch kernel (it is in fact a Ubuntu kernel, necessary to get a module that Debian removed over licensing issues). I recompiled my kernel and installed iptables 1.3.8 out of desperation, since I have studied this load-balancing stuff pretty thoroughly and it seems what I have ought to work.
My kernel 2.6.20.3 does not have a CONFIG_IP_ROUTE_FWMARK configuration setting! Has this been absorbed into another configuration setting? How can I be sure fwmark is working? Judging by my setup, which is very simple, packets and connections are being marked, but routing is not affected by fwmark.
I have the kernel config options IP_NF_CONNTRACK_SUPPORT and XFRM_SUB_POLICY both set OFF. Might this be a problem?
--
Lloyd
On Sat, 18 Apr 2009 02:23:15 -0600, Thomas Jacob <jacob@internet24.de> wrote:
> On Fri, Apr 17, 2009 at 10:40:49PM -0600, Lloyd Standish wrote:
>> Hello,
>>
>> I am still having trouble doing load balancing over ppp0 and ppp1 for a Debian Etch PC (kernel 2.6.20.3, iptables 1.3.8). I used patch-o-matic to update my kernel sources and recompiled the kernel, and compiled and installed iptables 1.3.8. Also all the netfilter-related kernel configuration options I need are set, I believe.
>
> Why the strange versions? They are neither the ones that come with Etch nor
> anything current. Anyway, Etch's stock kernel and iptables (2.6.18/v1.3.6 based)
> are fine for what you want to do.
>
> You need the iptables (conn)marking stuff, and advanced router + policy/fw routing,
> and that's all part of stock packages.
>
> /boot/config-2.6.18-6-686
>
> CONFIG_IP_ADVANCED_ROUTER=y
> CONFIG_ASK_IP_FIB_HASH=y
> # CONFIG_IP_FIB_TRIE is not set
> CONFIG_IP_FIB_HASH=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_IP_ROUTE_FWMARK=y
> CONFIG_IP_ROUTE_MULTIPATH=y
> # CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
> CONFIG_IP_ROUTE_VERBOSE=y
>
> dpkg -L iptables | grep -i mark
> /lib/iptables/libipt_connmark.so
> /lib/iptables/libipt_mark.so
> /lib/iptables/libipt_CONNMARK.so
> /lib/iptables/libipt_MARK.so
> /lib/iptables/libipt_SECMARK.so
> /lib/iptables/libipt_CONNSECMARK.so
> /lib/iptables/libip6t_connmark.so
> /lib/iptables/libip6t_mark.so
> /lib/iptables/libip6t_CONNMARK.so
> /lib/iptables/libip6t_MARK.so
> /lib/iptables/libip6t_SECMARK.so
> /lib/iptables/libip6t_CONNSECMARK.so
>
> Here's what I used some time ago to do something similar (either with Etch
> or maybe even Sarge), sending outgoing packets back to the router the
> corresponding incoming packets of a connection came from, for a single machine.
>
>
> #!/bin/sh
>
> iptables=iptables
>
> # Tag each connection with the router its incoming packets arrive from.
> # The mac match option is --mac-source.
> $iptables -t mangle -A INPUT -m mac --mac-source <ROUTERMAC1> -j CONNMARK --set-mark 1
> $iptables -t mangle -A INPUT -m mac --mac-source <ROUTERMAC2> -j CONNMARK --set-mark 2
>
> # For packets leaving the local net, copy the connection mark back onto the
> # packet in mangle OUTPUT, before the routing decision, so the fwmark rules
> # can select the table for the matching router.
> $iptables -t mangle -N TONET
> $iptables -t mangle -F TONET
> $iptables -t mangle -A OUTPUT -o <DEVICE> -d ! <LOCAL_NET> -j TONET
>
> $iptables -t mangle -A TONET -m connmark ! --mark 0 -j CONNMARK --restore-mark
>
> The route/rule stuff was more or less what you've got. If you want to
> forward packets for other hosts, this needs to go into PREROUTING of
> course.
>
> Thomas
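The setup both messages are circling, as an added example written for this edit rather than Thomas's script or Lloyd's configuration: it carries the connmark idea through to the `ip rule` / `ip route` side for two ppp uplinks, restores the mark where the routing decision can still see it, and adds a read-back check so you can confirm from `ip rule show` that the kernel actually stored the fwmark rules instead of hunting for a config symbol. The interface names (ppp0, ppp1), the LAN 192.168.1.0/24, marks 1 and 2 and tables 101 and 102 are assumptions, and the `ip rule show` output in SAMPLE_RULES is constructed. With DRY_RUN=1 (the default) the script only prints the commands, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the script from the thread: fwmark policy routing for two
# ppp uplinks, from connection marking through to the ip rule / ip route side.
# DRY_RUN=1 (the default) prints each command instead of executing it;
# DRY_RUN=0 applies the rule set (needs root).
DRY_RUN=${DRY_RUN:-1}

# Hypothetical values; adjust to the real links and LAN.
DEV1=ppp0; MARK1=1; TABLE1=101
DEV2=ppp1; MARK2=2; TABLE2=102
LOCAL_NET=192.168.1.0/24

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Stage 1: remember, per connection, which uplink its inbound packets use.
# ppp links carry no MAC addresses, so the inbound interface is the key here
# instead of the router MAC used in the LAN script above.
setup_marks() {
    run iptables -t mangle -A PREROUTING -i "$DEV1" -j CONNMARK --set-mark "$MARK1"
    run iptables -t mangle -A PREROUTING -i "$DEV2" -j CONNMARK --set-mark "$MARK2"
    # Stage 2: copy the connection mark onto each outbound packet *before* the
    # routing decision: mangle PREROUTING for forwarded LAN traffic, mangle
    # OUTPUT for traffic this host generates. A mark that is only set on the
    # connection, or set in a chain that runs after routing, never influences
    # route selection.
    run iptables -t mangle -A PREROUTING -s "$LOCAL_NET" -m connmark ! --mark 0 -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
}

# Stage 3: one routing table per uplink, selected by the packet mark.
setup_routes() {
    run ip route add default dev "$DEV1" table "$TABLE1"
    run ip route add default dev "$DEV2" table "$TABLE2"
    run ip rule add fwmark "$MARK1" table "$TABLE1"
    run ip rule add fwmark "$MARK2" table "$TABLE2"
    # Strict reverse-path filtering on the uplinks would drop replies that
    # arrive on the link the main table would not have chosen for that source.
    run sysctl -w "net.ipv4.conf.$DEV1.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$DEV2.rp_filter=0"
    # Cached routes were computed without the new rules; drop them.
    run ip route flush cache
}

# Read-back check: does "ip rule show" list a fwmark rule for mark $2 -> table $3?
# $1 is the ip rule output, passed in so the check also works offline.
# iproute2 prints the mark as hex (fwmark 0x1); older builds printed decimal.
fwmark_rule_present() {
    hex=$(printf '0x%x' "$2")
    printf '%s\n' "$1" | grep -Eq "fwmark ($hex|$2) lookup $3( |\$)"
}

# Returns 0 only if both uplink rules are present in the given ip rule output.
both_rules_present() {
    fwmark_rule_present "$1" "$MARK1" "$TABLE1" && fwmark_rule_present "$1" "$MARK2" "$TABLE2"
}

# Constructed sample of "ip rule show" output on a host where only the first
# fwmark rule made it in, i.e. what a half-applied setup looks like.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 101
32766:  from all lookup main
32767:  from all lookup default'

setup_marks
setup_routes
if [ "$DRY_RUN" = 0 ]; then
    both_rules_present "$(ip rule show)" || echo "fwmark rules missing from ip rule show" >&2
fi
```

Run it once as `sh fwmark-routing.sh` to read the generated commands, then `DRY_RUN=0 sh fwmark-routing.sh` to apply them. The read-back check is the practical answer to "how can I be sure fwmark is working": the kernel only echoes `fwmark ... lookup ...` in `ip rule show` for rules it actually stored, whatever the config symbols are called on a given kernel. The two comments in `setup_marks` and `setup_routes` cover the usual reasons a setup shows "marked but not routed": the mark must be on the packet when mangle PREROUTING or OUTPUT hands it to the routing code, and strict rp_filter on the uplinks silently discards the asymmetric replies.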