RE: policy based routing question

Andrew Kraslavsky wrote:

> 
>> I'm interested in implementing policy based routing on a system with
>> multiple interfaces. I'd like to use some kind of classifier to determine
>> the type of traffic associated with a packet. I know iptables/mark + ip
>> route can be used to classify packets by port #, but that isn't always
>> sufficient.
>>
> 
> Perhaps I have misunderstood your question but...all of the matches that
> are valid/meaningful in the mangle table's PREROUTING chain are at your
> disposal!
> 
> For example, assuming you define advanced routing rules that use mark 0x01
> for your primary interface and mark 0x02 for your secondary interface and
> you wanted all outgoing HTTP traffic fron local subnet 192.168.10.0/24 to
> go out your primary interface and you wanted all outgoing HTTP traffic
> from local subnet 192.168.20.0/24 to go out your secondary interface you
> could use:
> 
> iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -p tcp --dport 80 -j MARK --set-mark 0x01
> iptables -t mangle -A PREROUTING -s 192.168.20.0/24 -p tcp --dport 80 -j MARK --set-mark 0x02
> 
> The appropriate matches to use would of course depend on what your
> interests are (classify by source IP address? source MAC address? input
> interface? destination port? etc...).
> 
> Putting it another way, beyond port number and the examples listed above
> or all that is covered on the iptables man page, what kind of
> classification are you after?
> 

Having done a bit more research, I think what I'm interested in is L7.  Now
what I'm trying to figure out is what is needed for L7 userspace on fedora
f8 kernel.

I have kernel-2.6.23.8-63.fc8.x86_64.  According to
http://l7-filter.sourceforge.net/HOWTO-userspace
I need to figure out if fedora f8 kernel has "Layer 3 Dependent Connection
tracking (OBSOLETE)".  Looking
in /lib/modules/2.6.23.8-63.fc8/build/.config I don't see anything that
obviously corresponds to this.

If I just try anyway, it doesn't seem to work:
sudo /sbin/modprobe -v ip_conntrack_netlink
insmod /lib/modules/2.6.23.8-63.fc8/kernel/net/ipv4/netfilter/nf_nat.ko 
insmod /lib/modules/2.6.23.8-63.fc8/kernel/net/netfilter/nf_conntrack_netlink.ko 
[nbecker@nbecker1 l7-filter-userspace-v0.4]$ /usr/bin/l7-filter --help

                      ***WARNING***
The ip_conntrack_netlink module does not appear to be loaded.
Unless you have it compiled into your kernel, please load it
and run l7-filter again.
-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
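As an added example (not code from the thread or from any of its participants), the script below completes the fwmark approach in the quoted reply with the `ip rule` / `ip route` half that the two iptables lines alone do not show. Interface names eth0/eth1, the gateway addresses (RFC 5737 documentation ranges), routing tables 101/102, the rule priorities and the 192.168.0.0/16 "keep local" prefix are all assumptions. It prints the commands instead of executing them unless DRY_RUN=0, so the generated rule set can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the thread. Builds both halves of fwmark-based
# policy routing: the mangle MARK classification quoted in the reply, and the
# ip rule / ip route side that sends marked packets through a dedicated table.
# Assumptions: eth0/eth1 are the uplinks, gateways are placeholders, tables
# 101/102 and rule priorities 50/100 are unused on the box.
# Commands are printed, not executed, unless DRY_RUN=0.

DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pbr_setup SRC_NET MARK TABLE OUT_IF GATEWAY
# Steers HTTP (tcp/80) from SRC_NET out of OUT_IF via GATEWAY.
pbr_setup() {
    src_net=$1; mark=$2; table=$3; out_if=$4; gw=$5

    # 1. Classify in mangle/PREROUTING. For forwarded packets this chain runs
    #    before the routing decision, so the mark is visible to "ip rule".
    run iptables -t mangle -A PREROUTING -s "$src_net" -p tcp --dport 80 \
        -j MARK --set-mark "$mark"

    # 2. Policy rule: packets carrying the mark consult TABLE instead of main.
    #    Priority 100 places it ahead of the main (32766) and default rules.
    run ip rule add fwmark "$mark" table "$table" priority 100

    # 3. The per-uplink table holds only a default route; the lookup stops
    #    at the first table that yields a route, so nothing else is needed.
    run ip route add default via "$gw" dev "$out_if" table "$table"
}

# pbr_keep_local DST_PREFIX
# Because table 101/102 answers every lookup with its default route, marked
# HTTP traffic to another local subnet would be pushed out the uplink.
# A higher-priority rule sends local destinations back to the main table.
pbr_keep_local() {
    run ip rule add to "$1" table main priority 50
}

# Constructed scenario: two LAN subnets, two uplinks.
pbr_keep_local 192.168.0.0/16
pbr_setup 192.168.10.0/24 0x01 101 eth0 203.0.113.1
pbr_setup 192.168.20.0/24 0x02 102 eth1 198.51.100.1
# Drop cached routing decisions so existing flows see the new rules.
run ip route flush cache
```

Two caveats worth checking on a multi-homed router before trusting this: traffic generated on the router itself never passes mangle/PREROUTING, so its own HTTP clients need the same MARK rule in mangle/OUTPUT (the kernel re-routes a locally generated packet after that chain when the mark changes); and with two uplinks the reply to a flow may come back on the other interface, which strict reverse-path filtering (net.ipv4.conf.*.rp_filter=1) silently drops, so either verify the return path is symmetric or relax rp_filter on the uplinks deliberately rather than discovering it through lost connections. Also note that `--set-mark` overwrites the whole mark, so if anything else on the box (tc, IPsec policies, other rules) already uses fwmark, the values must not collide.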