Re: [LARTC] Balancing ip traffic over two or more internet (adsl)connections

Linux Advanced Routing and Traffic Control


 



On Fri, 16 Mar 2001, RoMaN SoFt / LLFB!! wrote:

> On Thu, 15 Mar 2001 17:56:37 +0100 (MET), you wrote:
>
> >> 1) Could you exemplify this TOS field "hacking"?
> >
> >ipchains <yourmatchfields> -t 0x01 0x00
>
>  Ummm. I don't get it to work... I've created the following test
> ipchains rule (see log):
>
> goliat:~ # ipchains -F
> goliat:~ # ipchains -A output -p tcp --source-port 20:21 -b -t 0x01 0x00 -j ACCEPT -l

Looks okay. Note that passive ftp return data is *not* necessarily on
port 20 or 21...

For testing I would try clearing the TOS field on *all* outgoing packets.

>  I only could imagine that TOS translation is being done AFTER
> multipath has acted. Is it possible? In this case, how to avoid it?

Yes, that is theoretically possible, if you are ftp'ing directly from the
machine that does the multipath routing.

>  Could you paste some ipchains rules and/or other useful config files
> for your (working) configuration? Perhaps this may help.

I've already paraphrased most of the complete config. What you may still
need is rules and corresponding routing tables to do static non-multipath
routing if you already have a source address for your packets. This would
probably fix the ftp problem. So, you would make tables 1 and 2 for the two
uplink gateways, and add the following routes (assuming 10.1.1.1 and
10.2.2.1 as the gateways and 10.1.1.2 and 10.2.2.2 as the local ip
addresses):

ip route add 10.1.1.1 dev eth1 table 1
ip route add default via 10.1.1.1 table 1
ip route add 10.2.2.1 dev eth1 table 2
ip route add default via 10.2.2.1 table 2

ip rule add from 10.1.1.2 table 1 prio 100
ip rule add from 10.2.2.2 table 2 prio 200

>  Any help would be *highly* appreciated.

Hope this helps.

Doei, Arthur.

-- 
  /\    / |      arthurvl@xxxxxxxxxx      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching
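
Added example, not part of the original message: a small Python model of the kernel's rule-then-table lookup, using the gateway and local addresses from the routes above. It shows why a packet that already carries 10.1.1.2 or 10.2.2.2 as its source stays on its own uplink, while a packet with no source yet falls through to the multipath default. The contents of the `main` table, the unbound source 0.0.0.0 and the destination 192.0.2.10 are constructed assumptions.

```python
import ipaddress

# Constructed tables mirroring the routes in the message. "main" holds the
# multipath default (assumed), whose next hop is not tied to the source.
MULTIPATH = "multipath(10.1.1.1|10.2.2.1)"
TABLES = {
    "1": [("10.1.1.1/32", "direct"), ("0.0.0.0/0", "10.1.1.1")],
    "2": [("10.2.2.1/32", "direct"), ("0.0.0.0/0", "10.2.2.1")],
    "main": [("0.0.0.0/0", MULTIPATH)],
}
# (priority, source selector, table); 32766 is the kernel's default "main" rule.
MAIN_ONLY = [(32766, "0.0.0.0/0", "main")]
RULES = [(100, "10.1.1.2/32", "1"), (200, "10.2.2.2/32", "2")] + MAIN_ONLY


def table_lookup(table, dst):
    """Longest-prefix match inside one table; None if no route covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop)
    return best[1] if best else None


def route(src, dst, rules=RULES):
    """Walk rules by ascending priority; the first table with a route wins."""
    src = ipaddress.ip_address(src)
    for _prio, selector, table in sorted(rules):
        if src in ipaddress.ip_network(selector):
            nexthop = table_lookup(table, dst)
            if nexthop is not None:
                return table, nexthop
    return None, None


if __name__ == "__main__":
    dst = "192.0.2.10"  # constructed remote ftp server address
    for src in ("10.1.1.2", "10.2.2.2", "0.0.0.0"):
        print(src, "->", route(src, dst))
    # Without the two source rules, a bound source still hits multipath.
    print("no source rules:", route("10.1.1.2", dst, rules=MAIN_ONLY))
```

On a live box, `ip route get 192.0.2.10 from 10.1.1.2` reports the route the kernel actually selects for that source.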



