Re: [LARTC] Balancing ip traffic over two or more internet (adsl) connections

Linux Advanced Routing and Traffic Control

 Hello:

 Some comments / ideas:

- "Jorge Boncompte [DTI2]" <jorge@xxxxxxxx> suggested that I remove the
"equalize" option. I tested it. It does NOT work at all.
- I've done some tests with TOS translation. Logs are included at the
bottom of this post. Summarizing:
1) If I do the TOS translation on the OUTPUT or FORWARD chain it does NOT
solve the problem at all.
2) If I do the TOS translation on the INPUT chain it PARTIALLY solves
the problem. "Partially" means that it works ok for local machines
accessing our gateway, but it does not work for connections originating
on the gateway itself.

Explanation: this is a rough scheme of how the chains are traversed:

(incoming) packet ---> INPUT --> Routing decision --> FORWARD -->
OUTPUT -> (outgoing) packet

(this is valid for a packet coming from another local machine into our
gateway machine)

 As you can see the routing decision is performed AFTER the input check
and BEFORE the forward & output checks. Therefore if we do the TOS translation
on the forward or output chains it will NOT affect the multipath decision
(which is taken before the translation is performed) and the multipath
algorithm will BREAK our "session" (assuming it uses changing TOS
values, as FTP does). See logs "Case 1" and "Case 3".

 The TOS translation is only valid if performed on the INPUT chain, because
the multipath decision is performed after it. It partially solves the
problem. At least it works for local machines (not our gateway
itself).

 Nevertheless if the connection is originated from the gateway itself,
then packets do NOT traverse the INPUT chain. So our TOS filter is
useless :-(. I haven't found any solution for that.

 I'm not a kernel hacker. But I suppose the "good" solution would be
to patch the kernel to remove the TOS check. This way our problem
wouldn't exist.

 Arthur van Leeuwen <arthurvl@xxxxxxxxxx> kindly suggested a trick
with static routes involved, to solve this last problem. But I want to
set up a transparent proxy on the gateway machine. Therefore almost
all traffic will (virtually) originate on the gateway machine (where
the proxy will be located) and I need this traffic to be balanced too
(as the other local traffic does).

 If I'm missing something or I'm wrong, please, correct me. Also I'd
like to receive more (working if possible) ideas.

 Thanks all (especially to Arthur).

 Román.-


-=LOGS=-

======= Case 1 =======

goliat:~ # ipchains -A output -t 0x01 0x00

backup:~ # arp -a
roman (192.168.0.247) at 00:C0:26:F0:40:9A [ether] on eth0
backup:~ # ftp 62.22.78.68
Connected to sniff.batmap.com.
220 Sniff FTP-Server ready
Name (62.22.78.68:roman): 
421 Service not available, remote server has closed connection.
ftp: Login failed.
ftp: No control connection for command.
ftp> bye
backup:~ # arp -na
? (192.168.0.247) at 00:C0:26:F0:40:9A [ether] on eth0
? (192.168.0.200) at 00:50:04:0D:6A:12 [ether] on eth0
? (192.168.0.230) at 00:80:2D:DC:26:1E [ether] on eth0
? (192.168.0.229) at 00:80:2D:DC:28:27 [ether] on eth0
backup:~ # arp -n
Address                 HWtype  HWaddress           Flags Mask            Iface
192.168.0.247           ether   00:C0:26:F0:40:9A   C                     eth0
192.168.0.200           ether   00:50:04:0D:6A:12   C                     eth0
192.168.0.230           ether   00:80:2D:DC:26:1E   C                     eth0
192.168.0.229           ether   00:80:2D:DC:28:27   C                     eth0
backup:~ # 

17:57:47.006607 62.174.128.49.6551 > 62.22.78.68.ftp: S
357098797:357098797(0) win 32767 <mss 1460,sackOK,timestamp 6991
0,nop,wscale 0> (DF)
17:57:47.006643 62.22.78.68.ftp > 62.174.128.49.6551: S
673396295:673396295(0) ack 357098798 win 32120 <mss
1460,sackOK,timestamp 814167663 6991,nop,wscale 0> (DF)
17:57:47.043320 62.174.128.49.6551 > 62.22.78.68.ftp: . 1:1(0) ack 1
win 65160 <nop,nop,timestamp 6995 814167663> (DF)
17:57:47.149299 62.22.78.68.ftp > 62.174.128.49.6551: P 1:29(28) ack 1
win 32120 <nop,nop,timestamp 814167677 6995> (DF)
17:57:47.207938 62.175.108.41.4259 > 62.22.78.68.ftp: .
357098798:357098798(0) ack 673396324 win 65160 <nop,nop,timestamp 7010
814167677> (DF)
17:57:47.207966 62.22.78.68.ftp > 62.175.108.41.4259: R
673396324:673396324(0) win 0
17:57:47.898878 62.175.108.41.4259 > 62.22.78.68.ftp: P 0:12(12) ack 1
win 65160 <nop,nop,timestamp 7078 814167677> (DF)
17:57:47.898892 62.22.78.68.ftp > 62.175.108.41.4259: R
673396324:673396324(0) win 0
17:57:50.140028 62.22.78.68.ftp > 62.174.128.49.6551: P 1:29(28) ack 1
win 32120 <nop,nop,timestamp 814167977 6995> (DF)
17:57:50.182538 62.174.128.49.6551 > 62.22.78.68.ftp: R
357098798:357098798(0) win 0


======= Case 2 =======

goliat:~ # ipchains -A input -t 0x01 0x00

backup:~ # ftp 62.22.78.68
Connected to sniff.batmap.com.
220 Sniff FTP-Server ready
Name (62.22.78.68:roman): 
331 Password required for roman.
Password:
230 User roman logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
backup:~ #

sniff:~ # tcpdump -ni eth0 tcp port 21 or 20
User level filter, protocol ALL, datagram packet socket
tcpdump: listening on eth0
18:06:13.818618 62.174.128.49.6893 > 62.22.78.68.ftp: S
893209756:893209756(0) win 32767 <mss 1460,sackOK,timestamp 30163
0,nop,wscale 0> (DF)
18:06:13.818762 62.22.78.68.ftp > 62.174.128.49.6893: S
1223828639:1223828639(0) ack 893209757 win 32120 <mss
1460,sackOK,timestamp 814218344 30163,nop,wscale 0> (DF)
18:06:13.855538 62.174.128.49.6893 > 62.22.78.68.ftp: . 1:1(0) ack 1
win 65160 <nop,nop,timestamp 30175 814218344> (DF)
18:06:13.959701 62.22.78.68.ftp > 62.174.128.49.6893: P 1:29(28) ack 1
win 32120 <nop,nop,timestamp 814218358 30175> (DF)
18:06:13.999058 62.174.128.49.6893 > 62.22.78.68.ftp: . 1:1(0) ack 29
win 65160 <nop,nop,timestamp 30190 814218358> (DF)
18:06:15.175588 62.174.128.49.6893 > 62.22.78.68.ftp: P 1:13(12) ack
29 win 65160 <nop,nop,timestamp 30292 814218358> (DF)
18:06:15.175608 62.22.78.68.ftp > 62.174.128.49.6893: . 29:29(0) ack
13 win 32120 <nop,nop,timestamp 814218480 30292> (DF)
18:06:15.176848 62.22.78.68.ftp > 62.174.128.49.6893: P 29:63(34) ack
13 win 32120 <nop,nop,timestamp 814218480 30292> (DF)
18:06:15.246166 62.174.128.49.6893 > 62.22.78.68.ftp: . 13:13(0) ack
63 win 65160 <nop,nop,timestamp 30315 814218480> (DF)
18:06:17.902895 62.174.128.49.6893 > 62.22.78.68.ftp: P 13:28(15) ack
63 win 65160 <nop,nop,timestamp 30499 814218480> (DF)
18:06:17.912514 62.22.78.68.ftp > 62.174.128.49.6893: P 63:90(27) ack
28 win 32120 <nop,nop,timestamp 814218754 30499> (DF)
18:06:17.953806 62.174.128.49.6893 > 62.22.78.68.ftp: P 28:33(5) ack
90 win 65160 <nop,nop,timestamp 30585 814218754> (DF)
18:06:17.953989 62.22.78.68.ftp > 62.174.128.49.6893: P 90:131(41) ack
33 win 32120 <nop,nop,timestamp 814218758 30585> (DF)
18:06:18.011966 62.174.128.49.6893 > 62.22.78.68.ftp: P 33:39(6) ack
131 win 65160 <nop,nop,timestamp 30591 814218758> (DF)
18:06:18.012101 62.22.78.68.ftp > 62.174.128.49.6893: P 131:150(19)
ack 39 win 32120 <nop,nop,timestamp 814218764 30591> (DF)
18:06:18.066255 62.174.128.49.6893 > 62.22.78.68.ftp: . 39:39(0) ack
150 win 65160 <nop,nop,timestamp 30597 814218764> (DF)
18:06:19.272030 62.174.128.49.6893 > 62.22.78.68.ftp: P 39:45(6) ack
150 win 65160 <nop,nop,timestamp 30700 814218764> (DF)
18:06:19.272125 62.22.78.68.ftp > 62.174.128.49.6893: P 150:164(14)
ack 45 win 32120 <nop,nop,timestamp 814218890 30700> (DF)
18:06:19.272789 62.22.78.68.ftp > 62.174.128.49.6893: F 164:164(0) ack
45 win 32120 <nop,nop,timestamp 814218890 30700> (DF)
18:06:19.312433 62.174.128.49.6893 > 62.22.78.68.ftp: F 45:45(0) ack
164 win 65160 <nop,nop,timestamp 30721 814218890> (DF)
18:06:19.312465 62.22.78.68.ftp > 62.174.128.49.6893: . 165:165(0) ack
46 win 32120 <nop,nop,timestamp 814218894 30721> (DF)
18:06:19.320287 62.174.128.49.6893 > 62.22.78.68.ftp: . 46:46(0) ack
165 win 65160 <nop,nop,timestamp 30722 814218890> (DF)

36 packets received by filter
sniff:~ # 


======= Case 3 =======

goliat:~ # ipchains -A forward -t 0x01 0x00

backup:~ # ftp 62.22.78.68
Connected to sniff.batmap.com.
220 Sniff FTP-Server ready
Name (62.22.78.68:roman): 
421 Service not available, remote server has closed connection.
ftp: Login failed.
ftp: No control connection for command.

18:19:39.609405 62.174.128.49.7379 > 62.22.78.68.ftp: S
1736918725:1736918725(0) win 32767 <mss 1460,sackOK,timestamp 9345
0,nop,wscale 0> (DF)
18:19:39.609518 62.22.78.68.ftp > 62.174.128.49.7379: S
2068636790:2068636790(0) ack 1736918726 win 32120 <mss
1460,sackOK,timestamp 814298923 9345,nop,wscale 0> (DF)
18:19:39.904265 62.174.128.49.7379 > 62.22.78.68.ftp: . 1:1(0) ack 1
win 65160 <nop,nop,timestamp 9370 814298923> (DF)
18:19:42.574780 62.22.78.68.ftp > 62.174.128.49.7379: P 1:29(28) ack 1
win 32120 <nop,nop,timestamp 814299220 9370> (DF)
18:19:44.204673 62.175.108.41.4776 > 62.22.78.68.ftp: .
1736918726:1736918726(0) ack 2068636819 win 65160 <nop,nop,timestamp
9805 814299220> (DF)
18:19:44.204717 62.22.78.68.ftp > 62.175.108.41.4776: R
2068636819:2068636819(0) win 0
18:19:45.570027 62.22.78.68.ftp > 62.174.128.49.7379: P 1:29(28) ack 1
win 32120 <nop,nop,timestamp 814299520 9370> (DF)
18:19:46.405868 62.174.128.49.7379 > 62.22.78.68.ftp: R
1736918726:1736918726(0) win 0


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    ** RoMaN SoFt / LLFB **  
       roman@xxxxxxxxxx
   http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
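As an added example (not part of Román's post or of the LARTC archive), the following Python script parses the "Case 1" tcpdump trace above and flags the moment the session's client address flips from one ADSL line's masqueraded address to the other's, which is the visible symptom of the multipath decision changing mid-session. The sample input is the post's own Case 1 log, pasted wrapped exactly as the mail shows it. The matching rule is the example's own assumption: classic tcpdump (without -S) prints absolute sequence numbers for the first ACK-carrying packet of a 4-tuple it has not seen before, so a stray packet whose seq equals the original client's ISN+1, or whose ack falls inside the range the server has already sent, can be tied back to the original handshake.

```python
"""Spot a TCP session whose client address flips mid-connection in a classic
tcpdump trace. The gateway masquerades later packets with the other line's
address, so the server sees a second 4-tuple carrying the first one's sequence
numbers and answers RST. The stray packet is printed with absolute numbers."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, str]  # (ip, port or service name as tcpdump prints it)
# One re-joined tcpdump line: "ts src.port > dst.port: FLAGS seq:end(len) ack N ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\S+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\S+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?")

@dataclass
class Flow:
    client: Endpoint
    server: Endpoint
    client_isn: int                   # absolute ISN from the client's SYN
    server_isn: Optional[int] = None  # absolute ISN from the SYN-ACK
    server_next_rel: int = 1          # next relative seq the server will send

def join_wrapped(text: str) -> List[str]:
    """Undo mail-client wrapping: a packet line starts with a timestamp,
    any other non-empty line is the tail of the previous packet line."""
    out: List[str] = []
    for raw in (l.strip() for l in text.splitlines()):
        if re.match(r"\d\d:\d\d:\d\d\.\d+ ", raw):
            out.append(raw)
        elif raw and out:
            out[-1] += " " + raw
    return out

def find_address_flips(text: str) -> List[dict]:
    flows: Dict[Tuple[Endpoint, Endpoint], Flow] = {}  # (client, server) -> Flow
    flagged, flips = set(), []
    for line in join_wrapped(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = (m["src"], m["sport"]), (m["dst"], m["dport"]), m["flags"]
        seq = int(m["seq"]) if m["seq"] else None
        ack = int(m["ack"]) if m["ack"] else None
        if "S" in flags and ack is None and seq is not None:   # client SYN
            flows[(src, dst)] = Flow(src, dst, seq)
        elif "S" in flags and (dst, src) in flows:             # SYN-ACK
            flows[(dst, src)].server_isn = seq
        elif (dst, src) in flows:                              # server -> client (relative)
            if seq is not None and ack is not None:
                f = flows[(dst, src)]
                f.server_next_rel = max(f.server_next_rel, seq + int(m["len"]))
        elif (src, dst) in flows or (src, dst) in flagged:     # client -> server, known
            continue
        elif ack is not None:  # unknown 4-tuple: absolute numbers, compare to each handshake
            for f in flows.values():
                if f.server != dst or f.server_isn is None:
                    continue
                same_client_seq = seq == f.client_isn + 1
                acks_server_data = f.server_isn + 1 <= ack <= f.server_isn + f.server_next_rel
                if same_client_seq or acks_server_data:
                    flagged.add((src, dst))
                    flips.append({"ts": m["ts"], "server": dst, "original_client": f.client,
                                  "new_client": src, "matched_seq": same_client_seq,
                                  "matched_ack": acks_server_data})
                    break
    return flips

# The "Case 1" trace from the post above, pasted as the mail wrapped it (not constructed)
CASE1_LOG = """
17:57:47.006607 62.174.128.49.6551 > 62.22.78.68.ftp: S
357098797:357098797(0) win 32767 <mss 1460,sackOK,timestamp 6991
0,nop,wscale 0> (DF)
17:57:47.006643 62.22.78.68.ftp > 62.174.128.49.6551: S
673396295:673396295(0) ack 357098798 win 32120 <mss
1460,sackOK,timestamp 814167663 6991,nop,wscale 0> (DF)
17:57:47.043320 62.174.128.49.6551 > 62.22.78.68.ftp: . 1:1(0) ack 1
win 65160 <nop,nop,timestamp 6995 814167663> (DF)
17:57:47.149299 62.22.78.68.ftp > 62.174.128.49.6551: P 1:29(28) ack 1
win 32120 <nop,nop,timestamp 814167677 6995> (DF)
17:57:47.207938 62.175.108.41.4259 > 62.22.78.68.ftp: .
357098798:357098798(0) ack 673396324 win 65160 <nop,nop,timestamp 7010
814167677> (DF)
17:57:47.207966 62.22.78.68.ftp > 62.175.108.41.4259: R
673396324:673396324(0) win 0
17:57:47.898878 62.175.108.41.4259 > 62.22.78.68.ftp: P 0:12(12) ack 1
win 65160 <nop,nop,timestamp 7078 814167677> (DF)
17:57:47.898892 62.22.78.68.ftp > 62.175.108.41.4259: R
673396324:673396324(0) win 0
17:57:50.140028 62.22.78.68.ftp > 62.174.128.49.6551: P 1:29(28) ack 1
win 32120 <nop,nop,timestamp 814167977 6995> (DF)
17:57:50.182538 62.174.128.49.6551 > 62.22.78.68.ftp: R
357098798:357098798(0) win 0
"""

if __name__ == "__main__":
    print(find_address_flips(CASE1_LOG))
```

Run against Case 1 it reports one flip at 17:57:47.207938: the session opened from 62.174.128.49:6551 continues from 62.175.108.41:4259, matched both by the client sequence number (ISN+1) and by the ack (server ISN + 29, the 28-byte banner plus the SYN). The Case 3 trace parses the same way; Case 2 stays on a single 4-tuple and yields nothing, which is the "works" outcome the post describes for the INPUT-chain rule.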


