Hello,

On Wed, 16 Feb 2005, Nguyen Dinh Nam wrote:

> Although I don't agree with the approach of using JA's patch, I still
> admit that nano-howto is a good howto, many people are using it
> successfully.
>
> But nano-howto doesn't tell you to bind each connection to only one link
> (internet connection), so some packets get dropped when they get routed
> to the wrong link. You can read about using CONNMARK here:
> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

It is controlled by correct routes. NAT connections are bound to the
masquerade IP (done in netfilter), but the patches guarantee this is
propagated to the routing usage; look for lsrc in the patch. It works for
DNAT too. IOW, in some cases you can use more ISPs for maddr, for example
ISP1 for maddr_X->dest1 and ISP2 for maddr_X->dest2. Once maddr is
selected for a connection (from the first packet), this maddr can be
routed to one ISP (if the ISPs do spoofing checks) or to many ISPs; you
can even use a multipath route for 'from maddr to all'. So, for packets
from a single connection all requirements are met: traffic from maddr can
use any/many alive links, but only one at a time for a specific
maddr->dest path.

When two NAT connections are related, CONNMARK can solve the problem of
routing both of them to the same path; sometimes this is done from the
application modules, which select the same maddr for related connections.
Of course, other high level dependencies can be solved with CONNMARK,
e.g. web session persistence, maybe with help from application modules.
The problem here is that "routes" work only at the routing level, while
CONNMARK work can be helped from other modules.

Regards

--
Julian Anastasov <ja@xxxxxx>

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
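The CONNMARK pinning that the quoted message refers to, as an added example that is not from this thread, the nano-howto or the routing patches discussed above: each new LAN connection gets a mark on its first packet, the mark is stored on the conntrack entry and restored on every later packet, and a policy-routing rule sends marked packets out through one fixed uplink. Interface names, gateway addresses and table numbers are placeholders; DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Two-uplink NAT router: ISP1 on eth1 (gw 192.0.2.1, table 101),
# ISP2 on eth2 (gw 198.51.100.1, table 102), LAN on eth0.  All of these
# are constructed placeholder values.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

setup_tables() {
    # one routing table per uplink, selected by the packet's fwmark
    run ip route add default via 192.0.2.1 dev eth1 table 101
    run ip route add default via 198.51.100.1 dev eth2 table 102
    run ip rule add fwmark 1 table 101
    run ip rule add fwmark 2 table 102
}

setup_marks() {
    # copy the connection's stored mark onto every packet before routing
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # first packet of a NEW LAN connection: choose a link (here a simple
    # every-other-connection split), anything still unmarked goes to ISP2
    run iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW \
        -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW \
        -m mark --mark 0 -j MARK --set-mark 2
    # persist the choice on the conntrack entry so later packets reuse it
    run iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW \
        -j CONNMARK --save-mark
    # masquerade with the address of the link actually used, so the
    # connection's source address and its uplink always agree
    run iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
}

apply_all() { setup_tables; setup_marks; }

apply_all
```

The nth split is only a placeholder policy; any rule that assigns the first packet a mark works, because CONNMARK persists whatever mark that packet ends up with.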