loadbalancing multipath routing frequently freezes udp connections

Linux Advanced Routing and Traffic Control



hi

i recently searched in the mailing list archive and found similar
problems, whose solutions helped very much, thank you.

i have the following scenario:

a firewall with one lan interface
eth0 10.1.1.1/24
and two uplink interfaces
eth1 10.2.2.1/24
eth2 10.3.3.1/24

each uplink interface does SNAT:
iptables -t nat -I POSTROUTING -o eth1 -j SNAT --to-source 10.2.2.1
iptables -t nat -I POSTROUTING -o eth2 -j SNAT --to-source 10.3.3.1

i set up loadbalancing multipath routing as described in the howto.
then i had the well mentioned problem that established connections leave
the wrong interface after the routing cache clears.

i solved this using the CONNMARK target, marking connections which left
one interface and directing those packages always to the same interface
using the appropriate ip rule fwmark entry. but this works only for tcp.
udp connections (like an openvpn connection) frequently freeze. it seems
that udp packages still leave the wrong interface after a routing cache
clear.


any ideas?
do i have something wrong with the iptables mangle rules?



i used the following commands:

ip rule add prio 200 from 10.2.2.0/24 table 200
ip rule add prio 200 fwmark 200 table 200
ip route add 10.2.2.0/24 dev eth1 proto static table 200
ip route add default via 10.2.2.100 proto static table 200

ip rule add prio 201 from 10.3.3.0/24 table 201
ip rule add prio 201 fwmark 201 table 201
ip route add 10.3.3.0/24 dev eth2 proto static table 201
ip route add default via 10.3.3.100 proto static table 201

ip route add default scope global nexthop via 10.2.2.100 dev eth1 nexthop via 10.3.3.100 dev eth2


# contains MARK rules for connection initiations coming from the outside
#(portfw)
iptables -t mangle -N INCOMINGMARK

# contains MARK rules for connection initiations coming from the inside
# routed by multi path routes
iptables -t mangle -N OUTGOINGMARK

# contains MARK rules for connection initiations coming from the inside
# forced by user configuration to leave through a specific uplink
iptables -t mangle -N OUTGOINGCUSTOMMARK

iptables -t mangle -A POSTROUTING -j OUTGOINGMARK -m state --state NEW
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark -m state --state NEW -m mark ! --mark 0

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -j OUTGOINGCUSTOMMARK -m state --state NEW
iptables -t mangle -A PREROUTING -j INCOMINGMARK -m state --state NEW


# the three chains were created in the mangle table, so appending to them
# needs -t mangle as well (without it iptables looks for them in the filter table)
iptables -t mangle -A INCOMINGMARK -i eth1 -j MARK --set-mark 200
iptables -t mangle -A OUTGOINGMARK -o eth1 -j MARK --set-mark 200

iptables -t mangle -A INCOMINGMARK -i eth2 -j MARK --set-mark 201
iptables -t mangle -A OUTGOINGMARK -o eth2 -j MARK --set-mark 201


thank you in advance, any help would be greatly appreciated

peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.it   :: peter@xxxxxxxxx
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
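As an added example (not code from Peter's post or from the Endian project), the following POSIX sh script regenerates the complete policy-routing and CONNMARK rule set from the post for any number of uplinks, so that every rule touching the INCOMINGMARK/OUTGOINGMARK chains carries `-t mangle` consistently and the per-uplink blocks cannot drift apart. It assumes the same interface names, subnets, gateways and mark/table numbers as above; the `DRYRUN` variable, the function names and the `missing_table_count` self-check are my own additions. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: generate the per-uplink ip rule / ip route / iptables mangle
# commands for multipath load balancing with CONNMARK-pinned connections.
# DRYRUN=1 (the default, an assumption of this example) prints the commands;
# DRYRUN=0 executes them and must be run as root on the firewall itself.

DRYRUN="${DRYRUN:-1}"

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# base_rules: chains plus the CONNMARK save/restore glue, table-qualified.
base_rules() {
    run iptables -t mangle -N INCOMINGMARK        # marks for inbound initiations (portfw)
    run iptables -t mangle -N OUTGOINGMARK        # marks for multipath-routed outbound initiations
    run iptables -t mangle -N OUTGOINGCUSTOMMARK  # marks forced by user configuration
    # first packet of a new connection: record the uplink the routing decision chose
    run iptables -t mangle -A POSTROUTING -m state --state NEW -j OUTGOINGMARK
    run iptables -t mangle -A POSTROUTING -m state --state NEW -m mark ! --mark 0 -j CONNMARK --save-mark
    # later packets of the same connection: reuse the stored mark before routing
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -m state --state NEW -j OUTGOINGCUSTOMMARK
    run iptables -t mangle -A PREROUTING -m state --state NEW -j INCOMINGMARK
}

# uplink_rules TABLE IFACE SUBNET GATEWAY
# One uplink: the fwmark number doubles as the routing table number, as in the post.
uplink_rules() {
    table="$1"; iface="$2"; subnet="$3"; gw="$4"
    run ip rule add prio "$table" from "$subnet" table "$table"
    run ip rule add prio "$table" fwmark "$table" table "$table"
    run ip route add "$subnet" dev "$iface" proto static table "$table"
    run ip route add default via "$gw" proto static table "$table"
    run iptables -t mangle -A INCOMINGMARK -i "$iface" -j MARK --set-mark "$table"
    run iptables -t mangle -A OUTGOINGMARK -o "$iface" -j MARK --set-mark "$table"
}

# multipath_default GW1 IF1 GW2 IF2: the load-balancing default route in the main table.
multipath_default() {
    run ip route add default scope global nexthop via "$1" dev "$2" nexthop via "$3" dev "$4"
}

# missing_table_count: self-check over generated text on stdin. Counts iptables
# append rules that lack an explicit table and would therefore land in the
# filter table, where the custom chains do not exist. Expected result: 0.
missing_table_count() {
    grep -c '^iptables -A' || true
}

# generate_all: the full rule set for the two uplinks described in the post.
generate_all() {
    base_rules
    uplink_rules 200 eth1 10.2.2.0/24 10.2.2.100
    uplink_rules 201 eth2 10.3.3.0/24 10.3.3.100
    multipath_default 10.2.2.100 eth1 10.3.3.100 eth2
}

generate_all
```

To apply the rules, run `DRYRUN=0 sh script.sh` as root on the firewall; to audit them first, pipe the default output through `missing_table_count` and expect `0`. One caveat worth keeping in mind when the UDP flow in question is produced by a process on the firewall itself (an OpenVPN daemon running on the router rather than on a LAN host): the mangle PREROUTING chain only sees packets arriving on an interface, while locally generated packets traverse the mangle OUTPUT chain, so a `CONNMARK --restore-mark` rule there is required if those connections are to be pinned to an uplink as well; the generator above, like the rule set in the post, only handles forwarded traffic.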
