Re: Split access, load balancing AND forwarding: HOW?

Linux Advanced Routing and Traffic Control

On Wednesday 21 February 2007 23:58, Ming-Ching Tiew wrote:
> From: "Luciano Ruete" <luciano@xxxxxxxxxxxxx>
>
> > The solution is to use CONNTRACK from iptables, full example described in
> > this[1] e-mail from the archive. No patches needed.
> >
> > [1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>
> I think you mean CONNMARK ( not CONNTRACK ) from iptables  ?

Sorry, a brain-o, but it is well explained in the e-mail referred to.

>
> The ever popular routing command :-
>
> > #route commands
> > ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via
> > y.y.y.y dev eth2
>
> My personal view is to ***NEVER*** use such a routing statement, or never
> let the system have a chance to use such a routing statement, especially
> when you are doing NAT.

You are ***WRONG*** here :-)

The multipath statement works really great, but it is connection-stateless 
without the iptables CONNMARK help.

> The email example above included this routing 
> statement but it is not used because the  'ip rule' takes precedence. 

WRONG, the first packet of a trackable connection does get routed by the 
multipath routing statement. Once routed to one of the weighted gateways, it is 
MARKed and --saved by CONNMARK. The second (and all the rest) packets from that 
connection will always use the same gateway. 

So, 'ip ro nexthop' does the weighted gateway selection and balancing, then I use 
CONNMARK to ensure that packets from the same flow always keep the same 
gateway. 

I got this working on production servers with 3 ISPs, and believe me, it works 
like a Swiss clock. 

> The 
> multipath weighted cache-based routing is problematic.

If you do not use something that can track the connection, yes, but hey, you 
have CONNMARK now, and before that you could do the same trick (and still can) 
with Julian Anastasov's patches.

> I would say it would be better to re-order the iptables commands :-
>
> #restore mark before ROUTING decision
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> #by-pass rules if it is already MARKed
> iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
> #1st packets (from a connection) will arrive here
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
>
> i.e. restore-mark is moved to the top.

It produces the same result; I think it is easier to understand if the restore 
command goes at the end, because first you talk about the mark, and at the end 
you talk about restoring it. 
If you put the restore first, the newbie will ask "what the hell am I 
restoring???". But it is a matter of taste. 

> I strongly recommend that the LARTC documentation be updated, especially as it
> encourages people to use multipath weighted routing instead of an iptables
> based solution.

The docs are outdated but technically OK; they were written by people who really 
know about these matters. It is more dangerous that you say things like the 
ones you wrote in this e-mail (which are enormously wrong) and Google indexes 
them. 

-- 
Luciano
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
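The complete setup Luciano describes (weighted multipath in the main table picks the uplink for the first packet of a flow, CONNMARK pins the rest of the flow to that uplink via per-ISP tables and fwmark rules), as an added example that is not from the thread or from the archived e-mail it cites. Interfaces eth0/eth1/eth2, gateways 192.0.2.1 and 198.51.100.1, tables 101/102 and the MASQUERADE rules are assumptions; it also goes a little beyond the quoted rules by restoring the mark only on the LAN side and saving only non-zero marks, so reply and LAN-bound packets are never pinned into an ISP table.

```shell
#!/bin/sh
# Added example (not from the thread): multipath default route for the first
# packet of each flow, CONNMARK to pin the rest of the flow to the same uplink.
# Interface names, gateways and table ids are assumed placeholders.
# APPLY=1 executes the commands (root required); otherwise they are printed.
LAN_IF=${LAN_IF:-eth0}                                     # assumed LAN side
WAN1_IF=${WAN1_IF:-eth1}; WAN1_GW=${WAN1_GW:-192.0.2.1}    # assumed ISP 1
WAN2_IF=${WAN2_IF:-eth2}; WAN2_GW=${WAN2_GW:-198.51.100.1} # assumed ISP 2
TABLE1=101; TABLE2=102; MARK1=0x1; MARK2=0x2               # assumed ids

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

setup_routes() {
    # One table per ISP: a packet carrying that ISP's fwmark is pinned to it.
    # (If the box also routes between internal networks, copy those routes
    # into both tables, or marked packets for them would leave via the ISP.)
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table "$TABLE1"
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE2"
    run ip rule add fwmark "$MARK1" table "$TABLE1"
    run ip rule add fwmark "$MARK2" table "$TABLE2"
    # Unmarked packets (the first of a flow) fall through to the main table,
    # where the weighted multipath route picks the gateway.
    run ip route replace default \
        nexthop via "$WAN1_GW" dev "$WAN1_IF" weight 1 \
        nexthop via "$WAN2_GW" dev "$WAN2_IF" weight 1
}

setup_marks() {
    # Before the routing decision: restore the saved mark, but only for traffic
    # arriving from the LAN. Replies from the ISPs must stay unmarked so they are
    # routed by the main table towards the LAN, not bounced into an ISP table.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    # After routing: a packet that already has a mark needs nothing more
    # (modern spelling of the "--mark ! 0" test quoted in the thread).
    run iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
    # First packet of a flow: record which uplink multipath chose ...
    run iptables -t mangle -A POSTROUTING -o "$WAN1_IF" -j MARK --set-mark "$MARK1"
    run iptables -t mangle -A POSTROUTING -o "$WAN2_IF" -j MARK --set-mark "$MARK2"
    # ... and keep it in the conntrack entry. Saving only non-zero marks stops a
    # packet leaving towards the LAN from overwriting the stored mark with 0.
    run iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
    # SNAT per uplink, so the source address always matches the ISP in use.
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j MASQUERADE
}

setup_routes
setup_marks
```

Run it once without APPLY to review the generated commands, then with APPLY=1 on the router; locally generated traffic from the router itself is not covered and would need the same restore-mark in the mangle OUTPUT chain.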
