> > >________________________________________ >From: e.janz@xxxxxxxxxxxxxxxxx [mailto:e.janz@xxxxxxxxxxxxxxxxx] >Sent: 11 April 2007 09:01 >To: lartc@xxxxxxxxxxxxxxx >Subject: Re: equalize / ecmp not working as expected in 2.6 vs 2.4 > > >Andy Furniss <lists@xxxxxxxxxxxxxxxxxxxxxxx> wrote on 10/04/2007 21:29:33: > >> e.janz@xxxxxxxxxxxxxxxxx wrote: >> >> > thanks for the info. First of all, in order to use the nth match you need >> > to patch your kernel using patch-o-matic. >> >> I think nth is in kernel now as part of the statistic match. >> >> Andy. > >I was searching this yesterday afternoon and could not verify it. >Today I found it in the 2.6.18 kernel's changelog: > > [NETFILTER]: x_tables: add statistic match > > Add statistic match which is a combination of the nth and random matches. > > Signed-off-by: Patrick McHardy <...> > Signed-off-by: David S. Miller <...> > >commit 62b7743483b402f8fb73545d5d487ca714e82766 >Author: Patrick McHardy <...> >Date: Mon May 29 18:20:32 2006 -0700 > > >¿ Does this match help you to solve the problem ? > >Regards, >Eric-- > >ADVERTENCIA LEGAL >El contenido de este correo es confidencial y dirigido unicamente a su destinatario. Para acceder a su clausula de privacidad consulte http://www.barceloviajes.com/privacy > >LEGAL ADVISORY >This message is confidential and intended only for the person or entity to which it is addressed. In order to read its privacy policy consult it at http://www.barceloviajes.com/privacy Your suggestion pointed me in the right direction, it is now working with the following setup: Kernel 2.6.20-gentoo-r4 x86_64 Iptables 1.3.7 Iptables rules: iptables -t mangle -A OUTPUT -s <localip2> -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 111 iptables -t mangle -A OUTPUT -s <localip2> -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 222 <localip2> is one of the ip addresses from the /28 range that is routed to both of our lines, in your example you said to add to PREROUTING, but the packets are from the box itself so I changed to OUTPUT, so far that has not caused any problems... any comments on that? We only want to do per-packet load balanced for some local and some routed ips, not all of them, some services cannot cope with the out of order packets that arise from sending outgoing traffic through two different links. IP Rules: ip rule add prio 111 fwmark 111 table ADSLLink1 ip rule add prio 222 fwmark 222 table ADSLLink2 Both ADSLLink1 and ADSLLink2 already existed and contain a default route via the router for line 1 or line 2, they also have routes for other subnets so that for example I can ping our routers from my workstation which has a private IP address, I wont show all the routes as the box has some 10 eth interfaces and it is very long and confusing, but the important bit is: ip route show table ADSLLink1 | grep default default via <router1> dev inet0 ip route show table ADSLLink2 | grep default default via <router2> dev inet0 This is currently working in combination with the ecmp routes that were already in place, and that is working very well for us, services that suffer when there are lots of OOOP's still get per-flow/cached route load balanced over the two lines, and services that can handle a few OOOP's are getting the full benefit of 2 x upload speed. Iptables also gives me much more fine grained control of the setup, when I have more time I will be making more improvements. A final note, I got very confused for a while last night because whenever I used iptables with -t mangle I got a error like this: iptables --list -t mangle Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination FATAL: Module ip_tables not found. <snip> It turns out that this is a issue with having ip_tables compiled into the kernel, /sbin/iptables tries to modprobe it regardless of that and then fails because it is not a module, I believe a fix was posted to netfilter mailing list, I got rid of the error by making a dummy kernel module with the name ip_tables, not a nice solution but it does suppress the error. Many thanks for your help Andy JOSEDV001TAG _______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
