Load balancing using connmark

Linux Advanced Routing and Traffic Control

Hi,

I've been implementing a load balancing solution using CONNMARK, based
on the solution described by Luciano Ruete at [1]. Thanks for the post
and for pointing me in the right direction, Luciano!

Once implemented, I've found that for some reason packets aren't
properly marked (or are improperly remarked) and are sent out using the
wrong interface.

My topology setup is:

[82.123.136.74]: eth1 : mark:0x1 --\
                                    +--[FW BOX] -- eth0: 192.168.0.53
[217.146.74.82]: eth2 : mark:0x2 --/

Using the conntrack tool shows that after a while, packets start to
appear marked with 0x2 or 0x1 that are not coming from the proper source IP.

>> conntrack -L | grep mark=2 | grep '82.123.136.74'; conntrack -L |
grep mark=1 | grep '217.146.74.82'

tcp      6 425543 ESTABLISHED src=192.168.0.178 dst=82.216.53.249
sport=1552 dport=443 packets=818 bytes=93471 src=82.216.53.249
dst=82.123.136.74 sport=443 dport=1552 packets=875 bytes=83909 [ASSURED]
mark=2 use=1
tcp      6 428681 ESTABLISHED src=192.168.0.177 dst=89.139.122.12
sport=2361 dport=443 packets=122 bytes=29381 src=89.139.122.12
dst=82.123.136.74 sport=443 dport=2361 packets=139 bytes=14120 [ASSURED]
mark=2 use=1

This is quite odd since the solution proposed at [1] looks good. I'll
cite it here for clarity (suppose I already have all the ip rule stuff
installed):

# Packets whose mark was already restored from the connection skip the rest
# (note: '--mark ! 0' is the old negation syntax; newer iptables wants '! --mark 0')
iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
# Mark by output interface, then save the mark into the connection
iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
# Restore the connection's mark on incoming packets before the routing decision
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

After trying for several days, I've found that another firewall
solution, shorewall [2], implements built-in load balancing for free by
using the following set of instructions:

# Restore the saved connmark (low byte only) on every packet of a marked connection
iptables -t mangle -A PREROUTING -m connmark ! --mark 0/0xFF -j CONNMARK --restore-mark --mask 0xFF
iptables -t mangle -A OUTPUT -m connmark ! --mark 0/0xFF -j CONNMARK --restore-mark --mask 0xFF

# Still-unmarked packets entering on a WAN interface are marked by input interface
iptables -t mangle -N routemark
iptables -t mangle -A PREROUTING -i eth1 -m mark --mark 0/0xFF -j routemark
iptables -t mangle -A routemark -i eth1 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth2 -m mark --mark 0/0xFF -j routemark
iptables -t mangle -A routemark -i eth2 -j MARK --set-mark 2
# Save the low byte of the new mark into the connection
iptables -t mangle -A routemark -m mark ! --mark 0/0xFF -j CONNMARK --save-mark --mask 0xFF

After a bit of testing with the second solution, it seems to behave
better, doing all the marking work in PREROUTING and OUTPUT.

Did anybody find that some packets don't get properly routed according
to the mark with the first solution? What do you think about the second
solution?

Cheers!

[1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
[2] http://www.shorewall.net


-- 
Francis Brosnan Blazquez <francis@xxxxxxx>
Advanced Software Production Line, S.L.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
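The two rule sets quoted in the post, walked through as an added simulation (not code from the post or from Shorewall): each rule set processes a connection's first packet and the reply to it, and the model returns the interface each packet leaves on. Constructed assumptions: the ip rules send mark 1 via eth1 and mark 2 via eth2, an unmarked packet takes a default route via eth2, eth0 is the LAN side, and NAT is not modelled.

```python
# Added simulation of the two CONNMARK rule sets quoted in the post; not code from
# the post or from Shorewall. Constructed assumptions: 'ip rule' sends mark 1 via
# eth1 and mark 2 via eth2, unmarked packets default to eth2, eth0 is the LAN side.
LAN_NET = "192.168.0."
WAN_BY_MARK = {1: "eth1", 2: "eth2"}
DEFAULT_WAN = "eth2"                              # assumed default route (mark 0)

def route(pkt):
    """Stand-in for policy routing: LAN hosts via eth0, otherwise by fwmark."""
    if pkt["dst"].startswith(LAN_NET):
        return "eth0"
    return WAN_BY_MARK.get(pkt["mark"] & 0xFF, DEFAULT_WAN)

def ruleset_postrouting(ct, pkt):
    """First rule set: mark by OUTPUT interface in POSTROUTING, then save."""
    pkt["mark"] = ct.get(pkt["conn"], 0)          # PREROUTING --restore-mark
    out = route(pkt)
    if pkt["mark"] != 0:                          # '--mark ! 0 -j ACCEPT' ends the chain
        return out
    if out == "eth1":
        pkt["mark"] = 1
    elif out == "eth2":
        pkt["mark"] = 2
    ct[pkt["conn"]] = pkt["mark"]                 # POSTROUTING --save-mark
    return out

def ruleset_prerouting(ct, pkt):
    """Second rule set: mark by INPUT interface in PREROUTING (low byte only)."""
    saved = ct.get(pkt["conn"], 0)
    if saved & 0xFF:                              # -m connmark ! --mark 0/0xFF
        pkt["mark"] = (pkt["mark"] & 0xFFFFFF00) | (saved & 0xFF)   # --restore-mark --mask 0xFF
    if pkt["in"] in ("eth1", "eth2") and (pkt["mark"] & 0xFF) == 0:  # -> routemark
        pkt["mark"] = 1 if pkt["in"] == "eth1" else 2
        ct[pkt["conn"]] = (saved & 0xFFFFFF00) | (pkt["mark"] & 0xFF)  # --save-mark --mask 0xFF
    return route(pkt)

def simulate(ruleset, flow):
    """Run one flow through a rule set; return the egress interface of each packet."""
    ct = {}                                       # conntrack: conn id -> connmark
    return [ruleset(ct, dict(p, mark=0)) for p in flow]
# Constructed flows; remote addresses are the ones in the post's conntrack output.
INBOUND_ON_ETH1 = [                               # e.g. a port forward to a LAN host
    {"conn": "c1", "in": "eth1", "dst": "192.168.0.10"},
    {"conn": "c1", "in": "eth0", "dst": "82.216.53.249"},   # the LAN host's reply
]
OUTBOUND_FROM_LAN = [
    {"conn": "c2", "in": "eth0", "dst": "89.139.122.12"},
    {"conn": "c2", "in": "eth2", "dst": "192.168.0.10"},    # reply arrives on eth2
    {"conn": "c2", "in": "eth0", "dst": "89.139.122.12"},
]
```

Under these assumptions the reply of a connection that entered on eth1 leaves via eth2 with the first rule set, because nothing marks a packet whose first egress is eth0, while the second rule set marks it on ingress and the reply leaves via eth1; LAN-originated connections come out the same under both.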

