-----Original Message-----
From: Salim S I [mailto:salim.si@xxxxxxxxxxxxxxxx]
Sent: Thursday, May 10, 2007 5:22 PM
To: 'Francis Brosnan Blazquez'
Subject: RE: Load balancing using connmark

"I think the main advantage of the shorewall solution is that it applies connmark to incoming packets from the wan as you point out, leaving load balancing of outgoing connections to the main table"

Actually, the main table/multipath route only routes the first packet of a connection. The subsequent routing for that connection is done based on connmark, for outgoing packets too. Otherwise replies to packets coming from WAN1 may go through WAN2.

The difference in the two solutions is only in where packets are marked and which packets are marked. Routing is the same.

For a detailed discussion on the first approach, you can refer to this thread:
http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

-----Original Message-----
From: Francis Brosnan Blazquez [mailto:francis@xxxxxxx]
Sent: Thursday, May 10, 2007 5:07 PM
To: Salim S I
Cc: lartc@xxxxxxxxxxxxxxx
Subject: RE: Load balancing using connmark

On Thu, 10-05-2007 at 16:01 +0800, Salim S I wrote:

Hi Salim,

Thanks for your reply,

> On closer look, I am wrong about shorewall. It seems to be a different
> approach to load balancing. They connmark the incoming packets from
> WAN, rather than outgoing packets. I think it should work well, but I
> wonder why this approach is not popular. There must be some drawback
> to it. I can't think of one, though.

I think the main advantage of the shorewall solution is that it applies connmark to incoming packets from the wan as you point out, leaving load balancing of outgoing connections to the main table. In any case, with this second solution I don't see wrongly routed packets on wan interfaces using tcpdump, whereas with the first solution I do. More testing is required.

Regarding your previous reply, can you elaborate more on "...This approach will work, but you need some sort of stateful-ness in netfilter..."

Cheers!

-- 
Francis Brosnan Blazquez <francis@xxxxxxx>
Advanced Software Production Line, S.L.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
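As an added example (not code from the thread, the linked discussion, or Shorewall), the script below lays out the routing both approaches share and the two marking variants the thread compares: marking a new connection after routing by its outgoing link, or marking it in PREROUTING by the WAN link it arrived on. Interface names, gateway addresses, table ids and mark values are assumptions, and by default it only prints the commands.

```shell
# Added illustration of the two connmark approaches compared in the thread
# (not Shorewall's or the thread's own rule set). Interface names, gateway
# addresses (constructed RFC 5737 examples), table ids and marks are
# assumptions. DRY_RUN=1 (default) prints commands; DRY_RUN=0 as root applies.
DRY_RUN=${DRY_RUN:-1}
WAN1=eth1; WAN1_GW=192.0.2.1
WAN2=eth2; WAN2_GW=198.51.100.1
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Routing is the same for both approaches: the multipath default route in
# the main table decides only a connection's first packet (mark 0); later
# packets carry the connection mark and the fwmark rules pin them to a link.
setup_routing() {
    run ip route add default scope global \
        nexthop via "$WAN1_GW" dev "$WAN1" weight 1 \
        nexthop via "$WAN2_GW" dev "$WAN2" weight 1
    run ip route add default via "$WAN1_GW" dev "$WAN1" table 1
    run ip route add default via "$WAN2_GW" dev "$WAN2" table 2
    run ip rule add fwmark 1 table 1
    run ip rule add fwmark 2 table 2
}

# Both approaches: copy the connection mark onto each packet before the
# routing decision (PREROUTING for forwarded, OUTPUT for local traffic).
restore_marks() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# Approach 1: mark a new connection after routing, by the link its first
# packet went out on. For a connection that came in from a WAN link, the
# mark follows whichever link the multipath route picked for the reply.
mark_outgoing() {
    run iptables -t mangle -A POSTROUTING -o "$WAN1" -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$WAN2" -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
}

# Approach 2 (the one the thread attributes to Shorewall): mark a new
# connection by the WAN link its first packet arrived on.
mark_incoming() {
    run iptables -t mangle -A PREROUTING -i "$WAN1" -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$WAN2" -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
}

# build outgoing|incoming: emit (or apply) shared routing plus one variant.
build() {
    setup_routing; restore_marks
    case "$1" in incoming) mark_incoming ;; *) mark_outgoing ;; esac
}
build "${1:-outgoing}"
```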