Hello,
You'll probably run into trouble with your MARK approach there, as it
won't be able to correctly track connections which are related to other
connections, i.e. FTP-data.
You'll need to rely on connmark for such situations.
# Copy the conntrack mark (if any) onto the packet first, so packets of
# already-marked connections, and of connections RELATED to them, keep
# the mark they inherited.
$IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
# Only packets that are still unmarked after the restore (new, unrelated
# connections) are balanced; "-m connmark ! --mark 0/0" never matches
# (mask 0 makes the negated test always false), so match on the packet
# mark instead. The second rule catches what the 50% rule left unmarked.
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --dport $PORT_LIST \
    -m mark --mark 0 \
    -m statistic --mode random --probability 0.5 \
    -j MARK --set-mark 0x60000000
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --dport $PORT_LIST \
    -m mark --mark 0 \
    -j MARK --set-mark 0x50000000
# Store the packet mark in the connection so every later packet of this
# connection (and of its RELATED connections) gets the same mark.
$IPTABLES -t mangle -A PREROUTING -j CONNMARK --save-mark
As for your L7 case, I'd need some more input there. Can you give a more
detailed description please? You don't want to use it as part of the
routing decision, do you? (That wouldn't work.)
- Jörg
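The following is an added example, not part of the mail above: a small constructed model of the packet mark / conntrack mark interaction in that rule set. It assumes xt_mark and xt_connmark match semantics of `((mark & mask) == value) ^ invert`, and that conntrack initialises a RELATED connection's ctmark from its master (as for FTP-data); `Conn`, `mark_match` and `connmark_rules` are names chosen here, not netfilter APIs.

```python
import random

# Constructed model (added example) of how a packet mark and the conntrack
# mark (ctmark) interact in the connmark-based rule set from the mail.
# Assumed xt_mark / xt_connmark semantics: ((mark & mask) == value) ^ invert.
# Assumed conntrack behaviour: a RELATED entry inherits its master's ctmark.

MARK_A, MARK_B = 0x60000000, 0x50000000


def mark_match(mark, value, mask=0xFFFFFFFF, invert=False):
    """'[!] --mark value/mask' as evaluated by xt_mark / xt_connmark."""
    return ((mark & mask) == value) != invert


class Conn:
    """One conntrack entry; FTP-data (RELATED) starts with the master's ctmark."""

    def __init__(self, master=None):
        self.ctmark = master.ctmark if master else 0


def per_packet_mark(rng):
    """The MARK-only approach: every packet is balanced independently."""
    return MARK_A if rng.random() < 0.5 else MARK_B


def connmark_rules(conn, rng):
    """Run one packet of `conn` through the mangle/PREROUTING rules in order."""
    pkt_mark = conn.ctmark                                # CONNMARK --restore-mark
    if mark_match(pkt_mark, 0) and rng.random() < 0.5:    # unmarked, 50% -> A
        pkt_mark = MARK_A
    if mark_match(pkt_mark, 0):                           # still unmarked -> B
        pkt_mark = MARK_B
    conn.ctmark = pkt_mark                                # CONNMARK --save-mark
    return pkt_mark


def marks_seen(conn, n_packets, rng):
    """Set of packet marks that n_packets of one connection end up with."""
    return {connmark_rules(conn, rng) for _ in range(n_packets)}


def demo(seed=1):
    """Contrast per-packet MARK with connmark for a control + RELATED data flow."""
    rng = random.Random(seed)
    naive = {per_packet_mark(rng) for _ in range(20)}    # usually both marks
    control = Conn()
    ctl = marks_seen(control, 20, rng)                   # exactly one mark
    data = Conn(master=control)                          # FTP-data, RELATED
    return naive, ctl, marks_seen(data, 20, rng)         # data == ctl


if __name__ == "__main__":
    print(demo())
```

`mark_match(ctmark, 0, mask=0, invert=True)` is false for every ctmark, which is why the mail's original `-m connmark ! --mark 0/0` rules would never fire.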