On Wed, 06/05/2009 at 18:03 -0400, Barry A Rich writes:
> We use Netfilter to load balance UDP packets across multiple uplinks (ppp0,
> ppp1, ppp2, ppp3). Uplinks can be added or removed on the fly. When this
> happens, we reset everything and run the firewall/routing script that
> matches the new uplink configuration. The reset looks like this:
>
> ######################### Begin reset #########################
>
> iptables -F INPUT
> iptables -P INPUT DROP
> iptables -F OUTPUT
> iptables -P OUTPUT DROP
> iptables -F FORWARD
> iptables -P FORWARD DROP
> iptables -F -t raw
> iptables -F -t nat
> iptables -F -t mangle
>
> ip route del default
> ip route flush table uplink1
> ip route flush table uplink2
> ip route flush table uplink3
> ip route flush table uplink4
> ip route flush dev ppp0
> ip route flush dev ppp1
> ip route flush dev ppp2
> ip route flush dev ppp3
>
> tc qdisc del dev ppp0 root
> tc qdisc del dev ppp1 root
> tc qdisc del dev ppp2 root
> tc qdisc del dev ppp3 root
>
> ip route flush cache
>
> ######################### End reset #########################
>
> For two uplinks, the setup looks like this:
>
> ######################### Begin setup #########################
>
> iptables -t raw -A PREROUTING -i eth0 -p udp --sport 6970 -j NOTRACK
>
> iptables -t mangle -A PREROUTING -p udp --sport 6970 -m statistic --mode nth \
>     --every 2 --packet 0 -j MARK --set-mark 1
>
> iptables -t mangle -A PREROUTING -p udp --sport 6970 -m statistic --mode nth \
>     --every 2 --packet 1 -j MARK --set-mark 2
>
> tc qdisc add dev ppp0 root handle 1: prio
>
> tc qdisc add dev ppp1 root handle 1: prio
>
> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 \
>     handle 1 fw flowid 1:1 action nat egress x.x.x.x/32 y.y.y.y
>
> tc filter add dev ppp1 parent 1:0 protocol ip prio 1 \
>     handle 2 fw flowid 1:1 action nat egress x.x.x.x/32 z.z.z.z
>
> ######################### End setup #########################
>
> The UDP stream continues to be received on the LAN interface during the
> reset/setup. The reset/setup works most of the time, but occasionally the
> packets going out ppp0 do not get NAT'd after a reset/setup. Repeating the
> setup/reset sequence a second time seems to make it work, but I'd rather
> understand what's wrong and fix it.
>
> All help is appreciated.
>
> Thanks.

Try adding to your reset script:

conntrack -F conntrack
conntrack -F expect

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
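As an added example (not a script from this thread), the same reset sequence rebuilt for whatever uplink devices are currently present, with the conntrack and expectation flush suggested in the reply folded in. UPLINKS and DRY_RUN are assumed variable names; DRY_RUN defaults to printing the commands so the sequence can be inspected without root.

```shell
#!/bin/sh
# Added example, not the poster's script: rebuild the reset sequence for an
# arbitrary uplink list and flush connection-tracking state as the reply
# suggests. DRY_RUN=1 (the default) prints the commands instead of running them.
UPLINKS="${UPLINKS:-ppp0 ppp1 ppp2 ppp3}"   # uplink devices, one routing table each
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

reset_firewall() {
    for chain in INPUT OUTPUT FORWARD; do
        run iptables -F "$chain"
        run iptables -P "$chain" DROP
    done
    for table in raw nat mangle; do
        run iptables -F -t "$table"
    done
}

# Table names follow the poster's convention: uplink1 for the first device, etc.
reset_routing() {
    run ip route del default
    i=1
    for dev in $UPLINKS; do
        run ip route flush table "uplink$i"
        run ip route flush dev "$dev"
        run tc qdisc del dev "$dev" root
        i=$((i + 1))
    done
    run ip route flush cache
}

# iptables -F removes rules only; entries already in the conntrack and
# expectation tables survive it, so flush them explicitly (the reply's fix).
reset_conntrack() {
    run conntrack -F conntrack
    run conntrack -F expect
}

reset_all() {
    reset_firewall
    reset_routing
    reset_conntrack
}

reset_all
```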