Hi,
Let me explain my post a bit :D
On 2012-03-02 22:24, Usuário do Sistema wrote:
Hi,
iptables -t mangle -N MARKS
iptables -t mangle -A MARKS -j RETURN -m mark ! --mark 0/3
If we have a mark (either 1 or 2 or 3) then we should just RETURN
because we already set the mark...
iptables -t mangle -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
If the connection is already ESTABLISHED or it is RELATED to another connection then just mark it as 3.
iptables -t mangle -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2
Every 2nd connection should be marked as 2.
iptables -t mangle -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3
Every other connection is marked as 1.
Sorry, but I did understand the mark x/y as you wrote above. Why did
you use --set-mark 1 or --set-mark 2??
x is the mark, y is the mask...
0 -> not marked -> new or already established but not marked (see mark 3)
1 -> new connection that should go out on interface 1.
2 -> new connection that should go out on interface 2.
3 -> any other but marked so we do not check again. (ESTABLISHED, RELATED)
I think when it uses the mark x/y, y is a mask, but I don't know what
the match is?!?! If someone has a doc about that, please post it here.
man iptables (MARK target):
--set-mark value[/mask]
Zeroes out the bits given by mask and ORs value into the
packet mark. If mask is omitted, 0xFFFFFFFF is assumed.
I haven't done test yet with your suggested Swifty. I'll tell you when I do.
thanks
After reading my post I found out that my script can be fine tuned ... :D
In mangle/PREROUTING change these lines:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARKS
to this:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARK --set-mark 1/3 -m mark --mark 0/3 -i eth2
iptables -t mangle -A PREROUTING -j MARK --set-mark 2/3 -m mark --mark 0/3 -i eth0
iptables -t mangle -A PREROUTING -j MARKS
This modification ensures that any incoming connection (that either goes
to the firewall or gets FORWARDED) should take the same interface as it
came from.
Swifty
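As an added illustration (not code from this mail or from the netfilter project), here is a small Python model of the MARKS chain and of the value/mask arithmetic quoted from the man page, so the 1/3, 2/3 and 3/3 results can be checked without a firewall. The flows and the conntrack stand-in (a dict playing the role of CONNMARK --restore-mark / --save-mark) are constructed for the example.

```python
# Model of the MARKS chain: mark/mask semantics plus the rule order.
# The conntrack table is simulated; "preexisting" flows model connections
# that were already established before the rules were loaded.

MASK = 0x3  # the "/3" mask: only the two low bits hold the routing mark


def set_mark(mark: int, value: int, mask: int = MASK) -> int:
    """MARK --set-mark value/mask: zero the mask bits, then OR in value."""
    return (mark & ~mask) | (value & mask)


def mark_matches(mark: int, value: int, mask: int = MASK) -> bool:
    """-m mark --mark value/mask: compare only the bits selected by mask."""
    return (mark & mask) == (value & mask)


class MarksChain:
    def __init__(self, preexisting=()):
        self.nth = 0            # counter behind -m statistic --mode nth --every 2
        # flow -> saved connection mark; preexisting flows are known but unmarked
        self.connmark = {flow: 0 for flow in preexisting}

    def handle(self, flow: str) -> int:
        """Return the packet mark after one packet of `flow` passes MARKS."""
        mark = self.connmark.get(flow, 0)           # CONNMARK --restore-mark
        # rule 1: -j RETURN -m mark ! --mark 0/3  -> already marked, leave it
        if not mark_matches(mark, 0):
            return mark
        if flow in self.connmark:
            # rule 2: ESTABLISHED/RELATED but still unmarked -> 3/3
            mark = set_mark(mark, 3)
        else:
            # Only first packets of NEW flows get here, so the nth counter
            # effectively counts connections, not packets.
            self.nth += 1
            if self.nth % 2 == 0:
                mark = set_mark(mark, 1)            # rule 3: every 2nd -> 1/3
            else:
                mark = set_mark(mark, 2)            # rule 4: the rest -> 2/3
        self.connmark[flow] = mark                  # CONNMARK --save-mark
        return mark
```

Later packets of a flow hit the RETURN rule with the restored mark, so they never advance the nth counter; that is why the alternation stays per-connection rather than per-packet.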
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html