First thanks!
It helps to understand what was changed.
(notes in the email)
On 11/07/2013 10:59 PM, Humberto Jucá wrote:
ip route get 200
# This probe result in 10.1.1.1
# wait 1s and
ip route get 201
# This probe result in 10.1.2.1
# wait 1s and
ip route get 202
# This probe result 10.1.1.1
This is the part when I got confused while trying to understand the
"ipv4 route cache removed".
ip route show cache will show "blank".
but when I run ip route get 201 I see the result with "cache".
If you increase this value, all tests can result the same gateway in
gc_interval period.
Are you talking about "before" the cache removal or "after"?
Each learned path will be maintained by gc_timeout.
But this path will be*checked* only every gc_interval.
The result for 200 will be the same until gc_timeout.
This time expire after *300s of inactivity*.
ip route get 200
ip route get 200
ip route get 200
This probe will return the same path: only 10.1.1.1
Which is not happens after 3.6 kernel and the cache removal.
try a nice example:
$ watch -d --interval=0.1 ip route get 200
and see what I am talking about.
OK so the next scenario:
Client: 192.168.1.1/24
Lan Router: 192.168.1.254/24
Lan Router wan side:192.168.100.254/24
Wan Router 1:192.168.100.1/24
Wan Router 1-wanip: 3.3.3.3
Wan Router 1:192.168.100.2/24
Wan Router 1-wanip: 4.4.4.4
Simple HTTP\SMTP\SSH\TCP server: 6.6.6.6
Client -> SYN --> Lan ROUTER: --> *WAN-router1*(which does NAT) --> BIG
INTERNET --> TCP server
TCP server SYN-ACK --> BIG INTERNET -> *WAN-router1*(NAT) --> Lan ROUTER
--> Client
Client -> ACK --> Lan ROUTER: --> *WAN-router2*(which does NAT) --> BIG
INTERNET --> TCP server
OK so now stop and feel the TCP server FW:
"Hmm what is this strange packet?? I think it's an invalid packet and
the sentence for this one is *DROP*"
In the application level it will be almost the same:
"Hmm I do not recall any existing connection from this IP so
*DROP*\ignore that"
For a simple router that handles internet traffic simple LoadBalancer
router will not have any effect but in the case of TCP load balancing I
am almost certain that IPTABLES will need do a thing or two about that.
Am I right about the direction of how it goes?
Thank,
Eliezer
But, if you change gc_timeout to 1
echo 1 > /proc/sys/net/ipv4/route/gc_timeout
ip route get 200 # wait 1 or 2s
ip route get 200 # wait 1 or 2s
ip route get 200 # wait 1 or 2s
The result will be balanced - i consider this a aggressive load balance.
This is not so complicated in TCP (because the protocol is
connection-oriented), but is very much in UDP.
I refer to the persistence of connection, not the application. You
will certainly have problems with https and email sessions.
So, a larger value for gc_timeout will allow you a greater connection
persistence.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
