Change source or destination for packets arriving locally (for Direct Server Return)

Hello,

I'm trying to set up L3 load balancing (with direct server return), which requires me to send back or receive packets with a certain src/dst address, but for these packets the dst address is replaced on the load balancer, then routed, and they arrive on my Linux container.

I tried with mangle, filter, nat tables and ip route, tc etc. and it seems nothing works as expected.

I tried to match via ip rule tos 0xc (2 additional bits) but that never matches, and ip rule doesn't allow arbitrary values.
I tried to mark the packets in iptables mangle and apply the ip rule on the fwmark; that also never matches.
I tried to match the fwmark with tc and use the nat action; that also never matches (counters stay 0).
I tried to use PREROUTING with DNAT, but the packet is never there (packet to the local system).

The IP 10.253.1.18 is configured locally on eth0
The IP 10.253.253.163 is configured locally on eth0
The GW is 10.253.1.1
The IP 10.21.13.19 is in a completely different network segment

I'd like to do the following:

Incoming Packet: DSCP 0x3 Src: 10.21.13.19 Dst 10.253.1.18 SrcPort: 45240 DstPort: 53

Match this packet based on DSCP = 0x3

Rewrite this Packet before it hits anything to:

DSCP: 0x0 Src: 10.21.13.19 Dst: 10.253.253.163 SrcPort: 45240 DstPort: 53

Expected outcome:

The kernel sees this packet and establishes the connection; all return traffic packets should look like this:

DSCP: 0x0 Src: 10.253.253.163 Dst 10.21.13.19 SrcPort: 53 DstPort: 45240

I do not want NAT (e.g. connection tracking, and reversing of the DNAT) - best would be a single rule that does this. It looks like it can be done: https://www.slideshare.net/jschauma/l3dsr-overcoming-layer-2-limitations-of-direct-server-return-load-balancing

an illustration would be this: https://www.draw.io/?lightbox=1&highlight=0000ff&edit=_blank&layers=1&nav=1&title=Masq-Async-Routing.xml#R7Zxbc5s4FMc%2FjR%2BXQTcMj7m03Z3p7mQmndnmKSODbLPBiAElcfrpV4CwQSIJsYGQxp1pC0dCgH76Hx1d8AxdbLbfUpqs%2F%2BYBi2bQDrYzdDmD0LOJ%2FDc3PJUGAp3SsErDoDSBveE6%2FMWU0VbW%2BzBgWSOj4DwSYdI0%2BjyOmS8aNpqm%2FLGZbcmj5l0TumKG4dqnkWn9NwzEWlmBbe8T%2FmThaq1u7RKVsKD%2B3Srl97G63wyiZfGnTN7QqiyVP1vTgD%2FWTOjLDF2knIvyaLO9YFFetVW1ldd9fSZ199wpi0WXC7AC9UCje%2FXuWerP0Jm0AZdY0HYtgJAlC3YiWeL5IpVHq%2FwoyESZDwJoAddybWvHLxNPVVUKts1zr8UmkgYgD1OWhb%2Fooshgy%2FOEh7EogJHzGbmUFnoveFY2ivwCGoWrWB5HbJkX9cBSEUpWZ8oseCKtWUL9MF79yE8u%2F8DSsgyj6IJHPC0eBAWUuUs%2FzylSfsdqKY7vssVSppi1pyo0vyXb1kyqNr8xvmEifZJZVCqqWoJq%2BdjB5fljox2VtnWtCSFlo6rprnZF7%2FHJA0WwnaZr1D4LZLtWpzwVa77iMY2%2B7K3nsgUmeWoUxnc5nLztskChqVFj21D8rB3f5Fksos6uWBrKx2WpulBWYPr0s35Sy5%2Bf6hf8x4R4Uo4gxy9N%2B%2Bf9zguq4CVEGb9PffXWULkMmq5YVb2lKa%2BPFzGmLKIifGj6gWOYQENgBqQKwWa7yr2p5YeZzy1JQlZPpv5vwghott5B0tq5jRzXm7e1c%2BWJqpTKs8Gapr7TBYuupPhEyHNtLbgQfPOs6Cpl%2BpJG8Yw9KAjM3YaCADYVVGWpC4ig42F5IwhoL5qbWsrzAtpr5qaeNqiAkCkg%2FF4CQicBvU1A2Gl2QQCj0QSED4WVPYbCX7PMeuRpEUElt6XpE3HDTccHsW2GDjZoAddD6DAfxfN5ddc31eiBmM4PvpfzM8Pzjnry%2BSYp3N8tjYPbRNZXsmYpjTIroknZhj%2BJrIDuDU1VeS3xuNMDPUBGjyfsSUoKVIP4KQQU1cOcIorOg1q7qSHkeaNFFABNUENaTG557jgyahnYvp%2BMTiPbIwNz5LnjyWicAO8YGYFxNOSYGqqa8juIyOk%2FwEv8zyspUq08vCKpeQ9DJuC%2Bzo7FwVm%2BHpG%2FdkSzLNTYaDiWrs%2F81jnqhUswsV%2BqtFcbb61KSEvAW9k6t3F1h6t8%2Br4ebmvxtj6xXYpRXQVrSxNaQUbgrhdUKtgoqMC2e%2B1uJL3eSTIQENYqLM%2BZI%2Bp8AJLQI00AGB1GEtuvFNQfyWpdrU9NLpnTrslg7i3sj6BJos8IOt5hJPWCdlNUA5DsEF7WSMY8Zk2MmXwWYYIuzF%2FDaBe7xIE6a%2BkepYbdALexd%2BECOR9BxRhryPTZwq7s9ZVNo6Ae2XeY8z%2Bxf509ghoy51D2WkHIHY59hyWEV9g%2F56b7aBW73mDy7PXBpo6sc%2B%2BtO5CO7GVF06daNrXNo%2FMDV%2FfZN6WyxIMbVoe59DeGBr%2BBiyC6ssGBzcQoyBvORXQYNJ9IYgL7IYk9OBjJef8kj9jmNRGSeK4DONR16wXp%2FX%2BPJPufDPkdSLp9dcJ6QfZwJPufDPkdSKImAHCoJpE%2BrTVcP1k98onkS1Iydt4eqkk4nCYR7J3kcrmEz0xrOQuHfISIB8x70iQYUZPm1MblP2c%2FDJqT2TZ%2FzPRn93UcoqNE5p7FtpYE7ecbTecNpuZwYv8NhAct4Li
WbcEXvoDQvpSYLMojVpfest%2BqibLykmN8AIHM8cT1pNV1zDJRdyQy6GiqyzaZDKYuc2CwU5f25dBH19dIMF3cgOmNqS9zbPB2mDIDQcXfKX8u9k79HjH3LwxGE5vjgxPNPj%2F%2BG1Wb2NzWOu3I8pg51ze4S%2BI0mKC5ueluqL4Pm8O2QwU2t8wR3ycjCTyNJDZJDqcuc1ly2pHlOJ87Y23kjD2z%2FxpMXea4LUweMhpsTDmZloylD2G%2BKbSlF2vLy9KsyKunTVKffajNbaoNE2CqDbeg7WNrJTbHcX9dTdgf9hEJYq9R3wSZSmr7TqkXJZljtGmHDsdMXr4hdLCbSHab6Mdwbi%2BMtLr%2BMEdj8upzo9Sc2W7H%2FxihAzGHWdeq85E3o3EQyQqSh2LNitf071i5T2YiwHoJE5pzFsQzlbSbzT9SSvJ0%2F%2Fs55Qz9%2FjeK0Jf%2FAQ%3D%3D

It's just missing the DSCP part.

BR
Thomas Rosenstein
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
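The rewrite asked for above is a stateless header edit, not NAT: the matching packet's DSCP is cleared and its destination address replaced with the VIP, and nothing has to happen on the way back because the reply is simply sourced from the locally configured VIP. What such an edit has to touch is easy to get wrong, so here is a user-space model of it. This is an added example, not code from the original post or from the netfilter project; it uses the addresses, ports and DSCP value from the post, constructs its own sample packet (no capture), and the function names are this example's own. It shows the three things a NAT-less rewrite must do: match DSCP 3 (which is TOS byte 0x0c, since DSCP occupies the top 6 bits of the TOS byte and ECN the low 2), rewrite the TOS byte and destination address, and fix both the IPv4 header checksum and the TCP/UDP checksum (the L4 checksum covers the destination address through the pseudo-header). The checksums are patched incrementally per RFC 1624, so the L4 fix does not depend on seeing the whole payload.

```python
"""
Stateless L3DSR-style rewrite model (added example, not from the post or netfilter).
Match DSCP 3 -> clear DSCP, set dst to the VIP, fix IPv4 and L4 checksums. No state.
"""
import struct
from ipaddress import IPv4Address

VIP = "10.253.253.163"      # addresses, ports and DSCP taken from the post
RIP = "10.253.1.18"
CLIENT = "10.21.13.19"
L3DSR_DSCP = 0x3            # TOS byte 0x0c on the wire


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum, folded to 16 bits."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(w for (w,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def checksum_update(old: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m'), words of m replaced by m'."""
    acc = ((~old) & 0xFFFF) \
        + ones_complement_sum(bytes(b ^ 0xFF for b in old_bytes)) \
        + ones_complement_sum(new_bytes)
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload: bytes, dscp=0, ident=0x1234) -> bytes:
    """Constructed sample packet (not a capture): IPv4 + UDP, DF set, checksums valid."""
    udp_len = 8 + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + udp_len, ident,
                               0x4000, 64, 17, 0,
                               IPv4Address(src).packed, IPv4Address(dst).packed))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    udp = bytearray(struct.pack("!HHHH", sport, dport, udp_len, 0)) + payload
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, udp_len)
    udp[6:8] = struct.pack("!H", checksum(bytes(pseudo + udp)) or 0xFFFF)  # UDP: 0 means "none"
    return bytes(ip + udp)


def l3dsr_rewrite(pkt: bytes, match_dscp: int = L3DSR_DSCP, vip: str = VIP) -> bytes:
    """Return pkt rewritten as the post describes, or unchanged if its DSCP does not match."""
    ihl = (pkt[0] & 0x0F) * 4
    tos = pkt[1]
    if tos >> 2 != match_dscp:
        return pkt                                  # not an L3DSR packet: untouched
    proto = pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ip = bytearray(pkt[:ihl])
    l4 = bytearray(pkt[ihl:total_len])
    old_daddr, new_daddr = bytes(ip[16:20]), IPv4Address(vip).packed
    new_tos = tos & 0x03                            # DSCP -> 0, ECN bits kept
    # The IPv4 header checksum covers the (ver/ihl, tos) word and the destination address.
    old_hc = struct.unpack("!H", ip[10:12])[0]
    ip[10:12] = struct.pack("!H", checksum_update(
        old_hc, bytes([pkt[0], tos]) + old_daddr, bytes([pkt[0], new_tos]) + new_daddr))
    ip[1] = new_tos
    ip[16:20] = new_daddr
    # TCP (6) / UDP (17) checksums cover the destination address via the pseudo-header.
    # Only the first fragment carries the L4 header, so check the fragment offset.
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if frag_off == 0 and proto in (6, 17):
        off = 16 if proto == 6 else 6
        old_l4 = struct.unpack("!H", l4[off:off + 2])[0]
        if not (proto == 17 and old_l4 == 0):       # UDP with no checksum: nothing to fix
            new_l4 = checksum_update(old_l4, old_daddr, new_daddr)
            if proto == 17 and new_l4 == 0:
                new_l4 = 0xFFFF                     # UDP sends a computed 0 as 0xFFFF
            l4[off:off + 2] = struct.pack("!H", new_l4)
    return bytes(ip + l4)


def checksums_valid(pkt: bytes) -> bool:
    """True if the IPv4 header checksum and, for TCP/UDP, the L4 checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if checksum(pkt[:ihl]) != 0:
        return False
    proto, l4 = pkt[9], pkt[ihl:total_len]
    if proto not in (6, 17) or (proto == 17 and l4[6:8] == b"\x00\x00"):
        return True
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(l4))
    return checksum(pseudo + l4) == 0


if __name__ == "__main__":
    incoming = build_ipv4_udp(CLIENT, RIP, 45240, 53, b"dns?", dscp=L3DSR_DSCP)
    print("in :", incoming.hex())
    print("out:", l3dsr_rewrite(incoming).hex())
```

Two checks follow from the model. First, the rewritten packet must be byte-identical to one built directly for the VIP with DSCP 0, which is exactly what the real server's stack should see and what tcpdump on eth0 should show after the rule fires. Second, any in-kernel rule that performs this rewrite has to adjust the L4 checksum as well as the IP header checksum; if only the latter is fixed, the local stack silently drops the packet and the rule's counters still increment, so a counter that moves is not on its own proof that the rewrite is correct.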