RE: Load balancing using connmark
|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
On closer look, I am wrong about shorewall. It seems to be a different approach to load balancing. They connmark the incoming packets from WAN, rather than outgoing packets. I think it should work well, but I wonder why this approach is not popular. There must be some drawback to it. I can’t think of one,though.
Francis Brosnan Blazquez wrote:
> I've been implementing a load balancing solution using CONNMARK, based
> on solution described by Luciano Ruete at . Gracias por el post y por
> apuntar en la dirección correcta Luciano!
> Once implemented, I've found that due to some reason packets aren't
> properly marked (or improperly remarked) and sent out using the wrong
> iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
This is wrong. POSTROUTING is exactly what is is _POST_ routing. By the
time you do your marks and stuff the kernel has _already_ assigned a
packet to an interface, and you can not alter this anymore.
> After a bit of testing with the second solution, it seems to behave
> better, doing all marking job at the PREROUTING and OUTPUT.
This is flawed too. OUTPUT suffers from the very same problem as
POSTROUTING - by the time the packets hit the NF stack the process has
already bound itself to an interface, which you can not change anymore.
Disagree with Peter. The marking in postrouting table is CONNMARK. This is for marking the connection, which has already had a route decided for it, so that all packets of the connection passes through this interface. This marking is done for packets with NEW state, see the check for mark==0 in the prev. line. The restore mark in PREROUTING will restore the connmark and route the subsequent packets.
This approach will work, but you need some sort of stateful-ness in netfilter.
The second point in Brosnan Blazquez’s mail about shorewall: They seem to be doing Policy Routing, not real load balancing.
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc