Re: fail in the connmark load-balancing
Hi,

Let me explain my post a bit :D

On 2012-03-02 22:24, Usuário do Sistema wrote:
> Hi,
>
>> iptables -t mangle -N MARKS
>> iptables -t mangle -A MARKS -j RETURN -m mark ! --mark 0/3

If we have a mark (either 1 or 2 or 3) then we should just RETURN because we already set the mark...

>> iptables -t mangle -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED

If the connection is already ESTABLISHED or it is RELATED to another connection then just mark it as 3.

>> iptables -t mangle -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2

Every 2nd connection should be marked as 2.

>> iptables -t mangle -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3

Every other connection is marked as 1.
> Sorry, but I did understand the mark x/y as you wrote above. Why did you use --set-mark 1 or --set-mark 2??
x is the mark, y is the mask...

0 -> not marked -> new, or already established but not marked (see mark 3)
1 -> new connection that should go out on interface 1.
2 -> new connection that should go out on interface 2.
3 -> any other, but marked so we do not check again (ESTABLISHED, RELATED).
> I think when it uses the mark x/y, y is a mask, but I don't know what the match is?!?! If someone has a doc about that, please post here.
man iptables (MARK target):

    --set-mark value[/mask]
        Zeroes out the bits given by mask and ORs value into the packet mark.
        If mask is omitted, 0xFFFFFFFF is assumed.
> I haven't done a test yet with your suggestion, Swifty. I'll tell you when I do. Thanks.
After reading my post I found out that my script can be fine tuned ... :D

In mangle/PREROUTING change these lines:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARKS

to this:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARK --set-mark 1/3 -m mark --mark 0/3 -i eth2
iptables -t mangle -A PREROUTING -j MARK --set-mark 2/3 -m mark --mark 0/3 -i eth0
iptables -t mangle -A PREROUTING -j MARKS

This modification ensures that any incoming connection (that either goes to the firewall or gets FORWARDED) should take the same interface as it came from.
Swifty
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
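Since the open question in the thread is what the value/mask forms of MARK and `-m mark` actually do, here is an added example (not Swifty's script or anything from the list) that models the MARKS chain in plain shell with the man-page semantics, so the per-packet marks can be checked without a live firewall. It assumes the mark entering the chain is whatever CONNMARK --restore-mark loaded and keeps the nth counter of `-m statistic` in a shell variable.

```shell
#!/bin/sh
# Added example, not part of the thread: a userspace model of the MARKS chain
# above, using the semantics from man iptables:
#   MARK --set-mark v/m  -> mark = (mark & ~m) | v
#   -m mark --mark v/m   -> matches when (mark & m) == v  ("!" negates)
#   -m statistic --mode nth --every 2 -> matches the 1st, 3rd, 5th... packet
#   that reaches the rule (--packet defaults to 0)
# Assumption: the mark entering the chain is what CONNMARK --restore-mark
# loaded, so a NEW connection arrives with its routing bits clear.

# set_mark MARK VALUE MASK -> prints the mark after MARK --set-mark VALUE/MASK
set_mark() { echo $(( ($1 & ~$3) | $2 )); }

# mark_matches MARK VALUE MASK -> true when -m mark --mark VALUE/MASK matches
mark_matches() { [ $(( $1 & $3 )) -eq "$2" ]; }

NTH=0  # per-rule packet counter kept by -m statistic --mode nth

# marks_chain MARK STATE -> sets RESULT to the mark after traversing MARKS.
# STATE is the conntrack state: NEW, ESTABLISHED or RELATED.
marks_chain() {
    mark=$1; state=$2
    # -A MARKS -j RETURN -m mark ! --mark 0/3
    if ! mark_matches "$mark" 0 3; then RESULT=$mark; return; fi
    # -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
    case $state in
        ESTABLISHED|RELATED) RESULT=$(set_mark "$mark" 3 3); return ;;
    esac
    # -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 \
    #     -m statistic --mode nth --every 2
    hit=$(( NTH % 2 )); NTH=$(( NTH + 1 ))
    if [ "$hit" -eq 0 ]; then RESULT=$(set_mark "$mark" 1 3); return; fi
    # -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3
    RESULT=$(set_mark "$mark" 2 3)
}

# simulate "MARK:STATE MARK:STATE ..." -> prints the resulting marks, e.g.
# simulate "0:NEW 0:NEW 0:NEW 1:ESTABLISHED 0:RELATED" prints "1 2 1 1 3"
simulate() {
    NTH=0; out=""
    for pkt in $1; do
        marks_chain "${pkt%%:*}" "${pkt#*:}"
        out="$out${out:+ }$RESULT"
    done
    echo "$out"
}

simulate "0:NEW 0:NEW 0:NEW 1:ESTABLISHED 0:RELATED"
# Bits outside the 0/3 mask (e.g. 4) survive: 4:NEW -> 5, 4:ESTABLISHED -> 7
simulate "4:NEW 4:ESTABLISHED 2:NEW"
```

The second run also shows that a packet arriving already marked (2:NEW) is returned untouched and does not advance the nth counter, which is why the RETURN rule has to come first.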