From: "Luciano Ruete" <luciano@lugmen.org.ar>
>
> The solution is to use CONNTRACK from iptables, full example described in
> this[1] e-mail from the archive. No patches needed.
>
> [1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>
I think you mean CONNMARK (not CONNTRACK) from iptables?
The ever-popular routing command :-
>
> #route commands
> ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via y.y.y.y
> dev eth2
>
My personal view is that you should ***NEVER*** use such a routing statement, or never let
the system have a chance to use such a routing statement, especially when you
are doing NAT. The email example above included this routing statement but it is
not used because the 'ip rule' takes precedence. The multipath weighted cache-based
routing is problematic.
I would say it would be better to re-order the iptables commands :-
#restore mark before ROUTING decision
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
#by-pass the rules below if the packet is already MARKed
iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
#1st packets (of a connection) will arrive here
iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
i.e. restore-mark is moved to the top.
I strongly recommend that the LARTC documentation be updated, especially as it
encourages people to use multipath weighted routing instead of an iptables-based
solution.
Cheers.
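A complete two-uplink setup built around the ordering argued for above, added here as an illustration and not taken from the mail or the LARTC archive. Interface names, gateways and table ids are placeholders, the fwmark-based 'ip rule' / 'ip route' lines are the standard policy-routing counterpart the mail refers to, and spreading the first packet of each connection with the iptables statistic match (rather than a multipath route) is my assumption, since the mail does not say how first packets should be balanced.

```shell
#!/bin/sh
# Two-uplink NAT router using CONNMARK instead of a weighted multipath
# default route: restore the mark in PREROUTING (before the routing
# decision) and let 'ip rule' pick the uplink table by fwmark.
# Interface names, gateways and table ids are placeholders (assumed).
LAN_IF=eth0
WAN1_IF=eth1; WAN1_GW=192.0.2.1
WAN2_IF=eth2; WAN2_GW=198.51.100.1

# With DRY_RUN=1 commands are printed, not executed, so the rule order
# can be inspected without touching the running system.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_routes() {
    # One routing table per uplink, selected by the connection mark.
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table 1
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table 2
    run ip rule add fwmark 0x1 table 1
    run ip rule add fwmark 0x2 table 2
}

setup_marks() {
    # 1. Restore the connection mark first, before any routing decision.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Already-marked connections skip the rest of the chain.
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 3. First packet of a new LAN connection: alternate uplinks with the
    #    statistic match (this balancing method is an assumption of mine).
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 0x1
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark --mark 0 \
        -j MARK --set-mark 0x2
    # 4. Persist the packet mark on the connection for all later packets.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # SNAT per uplink so replies return on the interface that was chosen.
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j MASQUERADE
}

# 1-based position of --restore-mark in a dry-run listing of setup_marks;
# 1 means it sits at the top, as the mail recommends.
restore_mark_position() {
    ( DRY_RUN=1; setup_marks ) | grep -n -- '--restore-mark' | cut -d: -f1
}
case "${1:-}" in
    apply)   setup_routes; setup_marks ;;
    dry-run) DRY_RUN=1; setup_routes; setup_marks ;;
esac
```

Run with `dry-run` to review the emitted rule order, and with `apply` (as root) to install it.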
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc