Francis Brosnan Blazquez wrote:
> Hi,
> 
> I've been implementing a load balancing solution using CONNMARK, based
> on solution described by Luciano Ruete at [1]. Thanks for the post and for
> pointing in the right direction, Luciano!
> 
> Once implemented, I've found that for some reason packets aren't
> properly marked (or are improperly remarked) and sent out using the wrong
> interface.
> 
> <snip>
> 
> iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT 
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

This is wrong. POSTROUTING is exactly what it is: _POST_ routing. By the
time you do your marks and stuff the kernel has _already_ assigned the
packet to an interface, and you cannot alter this anymore.

> After a bit of testing with the second solution, it seems to behave
> better, doing all marking job at the PREROUTING and OUTPUT.

This is flawed too. OUTPUT suffers from the very same problem as
POSTROUTING: by the time the packets hit the NF stack the process has
already bound itself to an interface, which you cannot change anymore.

Peter




_______________________________________________
LARTC mailing list
[email protected]
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
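Added example, not part of the thread above or of Luciano's post: a rule set that does the CONNMARK/MARK work in the mangle PREROUTING chain for traffic forwarded from the LAN, so the mark is already on the packet when the routing decision is made and an ip rule fwmark lookup can steer the whole connection, plus a small check that refuses to apply a rule set which sets marks in POSTROUTING. Interface names (eth0 as LAN, eth1/eth2 as uplinks), gateway addresses, the 0x1/0x2 marks, the routing table numbers and the round-robin split via the statistic match are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): CONNMARK load balancing with the
# marks set BEFORE routing (mangle PREROUTING), not after it (POSTROUTING).
# All interface names, addresses, marks and table numbers below are assumed.
set -eu

LAN=eth0
WAN1=eth1; WAN1_GW=192.0.2.1;     TABLE1=1
WAN2=eth2; WAN2_GW=198.51.100.1;  TABLE2=2

# Print the rules instead of running them, so they can be reviewed first.
gen_rules() {
    cat <<EOF
# 1. Bring a connection's saved mark back onto every packet of it.
iptables -t mangle -A PREROUTING -i $LAN -j CONNMARK --restore-mark
# 2. Already-marked connections are done; they keep their uplink.
iptables -t mangle -A PREROUTING -i $LAN -m mark ! --mark 0 -j ACCEPT
# 3. New connections: alternate between the two uplinks (assumed policy).
iptables -t mangle -A PREROUTING -i $LAN -m conntrack --ctstate NEW -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i $LAN -m conntrack --ctstate NEW -m mark --mark 0 -j MARK --set-mark 0x2
# 4. Persist the packet mark on the conntrack entry for the rest of the flow.
iptables -t mangle -A PREROUTING -i $LAN -m conntrack --ctstate NEW -j CONNMARK --save-mark
# 5. NAT belongs after routing, because only then is the output interface known.
iptables -t nat -A POSTROUTING -o $WAN1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN2 -j MASQUERADE
# 6. Policy routing consumes the mark set in PREROUTING.
ip route add default via $WAN1_GW dev $WAN1 table $TABLE1
ip route add default via $WAN2_GW dev $WAN2 table $TABLE2
ip rule add fwmark 0x1 table $TABLE1
ip rule add fwmark 0x2 table $TABLE2
EOF
}

# Reads a rule set on stdin; fails if any MARK or CONNMARK --save-mark target
# sits in POSTROUTING, where the routing decision has already been made.
check_mark_placement() {
    ! grep -E -e '-A POSTROUTING .*-j (MARK|CONNMARK --save-mark)( |$)' >/dev/null
}

case "${1:-show}" in
    show)
        gen_rules ;;
    apply)
        gen_rules | check_mark_placement || {
            echo "refusing to apply: MARK target in POSTROUTING" >&2; exit 1; }
        gen_rules | sh -e ;;
esac
```

Run it without arguments to print the rule set; "apply" runs the rules only after the placement check passes. The check deliberately covers only POSTROUTING, which is the chain both the original rule set and the reply agree runs after the routing decision.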
