[LARTC] How to balance OUTBOUND traffic by packet if..

Andy Furniss andy.furniss at dsl.pipex.com
Fri Jan 14 16:10:02 CET 2005


Patrick McHardy wrote:
> Andy Furniss wrote:
> 
>> Seems still broken.
>>
>> I built vanilla(apart from nth) 2.6.10, new iptables 1.2.11 + 
>> pom-200400621 with runme extra only said y to nth.
>>
>> I see -
>>
>> Chain OUTPUT (policy ACCEPT 817 packets, 103K bytes)
>>  pkts bytes target     prot opt in     out     source destination
>>    15  1260 MARK       all  --  *      eth0    0.0.0.0/0 0.0.0.0/0           every 2th packet #0 MARK set 0x1
>>    15  1260 MARK       all  --  *      eth0    0.0.0.0/0 0.0.0.0/0           every 2th packet #1 MARK set 0x2
>>
>> Chain POSTROUTING (policy ACCEPT 817 packets, 103K bytes)
>>  pkts bytes target     prot opt in     out     source destination
>>     0     0            all  --  *      eth0    0.0.0.0/0 0.0.0.0/0           MARK match 0x1
>>    15  1260            all  --  *      eth0    0.0.0.0/0 0.0.0.0/0           MARK match 0x2
>> [root at amd /home/andy]# cat ./nth-test
>> iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2 --packet 0 -j MARK --set-mark 1
>> iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2 --packet 1 -j MARK --set-mark 2
>> iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1
>> iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 2
>>
>> Any ideas, anyone?
> 
> Try adding "-m mark --mark X -j RETURN" rules after the MARK rules. The MARK
> target is non-terminal, so you are overwriting the mark in the second rule.
> Alternatively you can use "--start 1" in one of the nth matches.

Thanks Patrick - I assumed that with the same counter and packet 0/1 
nth would only actually match alternate packets (start didn't work).

So this works -

iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2 --packet 0 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o eth0 -m mark --mark 1 -j RETURN
iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2 --packet 1 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -o eth0 -m mark --mark 2 -j RETURN

but it is over-complicated really - why I didn't do it like below in the 
first place I don't know <slaps self>

iptables -t mangle -A OUTPUT -o eth0 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o eth0 -m nth --every 2 -j MARK --set-mark 2

Andy.

PS: had to remove junk at maild.mine.nu from CC as my ISP server threw a 
domain not found - can someone else CC him please?
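A small simulation of the chain traversal discussed in this thread, added here as an illustration and not code from the thread or from netfilter. It models MARK as non-terminal and RETURN as terminal, and uses a simplified model of the documented -m nth behaviour (an assumption: with --packet P the shared counter advances only on a match and wraps at --every N; with --every N alone the rule matches every Nth packet) to reproduce why the first rule set marked every packet 2 while both later rule sets alternate 1, 2, 1, 2.

```python
# Added example, not code from the thread: a toy model of how iptables walks
# the mangle OUTPUT chain. The -m nth semantics below are a simplified model
# of its documented behaviour (assumption): with --packet P the shared counter
# advances only on a match and wraps at --every N; with --every N alone the
# rule matches every Nth packet.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    every: Optional[int] = None     # -m nth --every N (None: no nth match)
    packet: Optional[int] = None    # -m nth --packet P (shared-counter mode)
    mark_eq: Optional[int] = None   # -m mark --mark X
    set_mark: Optional[int] = None  # -j MARK --set-mark X: NON-terminal
    ret: bool = False               # -j RETURN: terminal

def nth_matches(r, state):
    c = state["counter"]              # the one shared counter (--counter 1)
    if r.packet is not None:          # --every N --packet P
        if c != r.packet:
            return False
        state["counter"] = (c + 1) % r.every
        return True
    state["counter"] = (c + 1) % r.every   # plain --every N
    return c == r.every - 1

def run_chain(rules, npackets):
    """Return the final mark each of npackets carries after the chain."""
    state = {"counter": 0}
    marks = []
    for _ in range(npackets):
        mark = 0
        for r in rules:
            if r.every is not None and not nth_matches(r, state):
                continue
            if r.mark_eq is not None and mark != r.mark_eq:
                continue
            if r.set_mark is not None:
                mark = r.set_mark   # MARK sets the mark and keeps traversing
            if r.ret:
                break               # RETURN ends traversal of this chain
        marks.append(mark)
    return marks

# First attempt: both nth rules fire on the same packet, so mark 2 always wins.
BROKEN = [Rule(every=2, packet=0, set_mark=1), Rule(every=2, packet=1, set_mark=2)]
# Patrick's fix: RETURN right after each MARK so the second nth rule is skipped.
WITH_RETURN = [Rule(every=2, packet=0, set_mark=1), Rule(mark_eq=1, ret=True),
               Rule(every=2, packet=1, set_mark=2), Rule(mark_eq=2, ret=True)]
# Andy's simpler version: mark everything 1, then re-mark every 2nd packet 2.
SIMPLE = [Rule(set_mark=1), Rule(every=2, set_mark=2)]
```

Running `run_chain(BROKEN, 4)` gives `[2, 2, 2, 2]`, matching the 0/15 split seen in the POSTROUTING counters above, while both `WITH_RETURN` and `SIMPLE` give `[1, 2, 1, 2]`.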