pascal.mail at plouf.fr.eu.org
Mon Oct 2 15:14:41 CEST 2006
Stefan Friedel wrote:
>>OK, SNAT and DNAT do not support multiple --to any more in kernels above
>>2.6.10. But it is unclear to me whether they still support one IP
>>address *range* (with round robin) or only one single IP address.
> The range is still accepted as option for iptables 1.3.6, but it has no effect
> with 126.96.36.199 (so I assume that it is indeed the "NAT+round robin" capability
> which has gone in Kernels > 2.6.10/11). It doesn't matter if I use the SAME or
> the DNAT target in PREROUTING -
One question: did you test this from only one single source IP address
or from several source IP addresses? SAME is designed to always give
the same mapping to a given source address, and it seems that DNAT/SNAT
do the same in kernels >= 2.6.11.
I remember reading something about this in the kernel 2.6.11 changelog:
[PATCH] Remove Randomness in Selecting NAT IP Address
We currently choose a "random" IP address to NAT to, where we have a
range. Martin Josefsson pointed out that he uses the SAME target in
iptables because changing IP addresses breaks Internet banking sites
(among others) which assume the customer will be coming from a
consistent IP address.
In fact, we spend a fair bit of effort trying to balance the number of
connections we NAT to each IP address. We can come pretty damn close
just hashing the source and destination IP addresses, and it has the
consistency property which is so desirable, as well as being faster.
I believe that with this patch the SNAT and DNAT targets behave in a way
like the SAME target and always use the same mapping in the --to range
for a given source IP address. However, when a range is specified,
different sources may use different mappings. But it won't be a dynamic
round robin, just a static hash. However I believe that when there are
many different source addresses it can achieve some kind of load balancing.
>>What about the BALANCE target ? It's in the man page, but I had never
>>heard of it.
> In iptables 1.3.6 BALANCE is not available (nor is it available in the 188.8.131.52
> source). Obsolete? And I fear that it would not help, because the problem is
> the missing round robin/load balancing in the Kernel.
I don't think so. Each target has its own code.
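The two behaviours discussed in this thread (the old per-connection round robin over a --to range versus a static hash of source and destination that always yields the same mapping for a given pair) can be simulated to see the difference. The following is an added example written for this page; it is not code from the thread, from iptables or from the kernel. The addresses are constructed from the RFC 5737 documentation blocks, and the hash used is FNV-1a as a stand-in, which is an assumption: the kernel's actual hash function is not stated in the changelog quoted above.

```python
"""Added example: simulate two ways of choosing an address out of a NAT --to range.

Constructed addresses from the RFC 5737 documentation blocks; the hash is a
stand-in (FNV-1a) for whatever the kernel really uses, which is an assumption.
"""
import ipaddress
import itertools
from collections import Counter


def ip_range(first: str, last: str) -> list[str]:
    """Expand the two ends of a --to range into its list of addresses."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a over the key bytes (assumed hash, not the kernel's own)."""
    h = 0x811C9DC5
    for b in data:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def hash_policy(nat_range: list[str]):
    """Post-2.6.11 style: a static hash of (source, destination) picks the slot.

    The same pair always lands on the same address and no state is kept.
    """
    def pick(src: str, dst: str) -> str:
        key = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
        return nat_range[fnv1a32(key) % len(nat_range)]
    return pick


def round_robin_policy(nat_range: list[str]):
    """Pre-2.6.11 style the poster misses: every new connection takes the
    next slot in the range, regardless of who the source is."""
    cycle = itertools.cycle(nat_range)

    def pick(src: str, dst: str) -> str:
        return next(cycle)
    return pick


def distinct_mappings(pick, src: str, dst: str, connections: int) -> set[str]:
    """Addresses handed to `connections` successive connections from one source."""
    return {pick(src, dst) for _ in range(connections)}


def spread(pick, sources: list[str], dst: str) -> Counter:
    """How many of `sources` land on each address of the range."""
    return Counter(pick(s, dst) for s in sources)


if __name__ == "__main__":
    nat_range = ip_range("192.0.2.10", "192.0.2.13")      # constructed 4-address range
    bank = "203.0.113.1"                                  # constructed destination
    one_client = "198.51.100.7"                           # constructed single source
    many_clients = [str(ipaddress.IPv4Address("198.51.100.0") + i) for i in range(256)]

    # One client stays on one address under the hash, but wanders under round robin.
    print("hash policy, one client, 5 connections:",
          distinct_mappings(hash_policy(nat_range), one_client, bank, 5))
    print("round robin, one client, 5 connections:",
          distinct_mappings(round_robin_policy(nat_range), one_client, bank, 5))
    # Many clients still end up spread over the whole range under the hash.
    print("hash policy, 256 clients:", spread(hash_policy(nat_range), many_clients, bank))
```

With a single client, the hash policy returns a set of one address for five connections while the round robin policy returns all four, which is the consistency property the changelog describes. With 256 different clients the hash policy still uses every address of the range, which is the static, per-source form of load balancing the reply above expects.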