Re: IPR2 + Netfilter: stateful _routing_ on inbound DNAT, in dual-homed setup?

From: Patrick McHardy
Date: Fri Jul 20 2007 - 13:52:45 EST


Frantisek Rysanek wrote:
> I know that Netfilter can do seamless stateful filtering of traffic
> returning back through NAT. If I set up two uplinks with a NAT
> "horizon split" on each of them, it shouldn't be a problem to route
> traffic to either interface by merely modifying the default route
> (for manual fail-over), or even by using multiple default routes with
> IPR2 per-flow balancing mechanisms - and I won't create a routing
> loop, as my public outbound source address will always belong to the
> respective ISP, courtesy of the twin NAT outsides.
>
> Now what about *inbound* traffic? Suppose I've got a web server in
> the DMZ. I'm wondering about possible fail-over setups with the two
> ISP uplinks. I could set up two SNAT rules in the Netfilter's
> PREROUTING table, one rule for each outside interface, both of them
> pointing to the internal IP address of my web server. This would work
> for the inbound packets, but how would the FW box deal with the
> returning outbound traffic? I know that the Netfilter NAT can observe
> the stateful information for filtering, but will IPR2 be able to
> observe that information for *routing*? Not likely, I'd say. Never
> heard of stateful *routing*. The necessary kernel guts could actually
> be quite similar to the existing IPR2 per-flow balancing stuff, but I
> doubt that this (dual-path stateful routing on NAT return traffic)
> would work somehow seamlessly, out of the box, in the current
> incarnation of IPR2+Netfilter... Obviously I can do without it, but
> it would be a nice final touch :-)
>
> Any ideas are welcome :-)


You probably want CONNMARK combined with routing by fwmark.
That allows you to deal with NAT properly.

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
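The CONNMARK-plus-fwmark approach from the reply, worked through as an added example (this is not code from the thread or from the netfilter project). Each new inbound connection is marked by the uplink it arrived on, the mark is saved into the conntrack entry alongside the DNAT, and reply packets from the DMZ get that mark restored so a per-fwmark routing table sends them back out the same ISP. Interface names, the documentation-range addresses, the mark values and table numbers are all assumptions chosen for illustration; the script only prints the commands unless run as `./script apply` on a router.

```shell
#!/bin/sh
# Added example (not from the original thread): route replies to DNATed inbound
# connections out the uplink they arrived on, using CONNMARK + fwmark routing.
# All interface names, addresses, marks and table numbers are assumptions.
set -e

# Assumed topology (constructed for the example; RFC 5737 documentation addresses).
WAN1_IF=eth0; WAN1_IP=198.51.100.10; WAN1_GW=198.51.100.1   # ISP 1 uplink
WAN2_IF=eth1; WAN2_IP=203.0.113.10;  WAN2_GW=203.0.113.1    # ISP 2 uplink
DMZ_IF=eth2;  WEB_SRV=192.168.10.80                         # DMZ web server
MARK1=1;   MARK2=2                                          # fwmark per uplink
TABLE1=101; TABLE2=102                                      # routing table per uplink

# run: execute a command, or print it when DRY_RUN=1 so the rule set can be
# reviewed before it touches a live firewall.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: one routing table per uplink, selected by the packet's fwmark.
setup_routing() {
  run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table "$TABLE1"
  run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE2"
  run ip rule add fwmark "$MARK1" table "$TABLE1"
  run ip rule add fwmark "$MARK2" table "$TABLE2"
}

# Step 2: tag NEW connections with the ingress uplink and store the tag in the
# conntrack entry (CONNMARK --set-mark), then DNAT port 80 to the DMZ server.
setup_inbound() {
  run iptables -t mangle -A PREROUTING -i "$WAN1_IF" -m conntrack --ctstate NEW \
      -j CONNMARK --set-mark "$MARK1"
  run iptables -t mangle -A PREROUTING -i "$WAN2_IF" -m conntrack --ctstate NEW \
      -j CONNMARK --set-mark "$MARK2"
  run iptables -t nat -A PREROUTING -i "$WAN1_IF" -d "$WAN1_IP" -p tcp --dport 80 \
      -j DNAT --to-destination "$WEB_SRV"
  run iptables -t nat -A PREROUTING -i "$WAN2_IF" -d "$WAN2_IP" -p tcp --dport 80 \
      -j DNAT --to-destination "$WEB_SRV"
}

# Step 3: copy the saved connection mark back onto reply packets arriving from
# the DMZ (mangle PREROUTING runs before the routing decision), so the ip rules
# from step 1 pick the table of the uplink the connection came in on. The
# FORWARD rules admit only the DNATed service and its established replies.
setup_replies() {
  run iptables -t mangle -A PREROUTING -i "$DMZ_IF" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
  run iptables -A FORWARD -d "$WEB_SRV" -p tcp --dport 80 \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -s "$WEB_SRV" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# render_all: print the complete rule set without applying it (review aid).
render_all() {
  ( DRY_RUN=1; setup_routing; setup_inbound; setup_replies )
}

case "${1:-}" in
  apply) setup_routing; setup_inbound; setup_replies ;;
  *)     render_all ;;
esac
```

Because the mark is set only on NEW connections and restored only on ESTABLISHED/RELATED packets from the DMZ side, a reply can never be steered by a stale or attacker-chosen mark: the kernel's conntrack entry, not the packet, carries the uplink choice. The same pattern extends to outbound SNAT fail-over by marking NEW connections in the OUTPUT or FORWARD path before the routing decision.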