LARTC - May 2007 - Load balancing using connmark

Hi,

I''ve been implementing a load balancing solution using CONNMARK, based
on solution described by Luciano Ruete at [1]. Gracias por el post y por
apuntar en la dirección correcta Luciano!

Once implemented, I''ve found that due to some reason packets
aren''t
properly marked (or improperly remarked) and sent out using the wrong
interface. 

My topo setup is:

[82.123.136.74]: eth1 : mark:0x1 --\
                                    +--[FW BOX] -- eth0: 192.168.0.53
[217.146.74.82]: eth2 : mark:0x2 --/

Using conntrack tool, shows that after a while, it starts to appear
packets marked with 0x2 or 0x1 not comming from the proper source IP.
>> conntrack -L | grep mark=2 | grep ''82.123.136.74'';
conntrack -L |
grep mark=1 | grep ''217.146.74.82''

tcp      6 425543 ESTABLISHED src=192.168.0.178 dst=82.216.53.249
sport=1552 dport=443 packets=818 bytes=93471 src=82.216.53.249
dst=82.123.136.74 sport=443 dport=1552 packets=875 bytes=83909 [ASSURED]
mark=2 use=1
tcp      6 428681 ESTABLISHED src=192.168.0.177 dst=89.139.122.12
sport=2361 dport=443 packets=122 bytes=29381 src=89.139.122.12
dst=82.123.136.74 sport=443 dport=2361 packets=139 bytes=14120 [ASSURED]
mark=2 use=1

This is quite odd since solution proposed at [1] looks good. I''ll cite
it here for clarity (suppose I already have all ip rule stuff
installed):

iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT 
iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

After giving a try during several days, I''ve found that another
firewall
solution, shorewall [2], implements built-in load balacing for free by
using the following set of instructions:

iptables -t mangle -A PREROUTING -m connmark ! --mark 0/0xFF -j CONNMARK
--restore-mark --mask 0xFF

iptables -t mangle -A OUTPUT -m connmark ! --mark 0/0xFF -j CONNMARK
--restore-mark --mask 0xFF

iptables -t mangle -N routemark
iptables -t mangle -A PREROUTING -i eth1 -m mark --mark 0/0xFF -j
routemark

iptables -t mangle -A routemark -i eth1 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth2 -m mark --mark 0/0xFF -j
routemark

iptables -t mangle -A routemark -i eth2 -j MARK --set-mark 2
iptables -t mangle -A routemark -m mark ! --mark 0/0xFF -j CONNMARK
--save-mark --mask 0xFF

After a bit of testing with the second solution, it seems to behave
better, doing all marking job at the PREROUTING and OUTPUT.

Did anybody find that some packages doesn''t get properly routed
according to the mark with the first solution? What you do think about
the second solution?

Cheers!

[1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
[2] http://www.shorewall.net


-- 
Francis Brosnan Blazquez <francis@aspl.es>
Advanced Software Production Line, S.L.

Francis Brosnan Blazquez wrote:
> Hi,
> 
> I''ve been implementing a load balancing solution using CONNMARK,
based
> on solution described by Luciano Ruete at [1]. Gracias por el post y por
> apuntar en la dirección correcta Luciano!
> 
> Once implemented, I''ve found that due to some reason packets
aren''t
> properly marked (or improperly remarked) and sent out using the wrong
> interface. 
> 
> <snip>
> 
> iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT 
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
This is wrong. POSTROUTING is exactly what is is _POST_ routing. By the
time you do your marks and stuff the kernel has _already_ assigned a
packet to an interface, and you can not alter this anymore.
> After a bit of testing with the second solution, it seems to behave
> better, doing all marking job at the PREROUTING and OUTPUT.
This is flawed too. OUTPUT suffers from the very same problem as
POSTROUTING - by the time the packets hit the NF stack the process has
already bound itself to an interface, which you can not change anymore.

Peter

Francis Brosnan Blazquez wrote:
> Hi,
> 
> I''ve been implementing a load balancing solution using CONNMARK,
based
> on solution described by Luciano Ruete at [1]. Gracias por el post y
por
> apuntar en la dirección correcta Luciano!
> 
> Once implemented, I''ve found that due to some reason packets
aren''t
> properly marked (or improperly remarked) and sent out using the wrong
> interface. 
> 
> <snip>
> 
> iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT 
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
 
This is wrong. POSTROUTING is exactly what is is _POST_ routing. By the
time you do your marks and stuff the kernel has _already_ assigned a
packet to an interface, and you can not alter this anymore.
 
> After a bit of testing with the second solution, it seems to behave
> better, doing all marking job at the PREROUTING and OUTPUT.
 
This is flawed too. OUTPUT suffers from the very same problem as
POSTROUTING - by the time the packets hit the NF stack the process has
already bound itself to an interface, which you can not change anymore.
 
Peter
 
Disagree with Peter. The marking in postrouting table is CONNMARK. This
is for marking the connection, which has already had a route decided for
it, so that all packets of the connection passes through this interface.
This marking is done for packets with NEW state, see the check for
mark==0 in the prev. line. The restore mark in PREROUTING will restore
the connmark and route the subsequent packets.
This approach will work, but you need some sort of stateful-ness in
netfilter.
 
The second point in Brosnan Blazquez’s mail about shorewall: They seem
to be doing Policy Routing, not real load balancing.


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

On closer look, I am wrong about shorewall. It seems to be a different
approach to load balancing. They connmark the incoming packets from WAN,
rather than outgoing packets. I think it should work well, but I wonder
why this approach is not popular. There must be some drawback to it. I
can’t think of one,though.
 
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl
[mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Salim S I
Sent: Thursday, May 10, 2007 2:15 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Load balancing using connmark
 
Francis Brosnan Blazquez wrote:
> Hi,
> 
> I''ve been implementing a load balancing solution using CONNMARK,
based
> on solution described by Luciano Ruete at [1]. Gracias por el post y
por
> apuntar en la dirección correcta Luciano!
> 
> Once implemented, I''ve found that due to some reason packets
aren''t
> properly marked (or improperly remarked) and sent out using the wrong
> interface. 
> 
> <snip>
> 
> iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT 
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
 
This is wrong. POSTROUTING is exactly what is is _POST_ routing. By the
time you do your marks and stuff the kernel has _already_ assigned a
packet to an interface, and you can not alter this anymore.
 
> After a bit of testing with the second solution, it seems to behave
> better, doing all marking job at the PREROUTING and OUTPUT.
 
This is flawed too. OUTPUT suffers from the very same problem as
POSTROUTING - by the time the packets hit the NF stack the process has
already bound itself to an interface, which you can not change anymore.
 
Peter
 
Disagree with Peter. The marking in postrouting table is CONNMARK. This
is for marking the connection, which has already had a route decided for
it, so that all packets of the connection passes through this interface.
This marking is done for packets with NEW state, see the check for
mark==0 in the prev. line. The restore mark in PREROUTING will restore
the connmark and route the subsequent packets.
This approach will work, but you need some sort of stateful-ness in
netfilter.
 
The second point in Brosnan Blazquez’s mail about shorewall: They seem
to be doing Policy Routing, not real load balancing.


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

El jue, 10-05-2007 a las 16:01 +0800, Salim S I escribió:
Hi Salim,

Thanks for your reply,
> On closer look, I am wrong about shorewall. It seems to be a different
> approach to load balancing. They connmark the incoming packets from
> WAN, rather than outgoing packets. I think it should work well, but I
> wonder why this approach is not popular. There must be some drawback
> to it. I can’t think of one,though.
I think the main advantage of shorewall solution is that it applies
connmark to incoming packets from the wan as you point, leaving load
balancing to outgoing connections to the main table.

In any case, with this second solution I don''t see wrong routed
packages
on wan interfaces using tcpdump, whereas with the first solution I do.
More testing is required.

Regarding to your previous reply, can you elaborate more on "...This
approach will work, but you need some sort of stateful-ness in
netfilter..."

Cheers!

-- 
Francis Brosnan Blazquez <francis@aspl.es>
Advanced Software Production Line, S.L.

hi people

Francis Brosnan Blazquez wrote:
> I''ve been implementing a load balancing solution using CONNMARK,
based
> After giving a try during several days, I''ve found that another
firewall
> solution, shorewall [2], implements built-in load balacing for free by
> using the following set of instructions:
did somebody try the shorewall solution with centos 4?

with centos 4 and the first solution i always had the problem, that it
routes correctly only for passing through connections (forwarded).
connections starting from the machine or hoing to the machine
(input/output chain) had exactly the same behaviour as you stated before.

i noticed with centos 4 that packets do not pass the prerouting magle
chain if going to the local host (passing the input filter chain
thereafter). therefore certainly the mark will not be restored and there
will be no influence on the routing decision.
someone noticed similar behaviour?

peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com   :: peter@endian.com

Salim S I wrote:
> Francis Brosnan Blazquez wrote:
> 
>> Hi,
> 
>> 
> 
>> I''ve been implementing a load balancing solution using
CONNMARK, based
> 
>> on solution described by Luciano Ruete at [1]. Gracias por el post y
por
> 
>> apuntar en la dirección correcta Luciano!
> 
>> 
> 
>> Once implemented, I''ve found that due to some reason packets
aren''t
> 
>> properly marked (or improperly remarked) and sent out using the wrong
> 
>> interface. 
> 
>> 
> 
>> <snip>
> 
>> 
> 
>> iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT 
> 
>> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> 
>> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> 
>> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
> 
>  
> 
> This is wrong. POSTROUTING is exactly what is is _POST_ routing. By the
> 
> time you do your marks and stuff the kernel has _already_ assigned a
> 
> packet to an interface, and you can not alter this anymore.
> 
>  
> 
>> After a bit of testing with the second solution, it seems to behave
> 
>> better, doing all marking job at the PREROUTING and OUTPUT.
> 
>  
> 
> This is flawed too. OUTPUT suffers from the very same problem as
> 
> POSTROUTING - by the time the packets hit the NF stack the process has
> 
> already bound itself to an interface, which you can not change anymore.
> 
>  
> 
> Peter
> 
>  
> 
> Disagree with Peter. The marking in postrouting table is CONNMARK. This
> is for marking the connection, which has already had a route decided for
> it, so that all packets of the connection passes through this interface.
> This marking is done for packets with NEW state, see the check for
> mark==0 in the prev. line. The restore mark in PREROUTING will restore
> the connmark and route the subsequent packets.
> 
> This approach will work, but you need some sort of stateful-ness in
> netfilter.
> 
Connmark is exactly the statefullness you are talking about. The problem
is that the marks by themselves do not mean anything. You mark packets
and expect iproute to classify the packet in the correct routing table
etc. CONNMARK is invisible to iproute - this is why you have only
--save-mark and --restore-mark, and the rest of the rules deal with real
MARKs.

Further you (and the OP) seem to be confused by a mix of routing tasks.
In the case of _forwarded_ traffic, you need to make sure that all
packets within a connection leave to WAN over the same interface, and
are SNATed to the same ip, so that they will come bak the same
interface. The SNATting is trivial (as it can be done in POSTROUTING
only), but you need to set all marks before the routing takes place
(which is anywhere _but_ POSTROUTING). You might mark the connection
with the proper CONNMARK. and subsequent packets might get routed
correctly, but the _first_ packet (the one that you use to set the mark)
is already assigned to an interface, and there is nothing you can do
about it.

In the case of _local_ traffic - it becomes even trickier. The problem
is that when sockets are created they already have a source IP (the
kernel determines that by looking at the default routing table, your
marks do not exist yet). So since you can not alter the socket binding,
the only way to make it leave on a different interface is by treating it
as a forwarded connection and performing NAT on it. It is arguable if
NATting locally originating connections is a good idea, but it can be
done in OUTPUT just like it is done for forwarder connections in
PREROUTING.

I hope this clarifies things a bit, feel free to point out any
inconsistencies you may find.

Peter

Peter Rabbitson wrote:
> ...
> In the case of _local_ traffic - it becomes even trickier. The problem
> is that when sockets are created they already have a source IP (the
> kernel determines that by looking at the default routing table, your
> marks do not exist yet). 
This is misleading - it will happen only when the application does not
request a specific ip/interface to bind to. Only then the kernel default
table is consulted, and the best interface is determined based on the
destination that is supplied on socket creation.

Let me explain why the marking is done in POSTROUTING.

The first packet of any connection get routed by the multipath routing
entry. This happens AFTER PREROUTING, as you know. And this is what we
want, letting the kernel decide based on the weights. (some people do
think that we shouldn''t let multipath decide routing, but thatz a
different story).

So where can this packet be marked? Obviously in POSTROUTING (so that
local pkts also can be caught). We mark it and save it.(connmark).The
mark is decoded by the chosen interface. (eg:-o WAN1 --set mark 1,-o
WAN2 --set-mark 2)

In PREROUTING, there is a restore-mark. You see

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark.

If this packet belong to a connection that has already sent a
packet,this will restore the mark set in POSTROUTING. Then it will be
routed by the corresponding routing table.(wan1 table lookup mark1 and
wan2 table lookup mark2)
If it is a new pkt, it will be routed by multipath routing
statement,since no mark exists.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl
[mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Peter Rabbitson
Sent: Thursday, May 10, 2007 6:51 PM
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Load balancing using connmark

Salim S I wrote:
> Francis Brosnan Blazquez wrote:
> 
>> Hi,
> 
>> 
> 
>> I''ve been implementing a load balancing solution using
CONNMARK,
based
> 
>> on solution described by Luciano Ruete at [1]. Gracias por el post y
por
> 
>> apuntar en la dirección correcta Luciano!
> 
>> 
> 
>> Once implemented, I''ve found that due to some reason packets
aren''t
> 
>> properly marked (or improperly remarked) and sent out using the wrong
> 
>> interface. 
> 
>> 
> 
>> <snip>
> 
>> 
> 
>> iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT 
> 
>> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> 
>> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> 
>> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
> 
>  
> 
> This is wrong. POSTROUTING is exactly what is is _POST_ routing. By
the
> 
> time you do your marks and stuff the kernel has _already_ assigned a
> 
> packet to an interface, and you can not alter this anymore.
> 
>  
> 
>> After a bit of testing with the second solution, it seems to behave
> 
>> better, doing all marking job at the PREROUTING and OUTPUT.
> 
>  
> 
> This is flawed too. OUTPUT suffers from the very same problem as
> 
> POSTROUTING - by the time the packets hit the NF stack the process has
> 
> already bound itself to an interface, which you can not change
anymore.
> 
>  
> 
> Peter
> 
>  
> 
> Disagree with Peter. The marking in postrouting table is CONNMARK.
This
> is for marking the connection, which has already had a route decided
for
> it, so that all packets of the connection passes through this
interface.
> This marking is done for packets with NEW state, see the check for
> mark==0 in the prev. line. The restore mark in PREROUTING will restore
> the connmark and route the subsequent packets.
> 
> This approach will work, but you need some sort of stateful-ness in
> netfilter.
> 
Connmark is exactly the statefullness you are talking about. The problem
is that the marks by themselves do not mean anything. You mark packets
and expect iproute to classify the packet in the correct routing table
etc. CONNMARK is invisible to iproute - this is why you have only
--save-mark and --restore-mark, and the rest of the rules deal with real
MARKs.

Further you (and the OP) seem to be confused by a mix of routing tasks.
In the case of _forwarded_ traffic, you need to make sure that all
packets within a connection leave to WAN over the same interface, and
are SNATed to the same ip, so that they will come bak the same
interface. The SNATting is trivial (as it can be done in POSTROUTING
only), but you need to set all marks before the routing takes place
(which is anywhere _but_ POSTROUTING). You might mark the connection
with the proper CONNMARK. and subsequent packets might get routed
correctly, but the _first_ packet (the one that you use to set the mark)
is already assigned to an interface, and there is nothing you can do
about it.

In the case of _local_ traffic - it becomes even trickier. The problem
is that when sockets are created they already have a source IP (the
kernel determines that by looking at the default routing table, your
marks do not exist yet). So since you can not alter the socket binding,
the only way to make it leave on a different interface is by treating it
as a forwarded connection and performing NAT on it. It is arguable if
NATting locally originating connections is a good idea, but it can be
done in OUTPUT just like it is done for forwarder connections in
PREROUTING.

I hope this clarifies things a bit, feel free to point out any
inconsistencies you may find.

Peter

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Is there a good [single?] document explaining all of this and more?
What the kernel does in POST vs PRE with respect to iproute2 and
netfilter with CONNMARK and etc?

Thank you,
David

Salim S I wrote:
> Let me explain why the marking is done in POSTROUTING.
> [...]

Salim S I wrote:
> Let me explain why the marking is done in POSTROUTING.
> 
> want, letting the kernel decide based on the weights. (some people do
> think that we shouldn''t let multipath decide routing, but thatz a
> different story).
I apologize, as I am one of these people, and subsequently assumed the
OP wanted this. In this light I agree with Salim. On an unrelated note
the OP should be aware that letting multipath do the balancing is
impractical (i.e. does not work) in real life scenarios, but this indeed
is a topic for a separate thread.