[Firehol-support] Link Balancer, marks & NATed servers

Whit Blauvelt whit at transpect.com
Tue Nov 28 14:47:44 GMT 2017

Hi Costa,

Thanks for the answer. So fwmarks can never be within packets? Or just
connmarks? Reading elsewhere, I get the impression that whereas connmarks
are only in the local kernel's connection tracking table, marks can also be
on packets. For instance the article, "Load balancing using iptables with

  The connmark target

  An ipfilter target is a module that runs an action. We will need both the
  MARK target to put a mark on a packet, and CONNMARK to manage the netfilter
  state table:

    -j MARK --set-mark: this action is used to write the fwmark on an IP
    packet. The value of the mark is given as a parameter of this action.

    -j CONNMARK --save-mark: this action is used to write the fwmark of a
    packet in the state table (from packet to state table)

    -j CONNMARK --restore-mark: this action is used to write the fwmark of
    the state table in the ip packet (from state table to packet)

This says marks can be either "on a packet" or in "the netfilter state
table." What might be ambiguous is whether "on a packet" is the same as "in
a packet." Or if it means "in a packet but stripped out before being sent on
the wire." If "on a packet" is neither "in the packet" nor in the state
table, where is it? Another table in the kernel? A sort of wrapper around or
extension on the packet that's stripped off as it's sent to the wire?

I just want to be clear on whether "marks never appear on the wire" is just
in the Link Balancer context, or a limitation of fwmarks in all uses.


On Tue, Nov 28, 2017 at 02:25:41AM +0200, Tsaousis, Costa wrote:
> Hi,
> no, marks never appear on the wire. They are mainly a mechanism for building
> complex rules, within a single host.
> Costa
> On Mon, Nov 27, 2017 at 4:59 PM, Whit Blauvelt <whit at transpect.com> wrote:
>     Let me simplify this question: Are the marks that Link Balancer places on
>     packets at a gateway/firewall also utilizable by instances on the LAN, also
>     running Link Balancer, to route packets back out through that
>     gateway/firewall, in a multiple gateway/firewall setup?
>     Yes, I can engage in experiments to see. But it's always nice to know if
>     something's theoretically sound before stumbling through experiments.
>     Thanks again,
>     Whit
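As an added illustration of the MARK / CONNMARK --save-mark / --restore-mark flow quoted from the article above (this is an editor's toy model in Python, not kernel code and not part of FireHOL or of this thread), the following simulates the kernel's two storage places for a mark: the per-packet metadata that travels with the packet only inside the kernel (the sk_buff's mark field), and the conntrack entry for the flow. The addresses, ports, the "HTTP goes out link 1" policy and the link names are constructed for the example. Serialising the packet to wire bytes never consults the mark, which is the point of Costa's "marks never appear on the wire".

```python
"""Toy model of Linux fwmark vs. connmark (added example, not kernel code).

The fwmark lives in per-packet kernel metadata (skb->mark); the connmark
lives in the conntrack entry shared by both directions of a flow. Neither
is a header field, so neither is present in the bytes that leave the NIC.
"""
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes = b""
    mark: int = 0  # analogue of skb->mark: kernel-only metadata

    def to_wire(self) -> bytes:
        """Bytes as they would leave the interface (minimal header).
        self.mark is deliberately never consulted: it is not a header field."""
        def ip(addr: str) -> bytes:
            return bytes(int(octet) for octet in addr.split("."))
        header = struct.pack("!BHH", self.proto, self.sport, self.dport)
        return ip(self.src) + ip(self.dst) + header + self.payload


class Conntrack:
    """Minimal stand-in for the netfilter conntrack table: one entry per
    flow, found by either direction's 5-tuple."""
    def __init__(self) -> None:
        self.table: dict = {}

    @staticmethod
    def key(pkt: Packet) -> tuple:
        a = (pkt.src, pkt.sport)
        b = (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def entry(self, pkt: Packet) -> dict:
        return self.table.setdefault(self.key(pkt), {"connmark": 0})


def classify(pkt: Packet) -> int:
    # Constructed policy: HTTP out link 1, everything else out link 2.
    return 1 if pkt.dport == 80 else 2


def mangle_prerouting(pkt: Packet, ct: Conntrack) -> int:
    """Models the usual rule trio:
      iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
      iptables -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark <policy>
      iptables -t mangle -A PREROUTING -j CONNMARK --save-mark"""
    e = ct.entry(pkt)
    pkt.mark = e["connmark"]        # --restore-mark: state table -> packet
    if pkt.mark == 0:
        pkt.mark = classify(pkt)    # MARK --set-mark: only the flow's first packet
    e["connmark"] = pkt.mark        # --save-mark: packet -> state table
    return pkt.mark


# Analogue of `ip rule add fwmark N table ...`: mark selects the link.
ROUTE_BY_MARK = {1: "link1", 2: "link2"}


def demo() -> dict:
    ct = Conntrack()
    first = Packet("10.0.0.5", "203.0.113.10", 6, 40000, 80, b"GET")
    later = Packet("10.0.0.5", "203.0.113.10", 6, 40000, 80, b"more")
    reply = Packet("203.0.113.10", "10.0.0.5", 6, 80, 40000, b"200")
    other = Packet("10.0.0.5", "198.51.100.7", 6, 40001, 443)
    results = {}
    # Every packet of the flow, including the reply whose dport is not 80,
    # gets the mark restored from conntrack instead of being re-classified.
    results["first"] = ROUTE_BY_MARK[mangle_prerouting(first, ct)]
    results["later"] = ROUTE_BY_MARK[mangle_prerouting(later, ct)]
    results["reply"] = ROUTE_BY_MARK[mangle_prerouting(reply, ct)]
    results["other"] = ROUTE_BY_MARK[mangle_prerouting(other, ct)]
    # A marked packet and an identical unmarked one produce the same bytes.
    unmarked = Packet("10.0.0.5", "203.0.113.10", 6, 40000, 80, b"GET")
    results["wire_identical"] = first.to_wire() == unmarked.to_wire()
    results["connmark_entries"] = len(ct.table)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three packets of the first flow all resolving to `link1`, the unrelated flow to `link2`, two conntrack entries, and identical wire bytes for marked and unmarked packets. Because the mark exists only in this host's kernel, another host on the LAN that wants to route on it has to derive its own mark from what is actually in the packet, which is what the "restore, classify if zero, save" sequence does on each box independently.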

