On Fri, 26 Apr 2002, Jonathan Hutchins wrote:

> > -----Original Message-----
> > From: Gerald Combs [mailto:gerald@ethereal.com]
> >
> > Could someone who has a system running iptables with NAT cat
> > /proc/net/ip_conntrack and tell me what information is displayed?
>
> It's similar to netstat -M on an ipchains box; in fact there's a perl script
> netstat-m that gives a tabular view,
>
> Proto Local Address Foreign Address State
>
> Resolves the IP numbers and displays actual ports.
>
> Here's a raw line from /proc/net/ip_conntrack:
>
> tcp 6 105145 ESTABLISHED src=192.168.5.3 dst=64.76.84.140 sport=4655
> dport=6346 src=64.76.84.140 dst=65.26.52.58 sport=6346 dport=4655 [ASSURED]
> use=1

Cool - this and the output that Hal sent suggest that iptables should track
connections across interfaces.

After looking through the docs on netfilter.samba.org, I ran across something
called the "random patch"
(http://netfilter.samba.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.12)

Assuming that iptables can correctly NAT on multiple interfaces as the
ip_conntrack output suggests, and that the random patch works with the NAT
code, it should be possible to create rules that send packets out interface
"a" some percent of the time, else send packets out interface "b", all the
while clamping TCP connections to the correct interface. It should also be
possible to change the percentage dynamically, so that load balancing and
failover could be automated.

Anybody wanna bring some equipment to the next meeting to put this to the test?

> An interesting note, that connection has not been up for days, node .3 has
> been shut down several times, so it appears that there's a missing cleanup
> mechanism.
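As an added example, not part of the thread and not the netstat-m script Jonathan mentions: a small Python parser for entries in the /proc/net/ip_conntrack format quoted above. The first sample line is the one from the message; the other three are constructed. Each entry is split into its original-direction and reply-direction tuples, and an entry is reported as NATed when the reply tuple is not simply the original tuple with the endpoints swapped, which is exactly what the 192.168.5.3 to 65.26.52.58 rewrite in Jonathan's line shows. The third field of each entry is its remaining timeout in seconds, which is the column to watch for entries that outlive the host that created them. Field names and sample addresses other than those quoted in the thread are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample in the /proc/net/ip_conntrack format. Line 1 is the entry
# quoted in the thread; lines 2-4 are made up to exercise udp, a plain
# (non-NAT) tcp flow and an [UNREPLIED] entry.
SAMPLE_CONNTRACK = """\
tcp 6 105145 ESTABLISHED src=192.168.5.3 dst=64.76.84.140 sport=4655 dport=6346 src=64.76.84.140 dst=65.26.52.58 sport=6346 dport=4655 [ASSURED] use=1
udp 17 27 src=192.168.5.7 dst=192.168.5.1 sport=1024 dport=53 src=192.168.5.1 dst=192.168.5.7 sport=53 dport=1024 use=1
tcp 6 431999 ESTABLISHED src=10.0.0.9 dst=10.0.0.20 sport=33000 dport=22 src=10.0.0.20 dst=10.0.0.9 sport=22 dport=33000 [ASSURED] use=1
udp 17 29 src=192.168.5.9 dst=198.51.100.53 sport=40000 dport=53 [UNREPLIED] src=198.51.100.53 dst=65.26.52.58 sport=53 dport=40000 use=1
"""

# Keys that belong to a flow tuple. They appear twice per entry: the original
# direction first, then the expected reply direction.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}
INT_KEYS = {"sport", "dport", "type", "code", "id"}


@dataclass
class ConntrackEntry:
    proto: str
    proto_num: int
    timeout: int                     # seconds left before the kernel expires the entry
    state: Optional[str]             # TCP state; None for stateless protocols (udp, icmp)
    orig: Dict[str, object]          # original-direction tuple
    reply: Dict[str, object]         # reply-direction tuple
    flags: Set[str] = field(default_factory=set)   # ASSURED, UNREPLIED, ...
    use: int = 0

    def nat_kind(self) -> Optional[str]:
        """'SNAT', 'DNAT', 'SNAT+DNAT' or None, derived from the two tuples.
        Without NAT the reply tuple is the original tuple with endpoints
        swapped; a mismatch means an address or port was rewritten."""
        snat = (self.reply["dst"], self.reply.get("dport")) != (self.orig["src"], self.orig.get("sport"))
        dnat = (self.reply["src"], self.reply.get("sport")) != (self.orig["dst"], self.orig.get("dport"))
        if snat and dnat:
            return "SNAT+DNAT"
        if snat:
            return "SNAT"
        if dnat:
            return "DNAT"
        return None


def parse_entry(line: str) -> ConntrackEntry:
    """Parse one ip_conntrack line: proto, proto number, timeout, optional
    state word, two key=value tuples, bracketed flags and a use count."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"not a conntrack entry: {line!r}")
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    state: Optional[str] = None
    orig: Dict[str, object] = {}
    reply: Dict[str, object] = {}
    flags: Set[str] = set()
    use = 0
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key == "use":
                use = int(value)
            elif key in TUPLE_KEYS:
                # First occurrence fills the original tuple, second the reply tuple.
                target = reply if key in orig else orig
                target[key] = int(value) if key in INT_KEYS else value
            # Any other key=value pair is ignored so newer kernels do not break parsing.
        else:
            state = tok   # bare word after the timeout is the TCP state
    return ConntrackEntry(proto, proto_num, timeout, state, orig, reply, flags, use)


def parse_conntrack(text: str) -> List[ConntrackEntry]:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def format_table(entries: List[ConntrackEntry]) -> str:
    """Tabular view in the spirit of netstat-m, plus NAT kind and remaining
    timeout. No name resolution, so it runs offline."""
    fmt = "{:<5} {:<22} {:<22} {:<12} {:<9} {}"
    rows = [fmt.format("Proto", "Local Address", "Foreign Address", "State", "NAT", "Timeout")]
    for e in entries:
        local = f"{e.orig['src']}:{e.orig.get('sport', '-')}"
        foreign = f"{e.orig['dst']}:{e.orig.get('dport', '-')}"
        rows.append(fmt.format(e.proto, local, foreign, e.state or "-", e.nat_kind() or "-", e.timeout))
    return "\n".join(rows)


if __name__ == "__main__":
    # On a real box: parse_conntrack(open("/proc/net/ip_conntrack").read())
    print(format_table(parse_conntrack(SAMPLE_CONNTRACK)))
```

The NAT column is what the multi-interface question in the thread turns on: an entry whose reply tuple points at a different public address than the original source shows which translated address, and therefore which outgoing interface, the kernel has committed that connection to.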