Facing issue in ip6table rule for port based routing

[rahulbhansali24]

Hi,

Please help me on issue described below,
I have 4 machine setup, M1 -> M2 -> M3 | M4. And A laptop that can be reachable through both M3 and M4.

M2 has 2 NIC conected to M3 and M4. Now I want to divide the flow coming from M1 for laptop.
At M2, I have done following,
==============================
ip6tables -t mangle -A PREROUTING -p udp –dport 80 -j MARK –set-mark 12
echo 2 udp_flow >> /etc/iproute2/rt_tables
ip -6 rule add fwmark 12 table udp_flow
ip -6 route add $laptop-ip dev eth2 table udp_flow
==============================

Now if I send UDP traffic from M1 destined to Laptop IP, then if packet size is less then 1410 bytes then I can see complete UDP packets at M4 and successfully delivered to Laptop.

But if packet size > 1410 bytes, then fragmentaion happens and I can see only 1st fragmented packet at M4, not successive fragmented packets. I searched and find out that only 1st fragmented packet have information of UDP and destination port and hence marked properly and routed. Other fragmented packets have only UDP information not destination port, so not marked and dropped at M2.

Is there any solution or rule that can be applied so that all packets (whether fragmentation is there or not) can transfer to M4 only not M3 (destination port rule is compulsory) ?

If i put only UDP rule not including destination port then there is no issue with both cases with/without fragmentation.

Waiting for your helpful reply.



Thanks,

Rahul Bhansali
_________________
Rahul Bhansali

[truc]

Not sure about this one, but may be you can try to mark every packet from those connection with connmark, then mark packets from these connections having --destination $laptop-ip and rule them from there?
_________________
The End of the Internet!

[rahulbhansali24]

I did try with connmark, but only 1st fragment packet is getting marked not the subsequent fragmented packets.
_________________
Rahul Bhansali