top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

What is the "algorightm" that decides on the routing path?

+1 vote
216 views

I am asking to understand how to explain the decision of multi dual weight nexthop routes.

For example I do have a client with one router which load balance towards two other routers with NAT on them using two different IP addresses as outgoing IP.

so client 192.168.120.1 goes to 192.168.120.254 with the other leg at 192.168.130.254 and two next hops with 130.1 and 130.2 with another leg at the 192.168.10.X leg.

Now I want to make sure I understand how exactly it is decided with what nexthop will the packet be delivered towards?

There must be a "Static" way to calculate it.(ip? port? etc?)

posted Mar 7, 2014 by Seema Siddique

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button

Similar Questions
+1 vote

Is there a way to find out if there any iptables rules set on a machine ?

There are some indirect ways which will not always work; for example, I know that on most hosts, iptables -S will return the following output (when no iptable rules are set)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

So you can check whether or not the number of output lines is greater than 3 (as an indication of whether or not iptables rules are set). But there are hosts on which there are more chains then these 3; these chains are set by application/services, even without any iptable rules which are set. And after running iptables -F on these machines, iptables -S will still show more than 3 chains, even that there are no iptables rules set in these chains.

So the question is - is there a way to know whether or not netfilter rules are set on a host, regardless of the number of chains ?

+1 vote

According to your experience what would be the best strategy to intercept traffic from one machine to another and process some (not all) request in a transparent way.

I explain, i have two machines:

192.168.1.1/24  192.168.1.2/24

All I want to do is to intercept traffic from a specific port(s), i.e. 4000/tcp and process it in a 'machine in the middle'.

192.168.1.1/24  machine-in-the-middle  192.168.1.2/24

The idea is that when 192.168.1.1 connects to 192.168.1.2:4000 then the machine in the middle will answer those requests, but the remaining traffic from 192.168.1.1 to 192.168.1.2 keep forwarding as is, and the same for the opposite direction.

+1 vote

I am trying to provide ability to intercept network connections originating from, and coming into Linux machines at various stages during the network connections life-cycle.

These stages include the following:
1. Just before an outbound network connection is made - i.e. when the first SYN packet is sent out.
2. Just after an outbound network connection is established.
3. Just after the connection is terminated.
4. When an inbound connection is established - i.e. when the first SYN packet is received from outside.

For above requirements, I was evaluating netfilter_queue to get the packets in the user-space and then decide the verdict whether to allow or drop the packet.

My main concern here is, that once I am done with netfilter_queue registration, I'll start getting all the packets. But I am only interested in control packets and don't want data packets to be sent to user-space.

So, my question is - Is there any existing way to tell the netfilter_queue kernel module to send only the control packets and not the data packets ? Also, would it be possible to get notified about the connection establishment and termination ?

If there is no ready way to achive above, then would it make sense to modify libnfnetfilter_queue and netfilter_queue kernel module to provide only control packets depending upon the config mode set,
i.e. introducing NFQNL_COPY_CONTROL_PACKET for copying only control packets to user-space ?

0 votes

Is it possible to bind multiple address families in netfilter queue? I see IPv4 show up in my queue, but not ARP. With error code removed, here is how I'm calling nfq_bind:

netfilterqueue_handle = nfq_open();
netfilterqueue_queue = nfq_create_queue( netfilterqueue_handle, 0,

nfq_bind_pf( netfilterqueue_handle, AF_INET );
nfq_bind_pf( netfilterqueue_handle, NF_ARP );

I'm thinking the more likely possibility is the iptable rules I'm using to send traffic to the queue are too restrictive. Here are the rules I have:

# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*nat
:PREROUTING ACCEPT [161:14105]
:INPUT ACCEPT [56:4995]
:OUTPUT ACCEPT [56:4496]
:POSTROUTING ACCEPT [56:4496]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 14 10:40:46 2015
# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*filter
:INPUT ACCEPT [1017:217421]
:FORWARD DROP [53:2307]
:OUTPUT ACCEPT [934:211104]
:MYRA - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j MYRA
-A FORWARD -s 10.0.1.0/24 -o eth0 -m conntrack --ctstate NEW -j MYRA
-A MYRA -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
# Completed on Sat Feb 14 10:40:46 2015

Do I have to add another FORWARD line to get ARP to jump to MYRA? What would it look like?

+2 votes

I’m recently developing a simple program using netfilter and I’m having a tricky problem. My program is mainly to log the src and dst ip address of all the packets. This program is run in the host machine. I have several virtual machines on that host machine.

The problem is, I can not capture the packets generated or destined at the VMs. All the VMs use bridging network to connect.

Can anyone help me?

...