On 10/4/19 2:27 AM, Vieri Di Paola wrote:
> Hi,
>
> My previous question about which chain/table to use for TEE on the
> "out interface" is because if I only use this:
>
> IPTABLES(TEE --gateway $IPS_SOC_PROBE):P    ${IF_LAN}.13    -    !udp
>
> then I have no network performance issues.
>
> However, if I use the following in mangle:
>
> IPTABLES(TEE --gateway $IPS_SOC_PROBE):P    ${IF_LAN}.13    -               !udp
> IPTABLES(TEE --gateway $IPS_SOC_PROBE):T    -               ${IF_LAN}.13    !udp
>
> then I'm starting to see trouble.
> I have sporadic ping failures between hosts in ${IF_LAN} and ${IF_LAN}.13.
> The amount of traffic is really "not that much", way below the hardware limit.
> Furthermore, there are only 3 hosts behind ${IF_LAN}.13.
> I'm pretty sure that if I increase the number of hosts/servers behind
> ${IF_LAN}.13 and only set the first rule (-i ; PREROUTING) then I will
> not have any network issues.
> I am under the impression that the POSTROUTING rule is the cause of
> what I'm seeing.
> Switching to FORWARD (:F) instead of POSTROUTING (:T) seems to yield
> fewer performance issues, but I'm just getting to this conclusion by
> observing continuous ping results in different time frames. It's not a
> thorough analysis.
>
> Why do you think this could be?

No idea... I've never used TEE

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
