Home / server / Questions / 237867
Accepted
exa
Asked: 2011-02-21 07:52:18 +0800 CST

IPTables Match for hashing IP addresses

  • 772

So I'm trying to do roughly this

http://wiki.mikrotik.com/wiki/PCC

on Linux.

To explain a little further: PCC just takes, say, source address of the packet, hashes it, divides the hash by some number, and if the remainder is equal to some other number, it makes a rule match.

I'm actually using this to mostly randomly divide my network into several almost-equally-big groups. More specifically, six such groups would look like this:

Group 1: pcc_hash(source IP) % 6 = 0
Group 2: pcc_hash(source IP) % 6 = 1
... etc

The groups are then given some kind of common resource to share (say, bandwidth, or public IP address) that they don't like to change very often (esp. with public IP address).

My question is that if there is some good method to divide the network into any number of stochastically-equal subnets using some similar, preferably easy iptables rules.

I've succeeded in splitting the network into powers of two using u32 (2^n networks just by matching last n bits of source IP address). But some randomness would be great too, and having a network split into anything like exact thirds is impossible to do with this. Moreover, mikrotiks are essentially linux-based, so there has to be a way to do that :D

Is someone here aware of a good method, or at least of some good u32 documentation that would make this possible?

Thanks in advance

-mk

linux iptables

2 Answers

  1. Best Answer

    Moreover, mikrotiks are essentially linux-based, so there has to be a way to do that :D

    Well, then Mikrotik™ has to go GPL or be sued for going not whilst selling a product based on GPLed software. In case they're GPLed already, you can look into the source code. In case they're not — help'em. ;-)

    I doubt there's a module like this available for Netfilter, but I think it wouldn't be too hard to write it using any similar as an example.

    having a network split into anything like exact thirds is impossible to do with this.

    Why makes you think so? Suppose you're masking with 0xF [0..15]; what then makes you unable to split it into ranges [0..5], [6..11], [12..15]? Yeah, not preciselly but quite close to 1/3. The wide range you'duse, the closer division you'd get.

    • 0

  2. As an alternative to using netfilter's u32 module, which, as you've found, is pretty much undocumented, you could use the nfnetlink_queue subsystem of netfilter. The idea is that you send packets through a userspace process (most likely a daemon) that examines the packets, MARKs them as it sees fit, and then returns them to netfilter for further processing.

    The mechanics of this are relatively straightforward. The iptables QUEUE and NFQUEUE targets put selected packets on a queue, and a userspace process takes the packets from there via the nfnetlink_queue API (documentation here). As each packet returns to netfilter from userspace, the MARK set by the process can be used to direct packets through further processing (by, say, iptables or tc).

    Caveat: I have never actually implemented a solution using netlink's queue module, so I have no first hand experience regarding its potential robustness, security, or performance. Obviously, a userspace daemon through which network packets flows would need to be developed with a fair amount of care.

    • 0