The nth module for iptables.
This nifty gadget lets you match the nth packet to a rule.
What for? Well, suppose you have two links, and have implemented split access as per the LARTC HOWTO.
According to the same LARTC, you can implement per-route load balancing by creating a multipath route.
That works well... as long as the traffic originates on the firewall itself (say, using a Squid).
If the traffic comes from a SNATd subnet, it breaks, because you SNAT (or MASQ) it to one of your external IPs, and then it's routed only through that link, for obvious reasons [1].
You can route based on original source IP, so you can tell half the boxes to go left, and the other half to go right.
And then if the client boxes are used unevenly, your balancing sucks.
So, what's the solution? Match every second packet in state NEW and route it over the other link.
Since iptables's MASQ or SNAT makes the ESTABLISHED,RELATED packets of a connection follow the leader, each connection alternately goes left or right.
While not 100% right (you can be unlucky and end up with all the long connections on the same link), it is much better than the simple alternatives, and much simpler than the better alternatives.
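As an added example (not code from the original post), here is the rule set this scheme implies: the nth match marks every second NEW connection, CONNMARK stores that mark in the conntrack entry so the ESTABLISHED,RELATED packets follow it, and ip rules route by fwmark to a per-link table with its own MASQUERADE. Interface names, gateway addresses, table numbers and mark values are assumptions; the script prints the commands by default and only applies them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original post: balance NEW connections from a
# SNATed LAN over two uplinks with the patch-o-matic nth match. Interface names,
# gateway addresses, routing-table numbers and mark values are assumptions.
LAN_IF="${LAN_IF:-eth0}"
WAN1_IF="${WAN1_IF:-eth1}"; WAN1_GW="${WAN1_GW:-192.0.2.1}"
WAN2_IF="${WAN2_IF:-eth2}"; WAN2_GW="${WAN2_GW:-198.51.100.1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them (as root)

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One routing table per uplink, selected by the packet's firewall mark.
setup_routing_tables() {
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table 101
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table 102
    run ip rule add fwmark 1 table 101
    run ip rule add fwmark 2 table 102
    run ip route flush cache
}

# Mark alternate connections with nth and make the rest of each connection follow.
setup_nth_marking() {
    # Packets of an already-marked connection get their mark back and are done.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark ! --mark 0 -j ACCEPT
    # Only the first packet of a connection is NEW, so the counter advances once per
    # connection. With --packet, counter 0 needs one rule per value 0..every-1.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
        -m nth --counter 0 --every 2 --packet 0 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
        -m nth --counter 0 --every 2 --packet 1 -j MARK --set-mark 2
    # Store the decision in the conntrack entry for the ESTABLISHED,RELATED packets.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
        -j CONNMARK --save-mark
    # Masquerade per uplink: replies come back on the link the connection left on.
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j MASQUERADE
}

setup_routing_tables
setup_nth_marking
```

The two nth rules share counter 0, which is how the match is meant to be used with --packet: one rule for each value from 0 to every-1, so the counter moves once per NEW packet. Because MARK is non-terminating, both rules are evaluated for every NEW packet and exactly one of them fires. Later kernels ship the same thing in mainline as the statistic match (`-m statistic --mode nth --every 2 --packet 0`), so the patch is no longer needed there.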
So it's custom-kernel-compiling time, and I hate doing that. Really, this patch seems simple. Why is it not in?
[1] If you routed it through the other link, your ISP would reject the packets, because the origin IP is foreign to it.