Re: [LARTC] Policy routing and strange packets traversing.

Linux Advanced Routing and Traffic Control

	Hello,

On Sun, 2 Mar 2003, Tomasz Wrona wrote:

> > 	This looks a bit strange, it is not needed:
> >
> > > # To be sure that traffic goes to proper gateway
> > > 22:     from 1.1.1.30 lookup 1
> > > 22:     from 2.2.2.66 lookup 2
>
> Why? It's the same as what you pointed me to below...

	OK, I overlooked it

> > > 30:     from all to 1.1.1.29 lookup 1
> > > 30:     from all to 2.2.2.65 lookup 2
>
> OK, but I process the main table after all manually typed rules... but never
> mind, it's not an issue ;)

	It is not good to put table main after the other rules; they
should be used only to override routes in table main. For example, why
should traffic from 1.1.1.29 to some internal IP go to the ISP
gateway (table 1)?

> > 	Don't expect from Netfilter to use correctly the routing,
> > you have to avoid using "iif" when playing with Netfilter. Just
> > use "from XXX".
>
> Hmmm... I can't understand what netfilter has to do with the "iif" parameter?
> What I want to achieve is to catch all incoming traffic on eth1..

	There are some places that can use output rerouting where
the iif parameter is ignored. And second, the normal kernel relies
on the routing cache to keep persistence for each NAT connection to
its selected nexthop. There is no guarantee that it will work for the
whole connection lifetime.

> > 	but you will need rules "from all to all" for
> > proper default route selection and source IP autoselection for
> > the masquerading.
> >
> The balance table catches all traffic from LAN to inet. That's all I need.

	It does not work all the time.

> > http://www.ssi.bg/~ja/#routes
> >
> > dgd-usage.txt contains example for rules and routes you can use.
>
> Hmm... Maybe I am wrong, but it's related to NAT with multiple gateways on a
> single interface, not on different ones, which is what I have...

	Not exactly true, it is related to making sure each NAT
conn is bound to its allowed path(s), no matter how many interfaces
are used. Selecting a different nexthop should be allowed only if
it is an alternative allowed by the routing rules.

> There shouldn't be a problem, from what I read in this article.

	Then why do you see traffic to the wrong gateway?

Regards

--
Julian Anastasov <ja@xxxxxx>
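The point Julian makes about the position of table main is easy to see with a small model of how `ip rule` is evaluated: rules are walked in ascending priority, and the first rule whose selector matches and whose table actually contains a route for the destination wins. The Python below is an added illustration, not code from this thread or from the LARTC/dgd tools; it reuses the addresses from the quoted rules (1.1.1.30 and 2.2.2.66 as the router's own ISP-side addresses, 1.1.1.29 and 2.2.2.65 as the gateways) and assumes an internal LAN 192.168.0.0/24 and a priority of 10 for the main-table rule when it is moved in front of the others.

```python
import ipaddress

# Constructed topology. Table main holds only connected routes and no default,
# tables 1 and 2 hold one default route each, via the respective ISP gateway.
TABLES = {
    1: [("0.0.0.0/0", "1.1.1.29")],          # ISP 1: default via 1.1.1.29
    2: [("0.0.0.0/0", "2.2.2.65")],          # ISP 2: default via 2.2.2.65
    "main": [                                # connected networks (LAN assumed)
        ("192.168.0.0/24", None),
        ("1.1.1.28/30", None),
        ("2.2.2.64/30", None),
    ],
}

# Rules as (priority, from-selector, to-selector, table); None = "all".
# This mirrors the rule list quoted in the thread, with main evaluated last.
POSTED_RULES = [
    (22, "1.1.1.30/32", None, 1),
    (22, "2.2.2.66/32", None, 2),
    (30, None, "1.1.1.29/32", 1),
    (30, None, "2.2.2.65/32", 2),
    (32766, None, None, "main"),
]

# Same rules, but with main looked up before the per-ISP rules (priority 10 is
# an assumed value; any priority below 22 would do).
MAIN_FIRST_RULES = [(10, None, None, "main")] + POSTED_RULES[:-1]


def lookup_table(table, dst):
    """Longest-prefix match inside one table. Returns (network, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def select_route(rules, src, dst):
    """Walk the rules by ascending priority, like the kernel's FIB rule lookup.

    A rule whose selector matches but whose table has no route for dst is
    skipped and evaluation continues with the next rule. Returns a dict with
    the winning rule, table and nexthop, or None if nothing routes the packet.
    """
    src_a = ipaddress.ip_address(src)
    dst_a = ipaddress.ip_address(dst)
    for prio, sel_from, sel_to, table in sorted(rules, key=lambda r: r[0]):
        if sel_from is not None and src_a not in ipaddress.ip_network(sel_from):
            continue
        if sel_to is not None and dst_a not in ipaddress.ip_network(sel_to):
            continue
        hit = lookup_table(table, dst)
        if hit is None:
            continue
        _net, gw = hit
        return {"rule": prio, "table": table, "via": gw if gw else "direct"}
    return None


if __name__ == "__main__":
    # The router itself, using its ISP-1 address, talks to a LAN host.
    print("main last :", select_route(POSTED_RULES, "1.1.1.30", "192.168.0.5"))
    print("main first:", select_route(MAIN_FIRST_RULES, "1.1.1.30", "192.168.0.5"))
    # Internet-bound traffic still picks the ISP table once main has no match.
    print("internet  :", select_route(MAIN_FIRST_RULES, "1.1.1.30", "198.51.100.7"))
    # LAN source to the internet matches none of the "from ISP address" rules.
    print("LAN host  :", select_route(MAIN_FIRST_RULES, "192.168.0.5", "198.51.100.7"))
```

With main last, the packet from 1.1.1.30 to the LAN host hits the priority-22 rule and is sent to the ISP 1 gateway, which is the misrouting Julian asks about; with main first, the connected route wins and the ISP tables are consulted only for destinations main cannot route. The last call returns None, which is the other point in the reply: without rules "from all to all" pointing at a table with default routes, LAN-originated traffic has no path at all in this model.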


