Salim S I wrote:
> > > NATing is done with MASQUERADE, not SNAT, I use another MARK for it,
> > > but in essence it is
> > >
> > >   -o eth2 -j MASQUERADE
> > >   -o eth3 -j MASQUERADE
> > >
> > > In addition, there are several other MARKs for policy routing. They
> > > have their own routing tables also. But at present, they are all empty.
> >
> > This is the part I definitely do not like. First of all - why
> > SNAT/MASQUERADE _all_ traffic? You should do this for forwarded traffic
> > only. Like so:
>
> Yes, in fact, this is what I do. I mentioned I use MARK for
> masquerading, but forgot to elaborate. That particular MARK is set for
> forwarded packets only.
>
> > Also you mention that there are "other marks", which means that you
> > might very well be overwriting marks as you go. A packet/connection can
> > have only _one_ mark value at any time, no more no less (a 0x0 is still
> > a mark).
>
> I use --or-mark in iptables, so that I can use bitwise masks. The 'ip'
> tool supports bit masks too.

Well then you are certainly ahead of the game. Still, I would suggest
avoiding the complexity of bit-mask marks - it is rather error-prone and
pretty hard to maintain, while the same result can usually be achieved
by other means (like in my SNAT example). As far as your original
problem goes - it seems like a mark is getting eaten away or is not set
somewhere in the first place. I have not had any problems like the ones
you describe.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
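As an added illustration of the --set-mark versus --or-mark point argued above (this is not code from the thread or from either poster), the following Python model walks one forwarded packet through the netfilter chains in kernel order and shows how a maskless MARK --set-mark in mangle FORWARD wipes policy-routing bits that were set in mangle PREROUTING, while --or-mark (or --set-mark with a mask) leaves them alone. It also prints the iptables/ip rule lines the model corresponds to. The bit layout (bit 0 for "masquerade this packet", bits 1-2 as the routing-table selector), the table names ispA/ispB, the LAN interface eth0 and the 10.0.x.0/24 subnets are assumptions made for the example; eth2 and eth3 are the uplinks named in the thread.

```python
"""Bitwise model of iptables MARK semantics and fwmark/mask rule matching.

Added example, not code from the LARTC thread.  Bit layout, table names,
eth0 and the 10.0.x.0/24 subnets are assumptions chosen for illustration.
"""

MARK_WIDTH = 0xFFFFFFFF      # skb->mark is a 32-bit field

NAT_BIT = 0x1                # assumed: "this forwarded packet needs MASQUERADE"
POLICY_MASK = 0x6            # assumed: bits 1-2 select the policy routing table
POLICY_ISPA = 0x2
POLICY_ISPB = 0x4


def set_mark(mark, value, mask=MARK_WIDTH):
    """MARK --set-mark value/mask: zero the bits in mask, then OR in value.
    Without an explicit mask every bit is zeroed first, so any earlier mark is lost."""
    return ((mark & ~mask) | value) & MARK_WIDTH


def or_mark(mark, bits):
    """MARK --or-mark bits: OR bits into the mark and touch nothing else."""
    return (mark | bits) & MARK_WIDTH


def mark_matches(mark, value, mask=MARK_WIDTH):
    """'-m mark --mark value/mask' and 'ip rule ... fwmark value/mask' both
    compare only the masked bits of the packet mark against value."""
    return (mark & mask) == value


# Policy rules as (fwmark value, mask, table).  First match wins, like the
# kernel's priority-ordered rule list; the main table is the fall-through.
IP_RULES = [
    (POLICY_ISPA, POLICY_MASK, "ispA"),
    (POLICY_ISPB, POLICY_MASK, "ispB"),
]


def route_table(mark):
    for value, mask, table in IP_RULES:
        if mark_matches(mark, value, mask):
            return table
    return "main"


def forward_packet(policy_bits, use_or_mark):
    """Walk a forwarded packet through the chains in kernel order.

    Returns (mark after mangle FORWARD, table used by the routing decision,
    whether nat POSTROUTING will masquerade it).
    """
    mark = 0
    # mangle PREROUTING: policy bits must be set here, before the routing decision.
    mark = set_mark(mark, policy_bits, POLICY_MASK)
    table = route_table(mark)               # routing decision happens now
    # mangle FORWARD: flag the packet for NAT (forwarded traffic only).
    if use_or_mark:
        mark = or_mark(mark, NAT_BIT)       # keeps bits 1-2 intact
    else:
        mark = set_mark(mark, NAT_BIT)      # no mask: bits 1-2 are wiped
    # nat POSTROUTING: masquerade only packets that carry the NAT bit.  This
    # chain sees a connection's first packet only, and mangle FORWARD runs
    # before it, so the bit is already there for that packet.
    masq = mark_matches(mark, NAT_BIT, NAT_BIT)
    return mark, table, masq


def equivalent_rules():
    """The iptables/ip commands the model corresponds to (assumed layout)."""
    return [
        "iptables -t mangle -A PREROUTING -i eth0 -s 10.0.1.0/24 -j MARK --set-mark 0x2/0x6",
        "iptables -t mangle -A PREROUTING -i eth0 -s 10.0.2.0/24 -j MARK --set-mark 0x4/0x6",
        "iptables -t mangle -A FORWARD -j MARK --or-mark 0x1",
        "iptables -t nat -A POSTROUTING -m mark --mark 0x1/0x1 -o eth2 -j MASQUERADE",
        "iptables -t nat -A POSTROUTING -m mark --mark 0x1/0x1 -o eth3 -j MASQUERADE",
        "ip rule add fwmark 0x2/0x6 table ispA",
        "ip rule add fwmark 0x4/0x6 table ispB",
    ]


if __name__ == "__main__":
    for use_or in (True, False):
        mark, table, masq = forward_packet(POLICY_ISPA, use_or)
        print(f"{'--or-mark ' if use_or else '--set-mark'}: mark=0x{mark:x} routed via {table}, "
              f"masquerade={masq}, policy bits still select: {route_table(mark)}")
    print("\n".join(equivalent_rules()))
```

With --or-mark the packet ends up with mark 0x3: it is masqueraded and anything that reads the mark later (a CONNMARK --save-mark, a tc filter, a later rule) still sees the ispA selector. With a maskless --set-mark the same packet ends up with mark 0x1 and the selector is gone, which is the "mark getting eaten away" symptom discussed above. The masked --set-mark and --or-mark forms need an iptables and kernel new enough for MARK target revision 2, and the policy tables still have to be populated (for example a default route per table), which the thread notes is not yet the case.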