Marco Gaiarin <gaio@xxxxxxxxx> wrote:

> I was trying to set up some policy routing (using iptables fwmark) for
> local traffic; I've just put in place rules for forwarded traffic (in
> the PREROUTING chain, mangle table) and they work as expected.
> E.g.:
>
> ulysses:~# ip rule show
> 0:      from all lookup local
> 32762:  from all fwmark 0x30/0xf0 lookup FIBRA
> 32763:  from 192.168.178.2 lookup FIBRA
> 32764:  from all fwmark 0x20/0xf0 lookup ADSL2
> 32765:  from 194.243.231.54 lookup ADSL2
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> and
>
> ulysses:~# iptables -t mangle -vnL PREROUTING
> Chain PREROUTING (policy ACCEPT 278K packets, 175M bytes)
>  pkts bytes target prot opt in  out source    destination
>     0     0 MARK   tcp  --  *   *   0.0.0.0/0 173.194.79.109 multiport dports 25,465,587,993,995 mark match 0x0/0xf0 MARK xset 0x20/0xf0
>     0     0 MARK   tcp  --  *   *   0.0.0.0/0 173.194.79.108 multiport dports 25,465,587,993,995 mark match 0x0/0xf0 MARK xset 0x20/0xf0
>  1488  311K MARK   tcp  --  *   *   0.0.0.0/0 173.194.76.109 multiport dports 25,465,587,993,995 mark match 0x0/0xf0 MARK xset 0x20/0xf0
>   143 99494 MARK   tcp  --  *   *   0.0.0.0/0 173.194.76.108 multiport dports 25,465,587,993,995 mark match 0x0/0xf0 MARK xset 0x20/0xf0
> [...]
>
>
> I've tried to set up the same thing for locally generated traffic but...
> I've discovered that the 'routing decision' happens BEFORE the iptables
> tables (so, simply, fwmarks get ignored).
>
> Is it true, or am I missing something? Thanks.

Yes. However, mangle OUTPUT will re-route in case of a fwmark change.

(Same for the nftables 'route' basechain type.)
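As an added example (not part of the original thread, and not the poster's or the netfilter project's own script): the PREROUTING rule from the quoted message copied into mangle OUTPUT so that sockets on the host itself get the same mark, the nftables equivalent using a `route`-type base chain on the output hook, and an `ip route get ... mark` check that shows which table the kernel would pick for a marked local packet. It assumes the 0x20/0xf0 mark scheme and the ADSL2 table from the quoted `ip rule show`, and uses 173.194.76.109 (one of the destinations shown there) as the sample destination; the nft rule is written the way iptables-translate renders `--set-xmark`, which is an assumption about the equivalence rather than something the thread states.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions: mark scheme 0x20/0xf0 and the "ADSL2" routing table from the
# quoted "ip rule show"; 173.194.76.109 is one of the quoted destinations.
# Run as root to apply; set DRY_RUN=1 to only print the commands.
set -eu

MARK=0x20
MASK=0xf0
PORTS=25,465,587,993,995
DST=173.194.76.109

# Print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The existing PREROUTING rule only sees forwarded packets. Locally
# generated packets are routed first and then traverse mangle OUTPUT; when a
# rule there changes the fwmark, the kernel repeats the routing decision, so
# "from all fwmark 0x20/0xf0 lookup ADSL2" now applies to them as well.
mark_local_output() {
    run iptables -t mangle -A OUTPUT -p tcp -d "$DST" \
        -m multiport --dports "$PORTS" \
        -m mark --mark 0x0/"$MASK" \
        -j MARK --set-xmark "$MARK"/"$MASK"
}

# nftables equivalent. The base chain type must be "route", not "filter":
# only a route chain on the output hook triggers the re-route after the mark
# changes. The bitwise form mirrors what iptables-translate emits for
# --set-xmark 0x20/0xf0 (mark = (mark & ~0xf0) ^ 0x20) -- an assumption.
nft_ruleset() {
    cat <<EOF
table ip mangle {
    chain output {
        type route hook output priority mangle; policy accept;
        ip daddr $DST tcp dport { $PORTS } meta mark and $MASK == 0 meta mark set mark and 0xffffff0f xor $MARK
    }
}
EOF
}

apply_nft() {
    nft_ruleset | run nft -f -
}

# Ask the kernel which route a marked packet to $DST would take; with the
# quoted ip rules the answer should come from table ADSL2, not main.
check_route() {
    run ip route get "$DST" mark "$MARK"
}

# Usage: ./local-fwmark.sh iptables | nft | check
case "${1:-}" in
    iptables) mark_local_output ;;
    nft)      apply_nft ;;
    check)    check_route ;;
esac
```

After applying either variant, `iptables -t mangle -vnL OUTPUT` should show the counters for the new rule increasing while a local mail client talks to the marked destination, and `ip route get 173.194.76.109 mark 0x20` should report a route from the ADSL2 table. Note that `ip route get` only exercises the routing lookup with a given mark; it does not run the OUTPUT chain, so it confirms the `ip rule` side, while the counters confirm the marking side.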