Marco Gaiarin <gaio@xxxxxxxxx> wrote:

>> Why does the interface need to be in 'default route'? Thanks.
>
>As suggested by a private reply, I've disabled 'rp_filter' and packets
>flow correctly.
>
>AFAI've understood, packets get routed correctly to the intended
>interface, but when the reply comes back the reverse path filter interprets
>it as 'impossible' (because there's no forward route, and this is
>true indeed), and filters it away.
>
>
>Is there some 'smarter' way, or fine-grained way, or do I have to disable
>rp_filter as the only option?

Another possibility is that, because you're using fwmark in the routing, you're running afoul of the src_valid_mark sysctl. By default (src_valid_mark = 0), fwmark is not checked when performing rp_filter reverse path route lookups. Enabling net.ipv4.conf.*.src_valid_mark will cause the fwmark to be utilized for the reverse path lookup.

-J

---
-Jay Vosburgh, jay.vosburgh@xxxxxxxxxxxxx
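
An added example, not part of the original message: a shell check that lists the interfaces where rp_filter is active while src_valid_mark is still 0, which is the combination described in the reply above. The function names and the optional directory argument are hypothetical; the "effective value is the maximum of conf/all and conf/<interface>" rule is taken from the kernel's ip-sysctl documentation, not from this thread.

```shell
#!/bin/sh
# Added example: report interfaces whose reverse-path filter is on
# (rp_filter 1 = strict, 2 = loose) but whose reverse-path lookup ignores
# the packet's fwmark (src_valid_mark = 0).
# rp_mark_audit, read_conf and max are hypothetical helper names.

# Print the content of one sysctl file, or 0 if it is missing or unreadable.
read_conf() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# Print the larger of two integers.
max() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Usage: rp_mark_audit [conf_dir]
# conf_dir defaults to the live kernel tree; a copy can be passed instead.
rp_mark_audit() {
    conf="${1:-/proc/sys/net/ipv4/conf}"
    all_rp=$(read_conf "$conf/all/rp_filter")
    all_svm=$(read_conf "$conf/all/src_valid_mark")
    for dir in "$conf"/*/; do
        [ -d "$dir" ] || continue
        ifname=$(basename "$dir")
        # "all" is folded into every interface below; "default" is only
        # a template for interfaces created later.
        case "$ifname" in all|default) continue ;; esac
        # Effective value = max(conf/all, conf/<interface>) for both knobs.
        rp=$(max "$all_rp" "$(read_conf "$dir/rp_filter")")
        svm=$(max "$all_svm" "$(read_conf "$dir/src_valid_mark")")
        if [ "$rp" -ne 0 ] && [ "$svm" -eq 0 ]; then
            echo "$ifname rp_filter=$rp src_valid_mark=$svm"
        fi
    done
}
```

Called with no argument, `rp_mark_audit` reads the running kernel's settings; each line it prints names an interface where fwmark-based policy routing and the reverse path filter can disagree.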