Hello,

On Sun, 11 Jan 2004, Harald Welte wrote:

> As an example case where I would suspect problems: The packet could be
> coming from a local socket, and the socket be bound to a specific
> interface (sk->bound_dev_if).

IMO, the real example is that people use multipath routes and providing oif was the only way for MASQUERADE to meet the netfilter and firewalling expectations of not changing the output device during hooks. OTOH, providing oif=0 is the valid approach for selecting the right route, but as long as the above expectation exists there are two options for the users:

- provide oif learned from the input route (as before the discussed change). Maybe in 99% of the setups it selects the right route. I think we should use this, at least for 2.4.

- use CONNMARK or similar functionality to keep the connection bound to its path.

As long as CONNMARK is not a standard feature there is no safe way to use multipath routes with MASQUERADE and SNAT in the latest kernels. Even before this change it was risky to rely on the routing cache to keep NAT connections bound to their path in the multipath route - the cache entries expire.

Regards

--
Julian Anastasov <ja@ssi.bg>
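The second option in the message above (CONNMARK keeping a connection bound to its path), as an added example that is not part of the original message: a generator that prints the rules for forwarded traffic instead of applying them. The interface names, gateways, marks and the "table number equals mark" convention are constructed sample values and assumptions.

```shell
#!/bin/sh
# Added example. Prints (does not apply) rules that pin each forwarded, NATed
# connection to the uplink its first packet was routed to.
# Constructed sample values: interface names, gateways, marks. Assumption:
# the per-uplink routing table number equals the mark. IPv4 gateways only.

# usage: emit_pinning_rules "dev:gateway:mark" ...
emit_pinning_rules() {
    # Copy the mark saved in the conntrack entry onto each incoming packet
    # before the routing decision (a new connection has no mark yet, so it
    # falls through to the main table and its multipath default route).
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
    for uplink in "$@"; do
        dev=${uplink%%:*}; rest=${uplink#*:}
        gw=${rest%%:*};    mark=${rest#*:}
        # First packet of a connection leaving via this uplink: store the
        # path the multipath route picked in the conntrack entry.
        echo "iptables -t mangle -A POSTROUTING -o $dev -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark"
        echo "iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE"
        # Marked packets bypass the multipath route: one table per uplink.
        echo "ip route add default via $gw dev $dev table $mark"
        echo "ip rule add fwmark $mark table $mark"
    done
}

# Two constructed uplinks; review the output before running it as root.
emit_pinning_rules "eth1:192.0.2.1:1" "eth2:198.51.100.1:2"
```

With these rules the path no longer depends on a routing cache entry surviving: every later packet of the connection carries the saved mark and is routed by the matching table.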