Hello!

> This means that ip_route_output_key() returns a route with a different
> outgoing interface than the skb->dst->dev of our to-be-masqueraded
> packet.
>
> Why was it wrong to specify skb->dst->dev->ifindex of the previous
> 'real' routing decision as key to our current routing decision?

Because in the situation when ip_route_output_key() with oif=0 returns
a result different from the previous ip_route_output_key(), you get an
undefined result.

I expected that you do ip_route_output_key() on the _rewritten_ address;
in this case you have to _drop_ the packet if routing contradicts the
firewalling rules, or to send the packet via that interface which routing
requires. You cannot just blindly send the packet to some random interface
when the firewalling rules are illegal.

> As an example case where I would suspect problems: The packet could be
> coming from a local socket, and the socket be bound to a specific
> interface (sk->bound_dev_if).

This is a right observation. F.e. you could use
skb->sk ? skb->sk->bound_dev_if : 0.

Alexey
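
The check discussed in this message, as a user-space C model added here for illustration (it is not code from the thread or from the kernel): the route is looked up again on the rewritten source address, the oif key comes from the socket binding if there is one, and the packet is dropped when the result contradicts the interface chosen earlier. All struct and function names, the routing table and the sample addresses are constructed assumptions.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* User-space model only: these types and names are hypothetical, not kernel structures. */
struct route_key { uint32_t src, dst; int oif; };            /* oif == 0: any interface */
struct route     { uint32_t src, src_mask, dst, dst_mask; int ifindex; };
struct packet    { uint32_t saddr, daddr; int dst_ifindex;   /* models skb->dst->dev->ifindex */
                   int has_sk, bound_dev_if; };              /* models skb->sk, sk->bound_dev_if */
enum verdict { MASQ_DROP = 0, MASQ_SEND = 1 };

/* Constructed table: traffic sourced from 192.0.2.1 is policy-routed via ifindex 3. */
static const struct route table[] = {
    { 0xC0000201u, 0xFFFFFFFFu, 0, 0, 3 },
    { 0, 0, 0, 0, 2 },                                       /* default via ifindex 2 */
};

/* First matching route wins; a non-zero key.oif restricts the match to that interface. */
static int route_lookup(const struct route_key *k)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct route *r = &table[i];
        if ((k->src & r->src_mask) != r->src || (k->dst & r->dst_mask) != r->dst)
            continue;
        if (k->oif != 0 && k->oif != r->ifindex)
            continue;
        return r->ifindex;
    }
    return -1;                                               /* no route */
}

/* Re-route on the rewritten source; drop when the result contradicts the earlier decision. */
static enum verdict masq_check(const struct packet *p, uint32_t new_saddr)
{
    struct route_key k = { new_saddr, p->daddr, p->has_sk ? p->bound_dev_if : 0 };
    int ifindex = route_lookup(&k);
    return (ifindex < 0 || ifindex != p->dst_ifindex) ? MASQ_DROP : MASQ_SEND;
}

int main(void)
{
    struct packet fwd = { 0x0A000005u, 0x08080808u, 2, 0, 0 };   /* constructed sample */
    printf("rewritten to 192.0.2.1: %s\n", masq_check(&fwd, 0xC0000201u) ? "send" : "drop");
    printf("rewritten to 198.51.100.1: %s\n", masq_check(&fwd, 0xC6336401u) ? "send" : "drop");
    return 0;
}
```

The model implements only the drop alternative; sending via the interface that routing requires would return the looked-up ifindex instead of a verdict.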