Martijn van Oosterhout wrote:
On Thu, Jun 15, 2006 at 12:24:01AM -0400, Bill Davidsen wrote:
With IP bound to NIC, I can just SNAT all SYN packets to http/ftp ports
to originate from the desired IP, and get implicit routing via the right
NIC. With the default routing based on destination I go into the mangle
table and start MARKing packets, creating source routing tables and
rules, etc. All of which is very time consuming and gets amazingly ugly
when you add routing for multiple VPN connections, etc.
Wait, I'm confused. There are systems out there that use the Iface
column in the routing table as a selector to determine which route to
use? I was always under the impression that the interface was an output
of the routing table not an input.
Also source routing doesn't require any firewall rules or marking of
packets.
If you can show me another way to send all tcp packets to certain ports
out one interface and all other packets out another, given that both
interfaces connect to a different ISP, have full connectivity, and are
default routes, I would be grateful. The packet marking was suggested to
me by David Miller some years ago, since I need to route using port
addresses to determine source IP and interface used.
I'm clearly not alone, you rejected various patches for 2.4 aimed at
various parts of this or partial solutions, and only the ARP changes
seem to be present. People who need this capability don't care if it's
default, we just want it to be simpler to use than what's there. Hope
that's clearer.
I think the current system is clear and simple. I'm not sure I
understand how your suggestion would work. Where does the interface
play a role in route selection?
Only routes via an interface which has the source IP are considered,
otherwise routing is as it currently exists. In addition to selecting a
route using "can I get there from here" rules, I want to reject
selection of any interface without the source IP configured.
NOTE: this only becomes a problem when there are two (or more) default
routes, and the optimal interface is selected for reasons other than
just connectivity. Some user in Europe had similar problems, where one
ISP billed by the bandwidth and another by byte count. One of those was
frame relay, but I last visited this years ago and don't have the
details online (if at all).
The 2.4 patch was similar to the way ARP response is controlled, but
that patch is backed up to DC600 tape and would take a lot of effort to
find and port to 2.6. I'd love an "official" patch to do this, so it
could become part of the mainline kernel.
Did I explain it better this time?
--
bill davidsen <davidsen@xxxxxxx>
CTO TMR Associates, Inc
Doing interesting things with small computers since 1979
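As an added illustration (not part of the thread, and not Bill's or anyone else's posted configuration), this is the "mangle table, MARK, extra routing table and rule" setup the message describes, for the case it asks about: TCP to the http/ftp ports leaves via a second ISP with that ISP's source address, everything else follows the normal default route. Interface names, addresses, table number and mark value are assumed placeholders.

```shell
#!/bin/sh
# Added example: fwmark-based policy routing for two ISPs on Linux.
# All interface names, addresses, the table number and the mark are
# assumed placeholders; adjust before use.
set -eu

ISP_A_IF=eth0; ISP_A_IP=192.0.2.10;    ISP_A_GW=192.0.2.1      # default ISP
ISP_B_IF=eth1; ISP_B_IP=198.51.100.10; ISP_B_GW=198.51.100.1   # http/ftp ISP
TABLE_B=100    # extra routing table whose only default route is ISP B
MARK_B=0x1     # fwmark for traffic that must leave via ISP B
DRY_RUN=${DRY_RUN:-0}

# Print each command; execute it unless DRY_RUN=1, so the whole rule set
# can be reviewed before it touches a live router.
run() { echo "$*"; [ "$DRY_RUN" = 1 ] || "$@"; }

setup_policy_routing() {
    # 1. Re-apply the connection mark to later packets of a known connection,
    #    so a whole connection stays on the interface its SYN chose.
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    # 2. New TCP connections to ftp/http get the mark; the kernel re-runs the
    #    routing decision after mangle OUTPUT when the mark changes.
    run iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 21,80 \
        -m conntrack --ctstate NEW -j MARK --set-mark "$MARK_B"
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW \
        -j CONNMARK --save-mark
    # 3. Source address must match the egress link, or ISP B's ingress
    #    filtering drops the packet and replies would come back via ISP A.
    run iptables -t nat -A POSTROUTING -o "$ISP_B_IF" \
        -j SNAT --to-source "$ISP_B_IP"
    # 4. Second table: default via ISP B only.
    run ip route replace default via "$ISP_B_GW" dev "$ISP_B_IF" table "$TABLE_B"
    # 5. Rules: marked packets, and anything already sourced from ISP B's
    #    address (replies to inbound connections), consult that table.
    run ip rule add fwmark "$MARK_B" table "$TABLE_B"
    run ip rule add from "$ISP_B_IP" table "$TABLE_B"
    run ip route flush cache
}

# Usage: DRY_RUN=1 ./policy-route.sh to review, then run as root to apply.
# (ISP_A_* values are kept for the main table's ordinary default route.)
[ "${0##*/}" = "policy-route.sh" ] && setup_policy_routing
```

Check the result with `ip rule show` and `ip route show table 100`; the ordering of the three mangle rules matters, since the restore must run before the NEW-connection mark and save.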