Re: [A BUG?]: routing with multiple default routes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Patrick McHardy wrote:

Bill Davidsen wrote:

Still working on this problem, I have found what appears to be a bug.
The documentation seems to indicate that in a route definition if I have
"src x.x.x.x" it defines the outgoing IP address. I'm cautiously going
to say that doesn't seem to be the case.

I have these rules:

   firewall2:root> ip rule show
   0:      from all lookup local
   32765:  from all fwmark 0x1 lookup mail.in
   32766:  from all lookup main
   32767:  from all lookup 253

which should (do) send marked packets to the ruleset "mail.in" (historic
name, not related to incoming mail). And I have these routes defined:

   firewall2:root> ip route show
   192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.47
   64.65.253.0/24 dev eth1  scope link
   192.168.12.0/24 dev eth0  scope link
   169.254.0.0/16 dev eth1  scope link
   127.0.0.0/8 dev lo  scope link
   default via 192.168.1.1 dev eth2  src 192.168.1.47  metric 1
   firewall2:root> ip route show table mail.in
   default via 64.65.253.1 dev eth1  src 64.65.253.246

And if I run my multi-NIC tcpdump, I see that packets which are not
marked go out eth2, and those which ARE marked do in fact go out eth1 as
they should... but with the source IP of the default route, rather than
that specified in the mail.in definition. If I add

    iptables -A POSTROUTING -t nat -o eth1 -m mark --mark 1 -j SNAT
   --to 64.65.253.246

to the nat table, all of a sudden everything works. Note, this is the
simple two ISP case, running internal to my site, not the nasty one I
described originally (below).

So is the "src" portion of my table intended to set the source IP, or
did I misread the doc? And is that a bug or a feature?



Source address selection is done before the first packet is generated,
so the marks can't affect it. They just cause rerouting of the packet,
but don't change the source address afterwards.
So what is the source specification used for then? If it doesn't set the source IP, (and it doesn't, I need an SNAT rule), and it doesn't force that source IP out the designated NIC, (doesn't do that, that's why I came up with all the MARK rules), what exactly does it do? Or is it just for documentation? 

--
bill davidsen <davidsen@xxxxxxx>
 CTO TMR Associates, Inc
 Doing interesting things with small computers since 1979

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Netdev]     [Ethernet Bridging]     [Linux 802.1Q VLAN]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Git]     [Bugtraq]     [Yosemite News and Information]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux PCI]     [Linux Admin]     [Samba]

  Powered by Linux