Patrick McHardy wrote:
> Bill Davidsen wrote:
> > Still working on this problem, I have found what appears to be a bug.
> > The documentation seems to indicate that in a route definition if I have
> > "src x.x.x.x" it defines the outgoing IP address. I'm cautiously going
> > to say that doesn't seem to be the case.
> >
> > I have these rules:
> >
> > firewall2:root> ip rule show
> > 0: from all lookup local
> > 32765: from all fwmark 0x1 lookup mail.in
> > 32766: from all lookup main
> > 32767: from all lookup 253
> >
> > which should (do) send marked packets to the ruleset "mail.in" (historic
> > name, not related to incoming mail). And I have these routes defined:
> >
> > firewall2:root> ip route show
> > 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.47
> > 64.65.253.0/24 dev eth1 scope link
> > 192.168.12.0/24 dev eth0 scope link
> > 169.254.0.0/16 dev eth1 scope link
> > 127.0.0.0/8 dev lo scope link
> > default via 192.168.1.1 dev eth2 src 192.168.1.47 metric 1
> >
> > firewall2:root> ip route show table mail.in
> > default via 64.65.253.1 dev eth1 src 64.65.253.246
> >
> > And if I run my multi-NIC tcpdump, I see that packets which are not
> > marked go out eth2, and those which ARE marked do in fact go out eth1 as
> > they should... but with the source IP of the default route, rather than
> > that specified in the mail.in definition. If I add
> >
> > iptables -A POSTROUTING -t nat -o eth1 -m mark --mark 1 -j SNAT --to 64.65.253.246
> >
> > to the nat table, all of a sudden everything works. Note, this is the
> > simple two ISP case, running internal to my site, not the nasty one I
> > described originally (below).
> >
> > So is the "src" portion of my table intended to set the source IP, or
> > did I misread the doc? And is that a bug or a feature?
>
> Source address selection is done before the first packet is generated,
> so the marks can't affect it. They just cause rerouting of the packet,
> but don't change the source address afterwards.

So what is the source specification used for then? If it doesn't set the
source IP, (and it doesn't, I need an SNAT rule), and it doesn't force
that source IP out the designated NIC, (doesn't do that, that's why I
came up with all the MARK rules), what exactly does it do? Or is it just
for documentation?
--
bill davidsen <davidsen@xxxxxxx>
CTO TMR Associates, Inc
Doing interesting things with small computers since 1979
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
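As an added illustration of Patrick's point (my own Python model, not code from the thread, from iproute2 or from the kernel): the `src` on a route is a preferred-source hint that is consulted when the kernel picks a source address at socket bind/connect time, before any packet exists and before the mangle OUTPUT MARK rule has run. That first lookup therefore happens unmarked and lands in `main`, so the socket ends up with 192.168.1.47. The later fwmark-driven reroute picks `mail.in` and so changes the device and gateway, but the already-chosen source stays, which is exactly why the SNAT rule is what makes it work. The rule and route text is the output quoted above; `lookup`/`send_packet` are a deliberately simplified model of that two-step behaviour (the `local` and `253` tables are not reproduced, and `bound_src` models an application that has explicitly bound its socket to an address, a case the thread does not discuss).

```python
"""Toy model of policy routing source-address selection (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rule and route listings as quoted in the thread.
RULES_TEXT = """\
0: from all lookup local
32765: from all fwmark 0x1 lookup mail.in
32766: from all lookup main
32767: from all lookup 253
"""

TABLES_TEXT = {
    "main": """\
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.47
64.65.253.0/24 dev eth1 scope link
192.168.12.0/24 dev eth0 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth2 src 192.168.1.47 metric 1
""",
    "mail.in": """\
default via 64.65.253.1 dev eth1 src 64.65.253.246
""",
}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None
    src: Optional[str] = None   # the "preferred source" hint


@dataclass
class Rule:
    prio: int
    fwmark: Optional[int]
    table: str


def parse_rules(text: str) -> List[Rule]:
    """Parse `ip rule show` lines; only fwmark selectors are modelled."""
    rules = []
    for line in text.splitlines():
        prio, rest = line.split(":", 1)
        toks = rest.split()
        mark = int(toks[toks.index("fwmark") + 1], 16) if "fwmark" in toks else None
        rules.append(Rule(int(prio), mark, toks[toks.index("lookup") + 1]))
    return sorted(rules, key=lambda r: r.prio)


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show` lines into Route objects."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        prefix = ipaddress.ip_network("0.0.0.0/0" if toks[0] == "default" else toks[0])
        route = Route(prefix, dev=toks[toks.index("dev") + 1])
        if "via" in toks:
            route.via = toks[toks.index("via") + 1]
        if "src" in toks:
            route.src = toks[toks.index("src") + 1]
        routes.append(route)
    return routes


RULES = parse_rules(RULES_TEXT)
TABLES: Dict[str, List[Route]] = {n: parse_routes(t) for n, t in TABLES_TEXT.items()}


def lookup(dst: str, fwmark: int, rules=RULES, tables=TABLES) -> Optional[Route]:
    """Walk rules by priority; first table holding a match wins, longest prefix within it."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        table = tables.get(rule.table)
        if table is None:          # 'local' and '253' not reproduced in this model
            continue
        matches = [r for r in table if addr in r.prefix]
        if matches:
            return max(matches, key=lambda r: r.prefix.prefixlen)
    return None


def send_packet(dst: str, mark: int, bound_src: Optional[str] = None,
                rules=RULES, tables=TABLES) -> dict:
    """Model a locally generated packet.

    Step 1: source selection at connect time. No MARK rule has run yet, so the
            lookup is unmarked; the route's `src` hint is used unless the socket
            is already bound to an address.
    Step 2: after the mangle OUTPUT MARK rule the packet is rerouted with the
            mark. That picks the device/gateway but leaves the source alone.
    """
    initial = lookup(dst, 0, rules, tables)
    chosen_src = bound_src or (initial.src if initial else None)
    final = lookup(dst, mark, rules, tables)
    table_src = final.src if final else None
    return {
        "dev": final.dev if final else None,
        "src": chosen_src,                       # what actually goes on the wire
        "table_src": table_src,                  # what the marked table's `src` asked for
        "snat_needed": table_src is not None and table_src != chosen_src,
    }


if __name__ == "__main__":
    for mark in (0, 1):
        print(mark, send_packet("203.0.113.10", mark))   # 203.0.113.10: constructed destination
```

Running it shows the marked packet leaving `eth1` with source 192.168.1.47 and `snat_needed` True, i.e. the situation in the tcpdump above, while the unmarked packet leaves `eth2` with a source that already matches its table.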