Konstantin Ushakov wrote:
Netfilter team,

we use netfilter under Linux kernel 2.4.31 and have the problem described below. Note that it can easily be reproduced on the latest kernels.

- we want to connect to some host on TCP port 80
- in the kernel, at some point we get to the ip_route_output_slow function
- in this function the kernel searches for a route for the packet:

        if (fib_lookup(&key, &res)) {
                res.fi = NULL;
                if (oldkey->oif) {      <- oif is zero at this point, so we miss that "if"
                        ......
                }
                ...
                err = -ENETUNREACH;
                goto out;
        }

  It fails to find one, as we don't have the fwmark set for the packet and there is no route for packets without the fwmark (see the configuration attached). So ENETUNREACH is returned and the packet fails to be sent.

In fact the packet could be routed correctly, but this would happen in the ip_build_xmit function, in the netfilter hook for LOCAL_OUT packets.

Questions:
- is it a bug, or is it a deliberate decision to have such behaviour?
- is there any known ad-hoc solution for the problem?
It's a consequence of how routing by fwmark works. It's not perfect, but I don't see a better solution, since the initial routing takes place before we even have a packet. Just add a route to the dummy device or something like that; that should make sure you don't get ENETUNREACH.
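The workaround the reply suggests, written out as an added example that is not part of the original thread or of the netfilter project: the fwmark policy itself (mark outbound TCP/80 in the mangle OUTPUT chain and route marked packets through a separate table), plus a default route to a dummy device in the main table so that the first, unmarked fib_lookup() in ip_route_output_slow() succeeds instead of returning ENETUNREACH. The mark value, table number, gateway address and interface names are assumed placeholders. The script defaults to DRY_RUN=1 and only prints the commands; run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread): policy routing by fwmark with a
# dummy-device fallback route so the initial route lookup for an unmarked packet
# does not fail with ENETUNREACH.
# MARK, TABLE, GW, EGRESS and DUMMY are assumed placeholder values.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

MARK=${MARK:-1}          # fwmark applied to outbound TCP/80 traffic
TABLE=${TABLE:-100}      # routing table consulted for marked packets
GW=${GW:-192.0.2.1}      # assumed gateway for marked traffic (TEST-NET-1 address)
EGRESS=${EGRESS:-eth0}   # assumed real egress interface
DUMMY=${DUMMY:-dummy0}   # interface that only absorbs the first, unmarked lookup
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The actual policy. The MARK target runs in the LOCAL_OUT hook, i.e. after
# ip_route_output_slow() has already been called once with fwmark == 0; once the
# mangle OUTPUT hook sees that the mark changed, it re-routes the packet, and the
# fwmark rule then selects TABLE.
fwmark_policy() {
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$GW" dev "$EGRESS" table "$TABLE"
}

# The workaround from the reply: a default route in the main table that points at
# a dummy device. The first (unmarked) lookup now succeeds, so the socket is not
# refused with ENETUNREACH; the packet is never actually transmitted on the dummy
# device because it is re-routed through TABLE after being marked. The high metric
# keeps any real default route that is added later preferred over this one.
dummy_fallback() {
    run modprobe dummy          # on 2.4-era kernels the dummy driver is usually a module
    run ip link set "$DUMMY" up
    run ip route add default dev "$DUMMY" metric 1000
}

# Order matters only for readability here; both parts are needed.
fwmark_routing_setup() {
    dummy_fallback
    fwmark_policy
}

fwmark_routing_setup
```

Check the result with `ip rule show` and `ip route show table 100`: the fwmark rule must precede the main-table lookup (ip rule assigns it a lower preference number than the `main` rule by default), otherwise the dummy route would be selected for the marked packet as well.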