On Tuesday 2010-06-22 09:20, Patrick McHardy wrote: >>>>> >>>> If veth0 has 10.0.0.0/24 and veth1 has 10.0.0.0/24, >>>> wouldn't Linux's ARP mechanism already be confused, in >>>> that it only sends ARP to the first network matching >>>> the subnet? >>>> >>> This patch is intended to be used *without* looping packets through >>> veth. But good point, I chose that example to simplify things, the >>> use case I'm interested in is actually tunnels. Apparently it wasn't >>> the best possible example :) >>> >> >> Now you completely lost me. Without separate namespaces and veth >> to exchange packets between them, >> >> # ip a >> 8: iptnl1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state >> UNKNOWN link/ipip 5.6.7.8 peer 1.2.3.4 >> inet 10.0.0.1/24 scope global iptnl1 >> 9: iptnl2: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state >> UNKNOWN link/ipip 5.6.7.8 peer 9.10.11.12 >> inet 10.0.0.1/24 scope global iptnl2 >> >> # ip r >> 10.0.0.0/24 dev iptnl1 proto kernel scope link src 10.0.0.1 10.0.0.0/24 dev >> iptnl2 proto kernel scope link src 10.0.0.1 >> will lead to exclusive delivery to iptnl1 for packets that originate >> from the router itself. >> ... >> Seems sufficient. >> > > How is that sufficient for talking to both networks? Well I would like to know that. I've just been trying to set this up in practice with three VMs, and somewhere after the nat table the routing table seems to drop packets and I can't figure the hell out why. Damn there's no TRACE target in routing, nor are there statistics. *raw :PREROUTING ACCEPT [26388:4065836] :OUTPUT ACCEPT [26:2742] -A PREROUTING -i iptnl6 -j CT --zone 6 -A PREROUTING -i iptnl13 -j CT --zone 13 COMMIT # Completed on Mon Jun 28 16:38:13 2010 # Generated by iptables-save v1.4.8 on Mon Jun 28 16:38:13 2010 *nat :PREROUTING ACCEPT [45485:7326470] :INPUT ACCEPT [5:973] :OUTPUT ACCEPT [9:646] :POSTROUTING ACCEPT [9:646] -A PREROUTING -s 10.0.0.0/24 -d 10.0.1.0/24 -i iptnl6 -j NETMAP --to 10.0.0.0/24 -A PREROUTING -s 10.0.0.0/24 -d 10.0.1.0/24 -i iptnl13 -j NETMAP --to 10.0.0.0/24 -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -o iptnl6 -j NETMAP --to 10.0.1.0/24 -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -o iptnl13 -j NETMAP --to 10.0.1.0/24 COMMIT vestra:/proc/net # ip ru l 0: from all lookup local 32764: from all iif iptnl6 lookup 6 32765: from all iif iptnl13 lookup 13 32766: from all lookup main 32767: from all lookup default vestra:/proc/net # ip r l table 6 default dev iptnl13 scope link vestra:/proc/net # ip r l table 13 default dev iptnl6 scope link It really _should_ be enough to do that. (Yes, rp_filter=0, log_martians=1.) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
