Re: Patch using ipset match in policy routing.

On Tue, 4 Dec 2012, borg@xxxxxxx wrote:

> Uh. Seems you didn't read whole email?
> This is generally a fix for wrong src addr in policy routing:
> https://bugzilla.kernel.org/show_bug.cgi?id=16216
> 
> While using iptables MARK and ip rule fwmark works for forwarded
> packets, this breaks locally generated packets making them
> routed correctly but having wrong src addr.
> This is because kernel first lookups routing table
> to get src addr and then pass packet to netfilter.
> In that stage is too late to do policy routing for locally
> generated packets.
> 
> This should be fixed, but unfortunately it's not easy.

But you want to give an ipset-specific answer to a generic issue: fwmark 
is independent of ipset.

As far as I see, it's a chicken and egg problem: the kernel must lookup 
the routing table first to select a source address and that can't be 
changed later by policy routing.

In the bugzilla thread Ambroz Bizjak suggested using SNAT. Why isn't it 
a good solution?

The application could also be started in a net namespace.

> PS: Does IPSET have any mailing list or contacts? I couldn't
> find them.. That's why I mailed netfilter-devel.

netfilter-devel is perfect for ipset.

[Please don't top post.]

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary