Policy routing issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'm having an unusual problem with a Policy Routing setup.  I have a
combination of IPtables and Policy Routing rules that force certain
protocols out one interface and other protocols out the other interface.
The problem is that SNMP traps are exiting the correct interface, but
with the IP address of the other interface!

Furthermore, the situation only occurs if the destination is not local.
If the destination is local, the packet exits the correct interface with
the correct source IP.  If the destination is via a gateway, then the
packet exits via the correct interface, but with the wrong source IP.

I'm at a loss.  The rules and routes all appear to work correctly, it's
just the final assignment of the source IP that seems to be wrong.  It
appears to me that I've found a bug in the kernel, but I'm not sure.  Any
clues or further things to look at would be very helpful.


Thanks in advance,
Brad

---------------------------------------------------

I'm running kernel 2.6.16.55 on a custom distribution.

Here's the route rules and route tables: (I've simplified the setup for
this problem)

$ iptables -L -t mangle
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere            tcp dpt:162
MARK set 0x1

$ ip rule list
0:	from all lookup 255
2000:	from all fwmark 0x1 lookup 1
32766:	from all lookup main
32767:	from all lookup default

(I know that route table 1 is being selected since I can change these
routes and the result changes as expected)
$ ip route list table 1
192.168.105.0/24 dev bond2  scope link  src 192.168.105.79
default via 192.168.105.6 dev bond2  src 192.168.105.79

(note that even though the route specifies a "src 192.168.105.79" and
the cache entry shows the correct "via" address, the "from" address is
192.168.123.79!)
$ ip route list cache
....
192.168.100.254 from 192.168.123.79 via 192.168.105.6 dev bond2
    cache  (null) 1500 ssthresh 1460 advmss 64
....





--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux