Hello, bsilva wrote:
> At my job, we use iptables commands to mark packets to use alternate routing tables. Basically, we're using this to have two default gateways: some traffic types go out interface A to one gateway, other types of traffic go out interface B to a second gateway. The issue is that by the time the packet gets to the routing table, the source IP address has already been set, and we get the packets exiting interface B but with the source IP address of interface A.
Indeed, this is a common issue.
> The only way we've found to correct this is to have the application that generates the traffic bind to the particular source IP address of the interface that it's eventually going to use. Is there a better way to do it?
You can use SNAT or MASQUERADE, but IMO having the application bind to the desired source address is a cleaner way when applicable. NAT does not work well with all kinds of traffic. Besides, source-based routing is easier than mark-based routing, as it does not need iptables rules.
> I see this nice box on Jan Engelhardt's Packet Flow graph labeled "reroute check", but I don't see a way to invoke it. I was hoping that adding a "src 123.123.123.2" parameter to the route statement would invoke reroute, but that doesn't seem to happen. Or is the "reroute check" only used in NAT cases?
The reroute check just updates the routing decision due to an address translation or a mark set in the OUTPUT chains. The "src" option in a route is used only in the first routing decision before the OUTPUT chains, when the packet is created without a defined source address. A routing decision does not change the defined source address.
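The application-side fix discussed in this thread (bind to the source address before connecting, so the first routing decision never gets to pick it), shown as an added example that is not part of the original thread. It stands up a throw-away TCP listener on the loopback so it runs offline; the addresses 127.0.0.1 and 127.0.0.2 are constructed stand-ins for the addresses of interface A and interface B (the loopback is 127.0.0.0/8 on Linux, so both are local there). The function and variable names are mine, not from any posted code.

```python
import socket
import threading


def can_bind(ip):
    """Return True if ip is a local address this host will let us bind to.

    Used only so the 127.0.0.2 demonstration degrades gracefully on systems
    whose loopback is not configured as a /8.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((ip, 0))
        return True
    except OSError:
        return False
    finally:
        s.close()


def connect_from(src_ip, dst_ip, dst_port):
    """Open a TCP connection to dst and return the source address actually used.

    When src_ip is given, bind() runs before connect(): the socket's source
    address is then fixed before the kernel's first routing decision, which is
    what the thread recommends. Port 0 lets the kernel choose an ephemeral
    source port. When src_ip is None the kernel picks the source address
    itself from the route to dst, which is the behaviour the original poster
    is fighting with mark-based routing.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if src_ip is not None:
            s.bind((src_ip, 0))
        s.connect((dst_ip, dst_port))
        return s.getsockname()[0]
    finally:
        s.close()


def observed_source(src_ip, listen_ip="127.0.0.1"):
    """Return the peer address the server side saw for one client connection.

    Constructed setup: a local listener on listen_ip, a client that connects
    to it with (or without) a pinned source address, and the address the
    listener recorded for that client.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_ip, 0))
    listener.listen(1)
    listener.settimeout(5)  # never hang the caller if the client side fails
    port = listener.getsockname()[1]
    seen = {}

    def serve_once():
        try:
            conn, peer = listener.accept()
            conn.close()
            seen["peer"] = peer[0]
        except OSError:
            pass

    t = threading.Thread(target=serve_once)
    t.start()
    try:
        connect_from(src_ip, listen_ip, port)
    finally:
        t.join()
        listener.close()
    return seen.get("peer")


if __name__ == "__main__":
    # Kernel-chosen source when nothing is bound: 127.0.0.1 for a 127.0.0.1 target.
    print("unbound client seen as:", observed_source(None))
    # Pinned source: the listener sees exactly the address we bound.
    if can_bind("127.0.0.2"):
        print("client bound to 127.0.0.2 seen as:", observed_source("127.0.0.2"))
```

On the kernel side, the source-based alternative the reply prefers needs only iproute2, no iptables marks: with example values, `ip rule add from 192.0.2.2 table 100` selects a separate table for packets already carrying interface B's address, and `ip route add default via 192.0.2.1 dev ethB table 100` gives that table its own default gateway. That works precisely because the application has fixed the source address first, as the block above does; a route's `src` option only influences the initial choice for sockets that did not bind.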
-- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html