Hello,

ulmo@xxxxxxxxx wrote:
> The software in question has the capability to bind to specified addresses, but not to send packets out over specified interfaces, which is necessary.
It is easy to do source address-based routing:

ip rule add from <address> lookup <table>
> iptables -t mangle -A OUTPUT -m owner --uid-owner asterisk -j MARK --set-mark 42 &&
> iptables -t nat -A POSTROUTING -o $dev -m mark --mark 42 -j SNAT --to-source $ifaceaddr &&
> ip rule add fwmark 42 table 42 &&
> ip route add default via $gw dev $dev table 42
>
> To wit, all the above works, except that when the packets come back, the process in question doesn't receive them. tcpdump shows everything working as desired up to that point: the packets go out, they get responses which come back. The disconnect is somewhere between the return packets coming back and them being put into the process's connection as desired inside the OS, I'm pretty sure.
Check your iptables filtering rules, and that source validation by reverse path filtering is disabled on the alternate interface (/proc/sys/net/ipv4/conf/<interface>/rp_filter=0). It is disabled by default in the kernel, but startup scripts in some distributions enable it.
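A small diagnostic helper for the two checks suggested above (filter rules and rp_filter), added here as an example; it is not part of the original thread. The effective reverse-path setting for an interface is the larger of conf/all/rp_filter and conf/<iface>/rp_filter, so both files are read. The second argument (a proc root that defaults to /proc) is an assumption added so the check can be exercised against a constructed directory tree without root; the mark and table numbers default to the 42 used in the quoted rules.

```shell
#!/bin/sh
# Added example, not from the original post. Reports whether reverse-path
# filtering would discard replies arriving on an alternate interface, and
# bundles the live-system commands a practitioner would run to inspect the
# mark/SNAT/policy-routing setup quoted above.
#
# rp_filter values: 0 = off, 1 = strict (reply source must route back out the
# same interface in the normal lookup), 2 = loose (any interface will do).
# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter).

read_rp_filter() {
    # $1 = interface name, $2 = proc root (assumption: defaults to /proc so the
    # function can be pointed at a constructed tree for testing)
    root="${2:-/proc}"
    all_val=$(cat "$root/sys/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    if_val=$(cat "$root/sys/net/ipv4/conf/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$all_val" -gt "$if_val" ]; then
        echo "$all_val"
    else
        echo "$if_val"
    fi
}

rp_filter_blocks_replies() {
    # true (exit 0) only for strict mode, which is the setting that drops
    # replies whose source would not normally be routed via this interface
    [ "$(read_rp_filter "$1" "$2")" -eq 1 ]
}

show_policy_routing_state() {
    # Inspection commands for the live box (need root). Wrapped in a function
    # so that sourcing this file executes nothing.
    dev="$1"; table="${2:-42}"
    echo "== effective rp_filter on $dev: $(read_rp_filter "$dev")"
    iptables -t mangle -L OUTPUT -v -n      # MARK rule and its packet counters
    iptables -t nat -L POSTROUTING -v -n    # SNAT rule for the marked packets
    iptables -L INPUT -v -n                 # any DROP/REJECT that matches the replies
    ip rule show                            # fwmark rule must be listed
    ip route show table "$table"            # default route in the mark table
}

disable_rp_filter() {
    # sysctl form of writing 0 to the /proc files named in the reply above.
    # An interface whose name contains a dot (eth0.100) must be written with a
    # slash (eth0/100) in sysctl keys, because sysctl treats dots as separators.
    sysctl -w net.ipv4.conf.all.rp_filter=0
    sysctl -w "net.ipv4.conf.$1.rp_filter=0"
}
```

If rp_filter_blocks_replies reports strict mode on the alternate interface, disable_rp_filter is the fix the reply proposes; if it reports 0 and the INPUT chain is clean, the remaining suspects are the nat rule not matching (check the POSTROUTING counters) or conntrack not reversing the SNAT on the way back.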
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html