Nikolaus Rath wrote:
>
> I see. Out of curiosity: how is the source address selected when the
> packet is created, and in which situation would the source entry in the
> routing table become effective?

The source address selection process is quite complicated and I'm not sure I know all the details. As far as I know, the selected source address is, in decreasing order of priority:

- the source address specified by the sending process/socket
- the source address specified in the routing table entry used for the destination
- the address of the output interface matching the destination prefix of the routing table entry
- the address of the output interface
- any other suitable address of any other interface (i.e. not a loopback address if the destination is not local)

>> Possible workarounds:
>> - Add a route on ebox to let it know that 192.168.17.47 is reachable
>> through rath. My favourite choice.
>
> Yes, that would be the simplest solution. But the problem is that this
> address varies depending on how and where vostro got its connectivity. Or
> did you mean something other than a static extra route?

I mean any means to create that route. It may be dynamic, using a routing protocol. However, if rath is a tunnel using the other address for encapsulation, this workaround may not be easily applicable (encapsulated packets must still be routed normally).

>> - Use SNAT to the address of the output interface on vostro.
>
> Sounds ugly...

Yes. But simple to set up and effective.

>> - Use connection mark (connmark) by iptables on ebox so that replies to
>> original packets received on a given interface are forwarded to the same
>> interface.
>
> I guess I'll try this. Could you give some more details? I'm not sure
> how to create a rule that *changes* the outgoing interface.

It's not very different from marking packets for advanced routing.
I haven't done that recently, but here is a basic overview:

# mark the connections of packets received on rath
iptables -t mangle -A PREROUTING -i rath -j CONNMARK --set-mark 1

# copy the connection mark to the packets received on eth0
iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark

# use the mark to route packets received on eth0
ip rule add fwmark 1 dev eth0 table tovpn

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
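The three commands in the overview above are the core of the connmark workaround, but on their own the fwmark rule points at a routing table that contains nothing, so marked replies would fall through to the main table and still leave via eth0. The script below is an added example, written for this page and not taken from the original post or from the netfilter project; it wires up the whole thing on ebox in one idempotent function with a dry-run mode so the plan can be reviewed before touching a live box. The interface names rath and eth0 and the mark value 1 are taken from the thread; the table number 100 (used instead of the name tovpn so nothing has to be written to /etc/iproute2/rt_tables), the rule priority 1000, the `default dev rath` route in that table, and the `run`/`DRY_RUN` wrapper are this example's own assumptions.

```shell
#!/bin/sh
# Added example: connmark-based reply routing on ebox (not the original
# poster's script). Assumed values: rath/eth0/mark 1 from the thread,
# table 100, priority 1000 and the table's default route chosen here.

VPN_IF="${VPN_IF:-rath}"   # interface the original packets arrive on
LAN_IF="${LAN_IF:-eth0}"   # interface the replies would otherwise leave by
MARK="${MARK:-1}"          # connection mark / packet mark value
TABLE="${TABLE:-100}"      # routing table number (a name needs rt_tables)
PRIO="${PRIO:-1000}"       # rule priority; must be lower than main (32766)
DRY_RUN="${DRY_RUN:-0}"    # 1 = print the commands instead of running them

# run CMD... : execute the command, or echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_connmark_routing() {
    # 1. Packets arriving on the VPN side mark their *connection*.
    run iptables -t mangle -A PREROUTING -i "$VPN_IF" \
        -j CONNMARK --set-mark "$MARK"

    # 2. Packets arriving on the LAN side get the connection mark copied
    #    onto the packet, so replies to step-1 traffic carry fwmark=MARK.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -j CONNMARK --restore-mark

    # 3. Marked packets that came in on the LAN side are routed with the
    #    dedicated table before the main table is consulted.
    run ip rule add fwmark "$MARK" iif "$LAN_IF" table "$TABLE" priority "$PRIO"

    # 4. The dedicated table sends everything back out through the VPN
    #    interface; without this route the rule matches but routes nothing.
    run ip route add default dev "$VPN_IF" table "$TABLE"
}

teardown_connmark_routing() {
    # Mirror of setup, so the change can be backed out cleanly.
    run iptables -t mangle -D PREROUTING -i "$VPN_IF" \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" \
        -j CONNMARK --restore-mark
    run ip rule del fwmark "$MARK" iif "$LAN_IF" table "$TABLE" priority "$PRIO"
    run ip route flush table "$TABLE"
}

show_connmark_routing() {
    # Quick check of what is installed: rules, table and the mangle chain.
    run ip rule show
    run ip route show table "$TABLE"
    run iptables -t mangle -L PREROUTING -n -v
}

case "${1:-}" in
    apply)   setup_connmark_routing ;;
    remove)  teardown_connmark_routing ;;
    show)    show_connmark_routing ;;
    preview) DRY_RUN=1; setup_connmark_routing ;;
esac
```

Run `sh connmark-route.sh preview` first to see the exact commands, then `apply` as root. Two things worth checking once it is live: `conntrack -L` should show `mark=1` on the entries created by traffic that entered through rath, and if ebox has strict reverse-path filtering enabled (`net.ipv4.conf.<if>.rp_filter=1`) the original packets from 192.168.17.47 may already be dropped on arrival at rath, because the main table routes that source out eth0 and CONNMARK --set-mark marks only the connection, not the packet the check sees; loose mode (`rp_filter=2`) on rath is the usual way around that. This last point is a caveat added here, not something discussed in the thread.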