Hello,

I'm trying to bypass an OpenVPN tunnel (with --redirect-gateway enabled) for specific processes. I've described a solution here: http://serverfault.com/a/761780/341010

In summary, this is what I do:

- Assign the process to a Linux net_cls control group
- Mark the traffic with iptables, based on the control group classid:

    iptables -t mangle -A OUTPUT -m cgroup --cgroup 0x00110011 -j MARK --set-mark 11

- Route the marked traffic via a routing table with a default gateway on the real (non-tunnel) interface
- NAT the source IP of the traffic with iptables, based on the control group classid:

    iptables -t nat -A POSTROUTING -m cgroup --cgroup 0x00110011 -o eth0 -j MASQUERADE

- Disable reverse path filtering

It works well for processes started directly in the control group:

    cgexec -g net_cls:novpn ping www.google.com

However, if a process is moved into the control group afterwards, it stops working:

    ping www.google.com
    echo $(pidof ping) > /sys/fs/cgroup/net_cls/novpn

Unlike the MANGLE rule, the NAT rule doesn't match anymore. Hence, the traffic exits with the wrong (tunnel) IP...

Any help appreciated, even if you have other, better ways to reach the same goal.

Regards,
Kris
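The five steps from the post collected into one setup script, as an added example that is not the poster's own code. It assumes cgroup "novpn", classid 0x00110011, fwmark 11, routing table 11 and real interface eth0 with gateway 192.0.2.1 (a documentation address, substitute your own); DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's own script: the steps from the post
# collected into one setup script. Assumed values: cgroup "novpn", classid
# 0x00110011, fwmark 11, routing table 11, real interface eth0 with gateway
# 192.0.2.1 (a documentation address; replace with the real one).
# Run as root with the argument "apply"; DRY_RUN=1 prints the commands instead.
CG=${CG:-novpn}; CLASSID=${CLASSID:-0x00110011}
MARK=${MARK:-11}; TABLE=${TABLE:-11}
IFACE=${IFACE:-eth0}; GW=${GW:-192.0.2.1}
DRY_RUN=${DRY_RUN:-0}

run() {      # execute a command, or print it in dry-run mode
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
setval() {   # write value $2 to file $1, or print the write in dry-run mode
    if [ "$DRY_RUN" = 1 ]; then printf 'echo %s > %s\n' "$2" "$1"; else echo "$2" > "$1"; fi
}

# 1. Create the net_cls cgroup and assign the classid that iptables matches on.
setup_cgroup() {
    run mkdir -p "/sys/fs/cgroup/net_cls/$CG"
    setval "/sys/fs/cgroup/net_cls/$CG/net_cls.classid" "$CLASSID"
}
# 2. Mark packets sent by processes in the cgroup.
mark_rule() {
    run iptables -t mangle -A OUTPUT -m cgroup --cgroup "$CLASSID" -j MARK --set-mark "$MARK"
}
# 3. Send marked packets through a table whose default route is the real gateway.
route_rule() {
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$GW" dev "$IFACE" table "$TABLE"
}
# 4. Rewrite the source address so replies come back on the real interface.
nat_rule() {
    run iptables -t nat -A POSTROUTING -m cgroup --cgroup "$CLASSID" -o "$IFACE" -j MASQUERADE
}
# 5. Loose reverse-path filtering (2) is enough here; 0 disables it entirely,
#    as the post does.
rp_filter() {
    setval /proc/sys/net/ipv4/conf/all/rp_filter 2
    setval "/proc/sys/net/ipv4/conf/$IFACE/rp_filter" 2
}
apply_all() { setup_cgroup; mark_rule; route_rule; nat_rule; rp_filter; }

if [ "${1:-}" = apply ]; then apply_all; fi
```

Note that nat table rules are consulted only for the first packet of a connection-tracking flow, so a flow that already existed when its process was moved into the cgroup keeps the NAT decision made at that time, whereas the mangle rule is evaluated for every packet.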