On 30/06/2017 at 15:55, Øyvind Kaurstad wrote:
Which brings me to the question in the subject: is it even possible to
have this work without using the features of marking the connection,
then marking the return packets and having a routing rule for it?
I don't know about nftables, but with iptables you can avoid marking the
connection and use the conntrack match to check the original destination
address. However, AFAIK you cannot avoid marking the reply packets if,
from the routing point of view, nothing distinguishes packets that
should be sent to different interfaces.
One workaround is to forward incoming packets to alternate addresses.
A target device has primary address A and alternate address B.
For ordinary traffic, it uses address A.
When receiving a packet on ppp0, the routing device forwards it to the
alternate address B.
The target device sends the reply packet from source address B and the
routing device can use source-based routing to route it back to ppp0.
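Both approaches from the reply above, as an added example rather than the author's own configuration: a POSIX shell script in which the interface, addresses and routing table id are assumed placeholders. With DRY_RUN=1 it prints the iptables and ip commands instead of executing them, so the two rule sets can be compared side by side.

```shell
#!/bin/sh
# Added example, not the reply author's configuration. Addresses, interface
# and table id are assumed placeholders. Set DRY_RUN=1 to print commands
# instead of running them (needs root and iptables/iproute2 otherwise).
PPP_IF="ppp0"
PPP_ADDR="192.0.2.1"      # assumed: routing device's address on ppp0
TARGET_A="192.168.1.10"   # assumed: target device, primary address A
TARGET_B="192.168.1.11"   # assumed: target device, alternate address B
TABLE="100"               # assumed: unused routing table for ppp0 replies

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Variant 1: conntrack match instead of CONNMARK. Incoming ppp0 traffic is
# DNATed to A; reply packets are recognised by the connection's original
# (pre-NAT) destination and only those packets get a mark for routing.
mark_replies_by_ctorigdst() {
    run iptables -t nat -A PREROUTING -i "$PPP_IF" -d "$PPP_ADDR" \
        -j DNAT --to-destination "$TARGET_A"
    run iptables -t mangle -A PREROUTING -s "$TARGET_A" \
        -m conntrack --ctdir REPLY --ctorigdst "$PPP_ADDR" \
        -j MARK --set-mark 1
    run ip rule add fwmark 1 table "$TABLE"
    run ip route add default dev "$PPP_IF" table "$TABLE"
}

# Variant 2: the workaround, no marks at all. ppp0 traffic is DNATed to the
# alternate address B; replies leave B with source B, and since the reverse
# translation of a DNAT is applied in POSTROUTING (after the routing
# decision), a plain source-based rule sends them back out via ppp0.
forward_to_alternate_address() {
    run iptables -t nat -A PREROUTING -i "$PPP_IF" -d "$PPP_ADDR" \
        -j DNAT --to-destination "$TARGET_B"
    run iptables -A FORWARD -i "$PPP_IF" -d "$TARGET_B" -j ACCEPT
    run iptables -A FORWARD -s "$TARGET_B" -o "$PPP_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip rule add from "$TARGET_B" table "$TABLE"
    run ip route add default dev "$PPP_IF" table "$TABLE"
}

case "${1:-}" in
    mark)    mark_replies_by_ctorigdst ;;
    altaddr) forward_to_alternate_address ;;
esac
```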