but it still seems to me I need to leverage the connection tracking
with packet marking to be able to ensure the reply packets that should
go back out a non-default route actually do that.
I'm afraid so, unless you can add a second IP address to the target device.
The target device is usually a device that I have no control over, and
in many cases it can be a device that doesn't even have the capability
to have multiple IP addresses on the physical interface.
So I'll have to treat it as a one-address blackbox.
Still feeling quite happy now, because quite a few lessons have been
learned about the inner workings of routing (and
netfilter/nftables/iptables) in Linux, so I will be better equipped to
tackle future requirements for my device (and other Linux-based devices).
For others that read this later on, while there are lots of docs on
nftables/netfilter, I came across this one as particularly useful:
https://pelican.craoc.fr/
I can't attest that it is correct in all aspects, but I liked the
diagram he drew based on the tests he did.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
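As an added illustration of the conntrack-mark approach discussed above (not code from the thread or its participants): an nftables ruleset that tags connections arriving on a secondary uplink and restores the tag onto every packet of that connection, so a fwmark policy-routing rule can send the replies back out the same way. Interface names (wan1, wan2), the 192.0.2.0/24 addresses, mark value 0x2 and table number 100 are made-up placeholders.

```nft
# Assumed setup (placeholders): wan1 carries the default route, wan2 is the
# secondary uplink with gateway 192.0.2.1. Before loading this ruleset:
#   ip route add default via 192.0.2.1 dev wan2 table 100
#   ip rule add fwmark 0x2 table 100
table inet policy_route {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;

        # First packet of a new connection entering via wan2: store the
        # mark in the conntrack entry, which is shared by both directions.
        iifname "wan2" ct state new ct mark set 0x2

        # Any packet of a marked connection (forwarded traffic, including
        # the replies coming back through this box): copy the conntrack
        # mark onto the packet so that "ip rule ... fwmark" can act on it.
        ct mark != 0 meta mark set ct mark
    }

    chain output {
        # Locally generated replies never traverse prerouting; a "route"
        # type chain re-runs the routing decision after the mark is set,
        # so the reply is routed via table 100 instead of the default.
        type route hook output priority mangle; policy accept;
        ct mark != 0 meta mark set ct mark
    }
}
```

Reverse-path filtering can still drop the inbound packets on wan2 before the mark is honoured; set net.ipv4.conf.wan2.rp_filter to 2 (loose) or enable src_valid_mark on that interface.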