Just to be accurate, there is a difference between packets which are dropped to the NIC itself and traffic which is bound to a specific IP address.
From what I remember (and my memory is not the best as it was..) the last time I checked on Debian jessie you couldn't do any routing decision on a bound socket.
Maybe on newer versions of the kernel or another OS it's not the same.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

-----Original Message-----
From: Marcin Szewczyk <marcin.szewczyk@xxxxxxxxx>
Sent: Wednesday, December 2, 2020 6:13 PM
To: Eliezer Croitor <ngtech1ltd@xxxxxxxxx>
Cc: 'Fatih USTA' <fatihusta86@xxxxxxxxx>; 'Netfilter Users Mailing list' <netfilter@xxxxxxxxxxxxxxx>
Subject: Re: re-routing multicast pkts after mangle table marking

On Wed, Dec 02, 2020 at 05:57:25PM +0200, Eliezer Croitor wrote:
> I have seen a similar "issue" with outgoing traffic generated locally.
> From what I understand the diagram:
> * https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>
> Doesn't talk about locally generated traffic..

I am quite sure that it is not true. Take a look at the simplified chart:
https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/

OUTPUT chains are specifically for locally generated traffic, not the forwarded traffic.

Also see:
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks

> There is a big difference in the linux kernel routing cache since the time
> of the test...

My test is fresh. tcpdump output I pasted was created today.

> If you want to re-produce this issue you can try to use iperf3 instead of
> iperf.
> iperf3 -c 224.1.1.1 -u -b 10k

I do not use iperf at all. I am using netcat.

> Can you create a test lab using netns ?
> You can see a fully automated example lab that I wrote at:
> https://github.com/elico/mwan-nft-lb-example/blob/main/run-lab.sh
>
> Or another lab examples can be seen at Vincent blog posts github repository:
> https://vincent.bernat.ch/en/blog/2018-route-based-vpn-wireguard

I will take a look later to check if those are relevant.

--
Marcin Szewczyk
http://wodny.org
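The thread's subject, marking locally generated multicast in the mangle table and having the kernel re-route it, depends on one detail that neither message spells out: in nftables the output-hook chain must be of type "route", because only that chain type makes the kernel re-run the routing decision after the mark is set. The ruleset below is an added example for reference and is not taken from either poster's setup; the table name, the mark value 0x10, the multicast group 224.1.1.1 from Eliezer's iperf3 line, and the policy-routing table number 100 are all assumptions chosen for illustration.

```nft
# Added example, not from the thread: re-route locally generated multicast
# by marking it in a route-type output chain. Assumed names: table "mangle",
# mark 0x10, policy-routing table 100 (configured outside nft, see below).
table ip mangle {
    chain output {
        # "type route" on the output hook is the nftables equivalent of the
        # iptables mangle OUTPUT re-route: when this chain changes the packet
        # mark (or IP header fields), the kernel performs a fresh routing
        # lookup. A "type filter" chain here would set the mark but the
        # packet would keep the route already chosen at send() time.
        type route hook output priority mangle; policy accept;

        # Mark all locally generated IPv4 multicast. The counter lets you
        # confirm from "nft list ruleset" that the rule is actually hit,
        # which is the first thing to check when the re-route seems ignored.
        ip daddr 224.0.0.0/4 meta mark set 0x10 counter
    }
}
```

The mark alone changes nothing; it has to be paired with a policy-routing rule and a route in the alternate table, for example `ip rule add fwmark 0x10 table 100` and `ip route add 224.0.0.0/4 dev eth1 table 100` (interface name assumed). To see which route the kernel would pick for a marked packet without sending any traffic, `ip route get 224.1.1.1 mark 0x10` resolves the destination through the same fwmark rule, and comparing it against `ip route get 224.1.1.1` shows whether the rule is taking effect. Note the limitation Eliezer raises above: a socket that has already bound an interface or source address (or set IP_MULTICAST_IF) has pinned its egress device before the output hook runs, so the counter will increment while the packets still leave through the original interface; tcpdump on both interfaces, as Marcin did, is the way to tell the two cases apart.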