Different routes for different src addresses

Different routes for different src addresses

[Alpt]

[-- Attachment #1: Type: text/plain, Size: 1363 bytes --]

Hi all,
is it possible to create a route for a single src address?
For example these are some routes I'd like to use: 

1) "All the pkts coming from hostA with dst=hostX are routed to eth1".
2) "All the pkts coming from hostB with dst=hostT are routed to eth0"
/*Normal routes start here*/
3) "All the pkts (that are not pkts of type 1) and 2)) with dst=hostX
are routed to eth3"
4) "All the pkts (that are not pkts of type 1) and 2)) with dst=hostU
are routed to eth2"
5) And so on...


I mean _routing_, not natting. If I nat the pkts their destination will
change and I need to keep it intact.

In the FIB routing table I can only specify the target address, but I've 
noticed that the kernel's cache matches the source field. But when I try
to modify it I get: "Modifying `inet' routing cache not supported".
So, Is it possible to modify the krnl's cache from the user space with
some magic ioctl?

Is there a solution for this problem? Can netfilter do something for
this?

And, what's the best method to modify the FIB from user space? The ioctl
or the rtnetlink?

Thank you (^_^)
I live waiting your wise reply
-- 
:wq!
"I don't know nothing" The One Who reached the Thinking Matter   '.'

[ Alpt --- Freaknet Medialab ]
[ GPG Key ID 441CF0EE ]
[ Key fingerprint = 8B02 26E8 831A 7BB9 81A9  5277 BFF8 037E 441C F0EE ]

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: Different routes for different src addresses

[Martijn van Oosterhout]

[-- Attachment #1: Type: text/plain, Size: 1114 bytes --]

On Wed, Jul 07, 2004 at 02:05:02PM +0200, Alpt wrote:
> Hi all,
> is it possible to create a route for a single src address?
> For example these are some routes I'd like to use: 
> 
> 1) "All the pkts coming from hostA with dst=hostX are routed to eth1".
> 2) "All the pkts coming from hostB with dst=hostT are routed to eth0"
> /*Normal routes start here*/
> 3) "All the pkts (that are not pkts of type 1) and 2)) with dst=hostX
> are routed to eth3"
> 4) "All the pkts (that are not pkts of type 1) and 2)) with dst=hostU
> are routed to eth2"
> 5) And so on...

Lookup ip rules, you can do something like:

ip rule add from hostA table tableA
ip rule add from hostB table tableB

ip route add hostX dev eth1 table tableA prio 500
ip route add hostY dev eth0 table tableB prio 501

etc...

Hope this helps,
-- 
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: Different routes for different src addresses

[Antony Stone]

On Wednesday 07 July 2004 1:05 pm, Alpt wrote:

> Hi all,
> is it possible to create a route for a single src address?
> For example these are some routes I'd like to use:
>
> 1) "All the pkts coming from hostA with dst=hostX are routed to eth1".
> 2) "All the pkts coming from hostB with dst=hostT are routed to eth0"
> /*Normal routes start here*/
> 3) "All the pkts (that are not pkts of type 1) and 2)) with dst=hostX
> are routed to eth3"
> 4) "All the pkts (that are not pkts of type 1) and 2)) with dst=hostU
> are routed to eth2"
> 5) And so on...
>
> I mean _routing_, not natting. If I nat the pkts their destination will
> change and I need to keep it intact.

As you say, you mean _routing_, therefore this a routing question, not a 
netfilter question.

You need iproute2 (see http://lartc.org)

Regards,

Antony


-- 
"It is easy to be blinded to the essential uselessness of them by the sense of 
achievement you get from getting them to work at all. In other words - and 
this is the rock solid principle on which the whole of the Corporation's 
Galaxy-wide success is founded - their fundamental design flaws are 
completely hidden by their superficial design flaws."

 - Douglas Noel Adams

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Different routes for different src addresses

[John A. Sullivan III]

On Wed, 2004-07-07 at 08:05, Alpt wrote:
> Hi all,
> is it possible to create a route for a single src address?
> For example these are some routes I'd like to use: 
> 
> 1) "All the pkts coming from hostA with dst=hostX are routed to eth1".
> 2) "All the pkts coming from hostB with dst=hostT are routed to eth0"
> /*Normal routes start here*/
> 3) "All the pkts (that are not pkts of type 1) and 2)) with dst=hostX
> are routed to eth3"
> 4) "All the pkts (that are not pkts of type 1) and 2)) with dst=hostU
> are routed to eth2"
> 5) And so on...
> 
> 
> I mean _routing_, not natting. If I nat the pkts their destination will
> change and I need to keep it intact.
> 
> In the FIB routing table I can only specify the target address, but I've 
> noticed that the kernel's cache matches the source field. But when I try
> to modify it I get: "Modifying `inet' routing cache not supported".
> So, Is it possible to modify the krnl's cache from the user space with
> some magic ioctl?
> 
> Is there a solution for this problem? Can netfilter do something for
> this?
> 
> And, what's the best method to modify the FIB from user space? The ioctl
> or the rtnetlink?
> 
> Thank you (^_^)
> I live waiting your wise reply
I have not digested your question fully but my initial reaction is that
it can be done with iproute2.  If you are unfamiliar with it, look for a
file named ip-cref.ps in your distribution.  In RedHat, it is typically
under /usr/share/doc/iproute-2.4.7/ - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Re: Different routes for different src addresses

[Nick Taylor]

> > is it possible to create a route for a single src address?
> > I mean _routing_, not natting. If I nat the pkts their destination will
> > change and I need to keep it intact.
>
> As you say, you mean _routing_, therefore this a routing question, not a
> netfilter question.
>
> You need iproute2 (see http://lartc.org)
>
This is true, but misleading.  Netfilter does provide a nice interface to
iproute2 with the fwmark feature.  You can use a:

iptables -A FORWARD -s 192.168.1.7 -d 192.168.2.0/24 -j MARK --set-mark X

to put a particular firewall mark on a particular packet, then you can use

ip rule add fwmark X lookup Y

which tells the kernel to use routing table Y to lookup the route, and
then you must maintain a seperate routing table for each firewall mark,
like:

ip route add 192.168.1.0/24 via 10.0.0.3 table Y
ip route add 192.168.1.0/24 via 10.0.0.4 table Z

Of course, X Y and Z represent integers.

Re: Different routes for different src addresses

[Antony Stone]

On Wednesday 07 July 2004 10:02 pm, Nick Taylor wrote:

> > > is it possible to create a route for a single src address?
> > > I mean _routing_, not natting. If I nat the pkts their destination will
> > > change and I need to keep it intact.
> >
> > As you say, you mean _routing_, therefore this a routing question, not a
> > netfilter question.
> >
> > You need iproute2 (see http://lartc.org)
>
> This is true, but misleading.  Netfilter does provide a nice interface to
> iproute2 with the fwmark feature.

This is true, but unnecessary :)

If all you want to match on is source IP (which is what the original poster 
asked about), then iproute2 can do it quite neatly on its own.

Mixing netfilter MARKs and iproute2 tables is a neat solution to some 
problems, but not required for the simple ones.

Regards,

Antony.

-- 
These clients are often infected by viruses or other malware and need to be 
fixed.  If not, the user at that client needs to be fixed...

 - Henrik Nordstrom, on Squid users' mailing list

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Different routes for different src addresses

[Alpt]

[-- Attachment #1: Type: text/plain, Size: 857 bytes --]

On Wed, Jul 07, 2004 at 10:36:32PM +0100, Antony Stone after a spiritual call wrote  :
~> > This is true, but misleading.  Netfilter does provide a nice interface to
~> > iproute2 with the fwmark feature.
~> 
~> This is true, but unnecessary :)

Btw, It's always better to know more (^_+)

~> If all you want to match on is source IP (which is what the original poster 
~> asked about), then iproute2 can do it quite neatly on its own.
~> 
~> Mixing netfilter MARKs and iproute2 tables is a neat solution to some 
~> problems, but not required for the simple ones.

In the end, Thanks to all for your replies.

Best Regards

-- 
:wq!
"I don't know nothing" The One Who reached the Thinking Matter   '.'

[ Alpt --- Freaknet Medialab ]
[ GPG Key ID 441CF0EE ]
[ Key fingerprint = 8B02 26E8 831A 7BB9 81A9  5277 BFF8 037E 441C F0EE ]

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]