* Again policy routing and OUTPUT...
From: Marco Gaiarin @ 2021-02-10 9:15 UTC (permalink / raw)
To: lartc
Reviewing the marking and the saving/restoring of the marks in the chains seems
to have been useful, and now policy routing for locally generated traffic
works as expected.
Apart from one little thing... a local service (the exim SMTP server, indeed) opens
an outgoing connection using one of the available interfaces, and this
happens:
1 0.000000000 10.5.248.254 → 108.177.126.27 TCP 74 46008 → 25 [SYN, ECN, CWR] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1379463 TSecr=0 WS=128
2 1.027849378 10.5.248.254 → 108.177.126.27 TCP 74 [TCP Retransmission] 46008 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1379720 TSecr=0 WS=128
3 3.043787137 10.5.248.254 → 108.177.126.27 TCP 74 [TCP Retransmission] 46008 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1380224 TSecr=0 WS=128
4 7.139530714 10.5.248.254 → 108.177.126.27 TCP 74 [TCP Retransmission] 46008 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1381248 TSecr=0 WS=128
i.e., traffic gets correctly routed to the chosen interface via policy
routing, but the source IP was 'a random interface IP' from the available
pool.
I can use SNAT to change the source IP but... is there some more 'elegant'
solution?
Surely, the best solution would be to work at 'application level', e.g.
instruct exim to use only the specific source interface for some
traffic but... it seems not possible, or too complex to achieve.
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
* Re: Again policy routing and OUTPUT...
From: Grant Taylor @ 2021-02-10 16:41 UTC (permalink / raw)
To: lartc
On 2/10/21 2:15 AM, Marco Gaiarin wrote:
> I can use SNAT to change the source IP but... is there some more 'elegant'
> solution?
You /might/ need to use SNAT / MASQUERADE.
> Surely, the best solution would be to work at 'application level',
> e.g. instruct exim to use only the specific source interface for some
> traffic but... it seems not possible, or too complex to achieve.
Typically, as in kernel default, the source IP is chosen based on the IP
of the outgoing interface, which is chosen based on routing to the
destination.
If you are overriding this routing decision and forcing traffic out a
different route, then there is a decent chance that the kernel will pick
the wrong source IP. In situations like this, I expect that you will
need to SNAT / MASQUERADE.
Some applications have options to bind to a specific IP. Others might
have options to specify what IP to use for different things, though I
wouldn't hold my breath. -- In almost all cases, the decision of what
source IP to use is left up to the kernel.
--
Grant. . . .
unix || die
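The SNAT / MASQUERADE fix Grant describes, as an added example that is not code from the thread: a small POSIX shell helper that emits the POSTROUTING rule for the chosen egress interface, plus the `ip route get` check that shows the source address the kernel picks. `eth1`, mark `0x1` and the addresses are constructed placeholders, and with `DRY_RUN=1` (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the NAT rule Grant describes
# for traffic that policy routing steers out an interface whose address the
# kernel did not pick as source. Interface, mark and addresses are constructed
# placeholders. With DRY_RUN=1 (the default) commands are printed, not run.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# nat_rule IFACE [SRC_IP]
# Rewrite the source of packets leaving IFACE. Without SRC_IP, MASQUERADE lets
# the kernel substitute IFACE's own primary address (Marco's final choice: no
# extra scripting when the address changes). With SRC_IP, SNAT pins a fixed
# address, limited to packets that do not already carry it.
nat_rule() {
    if [ -n "${2:-}" ]; then
        run iptables -t nat -A POSTROUTING -o "$1" ! -s "$2" -j SNAT --to-source "$2"
    else
        run iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
    fi
}

# check_source DST MARK
# First lookup: route and "src" the kernel chooses at connect() time, when a
# mark set by an iptables OUTPUT rule is not yet on the packet (main table).
# Second lookup: egress chosen once the fwmark-based policy rule applies.
# A different "dev" with the same "src" is exactly the symptom in the capture.
check_source() {
    run ip route get "$1"
    run ip route get "$1" mark "$2"
}

# Constructed values: mail leaves via eth1, the policy rule keys on mark 0x1.
nat_rule eth1
nat_rule eth1 10.5.248.254
check_source 108.177.126.27 0x1
```

The check matters because a mark applied in the iptables OUTPUT chain is set after connect() has already chosen a source address from the main table, and the re-route that follows keeps that address; that is why a NAT rule cures the symptom where a route table's `src` hint alone would not.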
* Re: Again policy routing and OUTPUT...
From: Marco Gaiarin @ 2021-02-12 11:25 UTC (permalink / raw)
To: lartc
Hello! Grant Taylor
On that day, you wrote...
> > I can use SNAT to change the source IP but... is there some more 'elegant'
> > solution?
> You /might/ need to use SNAT / MASQUERADE.
[...]
> Typically, as in kernel default, the source IP is chosen based on the IP of
> the outgoing interface, which is chosen based on routing to the destination.
> If you are overriding this routing decision and forcing traffic out a
> different route, then there is a decent chance that the kernel will pick the
> wrong source IP. In situations like this, I expect that you will need to
> SNAT / MASQUERADE.
Perfectly clear. And you gave me a bright idea: use 'MASQUERADE' instead
of SNAT to avoid some exotic script coding...
Thanks!
* Re: Again policy routing and OUTPUT...
From: Grant Taylor @ 2021-02-13 17:36 UTC (permalink / raw)
To: lartc
On 2/12/21 4:25 AM, Marco Gaiarin wrote:
> Perfectly clear.
Thank you for the feedback. I try.
> And you gave me a bright idea: use 'MASQUERADE' instead of SNAT to
> avoid some exotic script coding...
Cool!
> Thanks!
You're welcome.