From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: Bug (?) in ipt_reject doesn't follow policy routing (2.4.x)
Date: Mon, 14 Apr 2003 10:49:07 +0200
Sender: netfilter-devel-admin@lists.netfilter.org
Message-ID: <3E9A7603.6030607@trash.net>
References: <20030414075933.GJ18520@oknodo.bof.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Leen Besselink , netfilter-devel@lists.netfilter.org
Return-path:
To: Patrick Schaaf
In-Reply-To: <20030414075933.GJ18520@oknodo.bof.de>
Errors-To: netfilter-devel-admin@lists.netfilter.org
List-Help:
List-Post:
List-Subscribe: ,
List-Unsubscribe: ,
List-Archive:
List-Id: netfilter-devel.vger.kernel.org

Patrick Schaaf wrote:

> Maybe, if you can answer these questions, we'll be able to understand
> your problem. Maybe somebody can do that even without those answers,
> but the silence you received up to now indicates that's unlikely.
>
>

May I ? ;)

Without being specific to his setup, the problem he describes is that
ipt_REJECT (and others) always choose lsrc to be 0 if it's non-local for
the routing decision. I'll just make a simple example:

Routing Rules (incomplete):

    1000:  from 10.0.0.0/8 lookup abc
    32766: from all lookup main

Routing tables (incomplete):

    abc:  default via 192.168.0.1 dev eth0
    main: default via 172.20.0.1 dev eth1

So all packets except those with src=10.0.0.0/8 should go through
172.20.0.1. When ipt_REJECT sends a reject for any non-local address in
10.0.0.0/8 it chooses lsrc=0 for the routing lookup, so it ends up with
the default route of table main instead of table abc.

I wonder why ip_route_input isn't used, this should eliminate the need for
using different information from what is contained in the actual packet for
the routing lookup ..

Bye,
Patrick
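The following is an added illustration, not code from the mail or from the netfilter project: a small model of the policy-routing lookup using the two rules and two tables quoted above. It shows why doing the route lookup for a reply with an unspecified (0.0.0.0) source skips the "from 10.0.0.0/8" rule and lands in table main, while looking up with the address the packet actually carried selects table abc. The host address 10.0.0.7, the remote address 203.0.113.9 and the function names are constructed for the example; real kernel behaviour is only approximated (rules matched in priority order, longest-prefix match inside a table).

```python
import ipaddress

# Policy rules from the mail, as constructed data: (priority, source selector, table).
# "from all" is modelled as the 0.0.0.0/0 selector, which also matches 0.0.0.0.
RULES = [
    (1000, ipaddress.ip_network("10.0.0.0/8"), "abc"),
    (32766, ipaddress.ip_network("0.0.0.0/0"), "main"),
]

# Routing tables from the mail: each entry is (destination prefix, gateway, device).
TABLES = {
    "abc": [(ipaddress.ip_network("0.0.0.0/0"), "192.168.0.1", "eth0")],
    "main": [(ipaddress.ip_network("0.0.0.0/0"), "172.20.0.1", "eth1")],
}


def table_lookup(table, dst):
    """Longest-prefix match of dst inside one table; None if nothing matches."""
    best = None
    for prefix, gw, dev in TABLES[table]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, dev)
    return best


def route_lookup(dst, src="0.0.0.0"):
    """Walk the rules in priority order; the first rule whose source selector
    matches src and whose table has a route for dst decides the result."""
    dst = ipaddress.ip_address(dst)
    src = ipaddress.ip_address(src)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if src not in selector:
            continue
        hit = table_lookup(table, dst)
        if hit is not None:
            return {"table": table, "via": hit[1], "dev": hit[2]}
    return None


def reject_reply_route(orig_src, orig_dst, use_packet_addresses):
    """Route the reply to a rejected packet (reply src = original dst,
    reply dst = original src). With use_packet_addresses=False the lookup is
    done with lsrc=0, which is the behaviour the mail complains about."""
    reply_dst = orig_src
    reply_src = orig_dst if use_packet_addresses else "0.0.0.0"
    return route_lookup(reply_dst, reply_src)


if __name__ == "__main__":
    # Constructed scenario: a packet from 203.0.113.9 to the local 10.0.0.7 is rejected.
    for flag in (True, False):
        print("packet addresses" if flag else "lsrc=0          ",
              reject_reply_route("203.0.113.9", "10.0.0.7", flag))
```

Running it prints the reply routed via 192.168.0.1 on eth0 (table abc) when the packet's own addresses are used, and via 172.20.0.1 on eth1 (table main) when the source is left at 0.0.0.0, which is the mismatch described in the mail.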