From: Patrick McHardy
Subject: Re: policy routing on locally generated packets [summary]
Date: Wed, 27 Aug 2003 16:57:03 +0200
Sender: netfilter-devel-admin@lists.netfilter.org
Message-ID: <3F4CC6BF.2030604@trash.net>
References: <1061995596.1247.28.camel@drs0.manchotnetworks.net>
In-Reply-To: <1061995596.1247.28.camel@drs0.manchotnetworks.net>
To: "lartc@manchotnetworks.net"
Cc: Henrik Nordstrom, Patrick Schaaf, netfilter-devel
List-Id: netfilter-devel.vger.kernel.org

lartc@manchotnetworks.net wrote:

> final conclusion:
> to effectively obtain policy routing on locally generated packets, the
> OUTPUT ROUTING process would need to be hooked into netfilter, thereby
> letting packets be marked. OUTPUT ROUTING would then use the mark to
> find a routing table via a routing rule. OUTPUT ROUTING would get the
> route key fields using the "best" destination route within the routing
> table, or use the default routing table if no suitable route was found.
> (Cedric -- this would include the iif key, therefore obviating/including
> your patch through ip route commands)
>
>
> iptables --append OUTROUTE --table mangle (expressions) \
>   --jump MARK --set-mark 0x2
>

It is not possible for two reasons:

- before output routing the packet doesn't have a source IP, so it would
  be weird to pass it through iptables tables.
- the source is chosen before the IP header is prepended, which makes it
  impossible to pass it to iptables first.

Why can't you use NAT?

Best regards,
Patrick