From: Wim Ceulemans <wim.ceulemans@able.be>
To: Henrik Nordstrom <hno@marasystems.com>
Cc: netfilter-devel@lists.netfilter.org, dev@able.be
Subject: Re: Routing decision?
Date: Thu, 18 Sep 2003 13:54:39 +0200
Message-ID: <3F699CFF.1020702@able.be>
In-Reply-To: <Pine.LNX.4.44.0309181320030.20799-100000@filer.marasystems.com>
Henrik Nordstrom wrote:
>On Thu, 18 Sep 2003, Wim Ceulemans wrote:
>
>>Wouldn't the firewall be more predictable if the routing decision was
>>always taken after the packet travels through the OUTPUT chain, even if
>>it was a packet originating from an unbound socket? In that way the
>>diagram in the netfilter tutorial would be true in all cases, and also if
>>advanced routing with the ip command is used, it would work with all
>>packets (originating from bound or unbound sockets).
>
>The routing takes place before OUTPUT on unbound sockets as it is the
>routing table who decides the source IP address to use if the socket is
>unbound, and it is impossible to create the packet without having the
>source address.
>
>>Of course for packets originating from unbound sockets this would lead
>>to the fact that the routing decision code is gone through twice, but
>>the first time only for determining the source address, and the second
>>time to be able to re-route the packet to another interface (based on
>>marks set in the output chain).
>
>Yes, and this is what happens when it is needed.
>
>The kernel uses routing before output to find the source IP address.
>
>Then when iptables changes the packet in such manner that the routing may
>change it calls the routing again, but only if the packet is modified by
>iptables.
>
>If there is no changes in the packet details iptables does not call
>routing again as it can be assumed the result will be the same as in the
>first call.
>
>Regards
>Henrik
>
Henrik,
Ok, but the problem is that setting a mark on the packet isn't
considered a change to the packet, since marks only live in
the kernel and have no effect on the packet.
So, if I want to re-route the packet later on because, for example, it is
an HTTP packet (destination port is 80, 1080 or 8080),
then I have to change something in the packet just to be able to
re-route it. But I don't want to change something in the
packet; I just want to re-route it to another interface based on the mark.
Do you have an idea how we could do this without using unbound packets?
Thanks and Regards
Wim
--
Wim Ceulemans
R&D Engineer
Secure Internet Communication with aXs Guard
Able NV
Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
E-mail: wim.ceulemans@able.be
--
Security check on this e-mail has been done by aXs GUARD
(http://www.axsguard.com)
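The setup Wim describes (mark HTTP traffic in the mangle OUTPUT chain and re-route it by mark with the ip command), as an added example that is not part of the original message or of any project named in it; the mark value, table number, alternate interface and gateway are constructed assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the setup Wim describes:
# mark locally generated HTTP traffic in the mangle OUTPUT chain and send
# marked packets out via a second interface selected by a fwmark rule.
# Constructed values (assumptions): mark 0x1, table 100, eth1, gateway 192.0.2.1.
MARK=0x1
TABLE=100
ALT_IF=eth1
ALT_GW=192.0.2.1
HTTP_PORTS="80 1080 8080"   # the destination ports named in the message

# iptables rules marking outgoing TCP to each HTTP port in mangle OUTPUT.
mark_rules() {
    for p in $HTTP_PORTS; do
        echo "iptables -t mangle -A OUTPUT -p tcp --dport $p -j MARK --set-mark $MARK"
    done
}

# ip(8) commands: a separate table with a default route via the alternate
# interface, and a rule that selects that table by firewall mark.
policy_route_rules() {
    echo "ip route add default via $ALT_GW dev $ALT_IF table $TABLE"
    echo "ip rule add fwmark $MARK table $TABLE"
}

# Number of commands the generators emit (one per port plus two ip commands).
rule_count() {
    { mark_rules; policy_route_rules; } | wc -l | tr -d ' '
}

# Check: ask the routing code which route a packet carrying $MARK to $1 gets.
# This shows the rule/table lookup result only; it does not show whether a
# packet generated on an unbound socket was actually re-routed after OUTPUT.
check_route() {
    ip route get "$1" mark "$MARK"
}

# Default is a dry run that prints the commands; "apply" runs them (as root).
if [ "${1:-}" = "apply" ]; then
    { mark_rules; policy_route_rules; } | sh -e
else
    mark_rules
    policy_route_rules
fi
```

As the thread explains, a mark by itself is not a change to the packet details, so for packets from unbound sockets the routing decision taken before OUTPUT stands; the dry run lets the rules be reviewed before they are applied.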