From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Date: Tue, 22 Nov 2005 07:22:09 +0000
Subject: Re: [LARTC] Iproute2 src mangling problems
Message-Id: <4382C721.8060904@trash.net>
List-Id:
References: <20051121160130.ny8ol2nkwrkkso8o@qbranch.gavintech.com>
In-Reply-To: <20051121160130.ny8ol2nkwrkkso8o@qbranch.gavintech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Chris Kloosterman wrote:
> - We have two IP addresses assigned to this machine using aliases:
>
> [root@tequesta ~]# ip addr show
> 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
> ...
> inet xxx.yyy.zzz.39/24 brd xxx.yyy.zzz.255 scope global eth0
> inet xxx.yyy.zzz.16/24 brd xxx.yyy.zzz.255 scope global secondary eth0:0
> ...
>
> - We're marking packets that go through iptables with mark 0xf1:
>
> /sbin/iptables -I OUTPUT -t mangle -m owner --uid-owner (uid) -j MARK --set-mark 0xf1
>
> - With iproute2, we're setting packets marked with 0xf1 to go to a
> special table (which has already been created in the proper places):
>
> /sbin/ip rule add fwmark 0xf1 lookup kloostec
>
> - The routing table kloostec looks like this:
>
> xxx.yyy.zzz.0/24 dev eth0 proto static src xxx.yyy.zzz.16
> default via xxx.yyy.zzz.254 dev eth0
>
> - The routing table default looks like this:
>
> xxx.yyy.zzz.0/24 dev eth0 scope link src xxx.yyy.zzz.39
> ...
> default via xxx.yyy.zzz.254 dev eth0
>
> =======>
> So, my question is, why are the packets not having their source address
> changed when they are marked 0xf1? If anyone could answer this, it
> would end days of searching and reading documentation and pulling my
> hair out!

What source address does the packet have when it hits your mark rule? :)

No, seriously, this is a common misunderstanding; unfortunately what you're
trying to do is not possible. At the time the source address is selected
there is no packet and, as a consequence, no netfilter mark, so marks can't
be used for this.

The only way is to use SNAT.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
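The following is an added example, not code from the thread: a script that emits the complete rule set for the setup discussed above, with the SNAT step that actually rewrites the source address. The interface, uid, addresses, gateway and the table name "kloostec" are assumed placeholders (the table name must already exist in /etc/iproute2/rt_tables, as in the original post). The mark and the fwmark rule still select the routing table; the SNAT rule in nat POSTROUTING, which runs after routing, is what changes the source.

```shell
#!/bin/sh
# Added example (not from the LARTC thread). Per-UID source address via
# fwmark + policy routing + SNAT. All values below are assumptions.
set -eu

IFACE=eth0
TARGET_UID=1001           # hypothetical uid whose traffic should use ALT_SRC
PRIMARY=192.0.2.39        # primary address (the kernel's default choice)
ALT_SRC=192.0.2.16        # secondary address we want as source
GATEWAY=192.0.2.254
TABLE=kloostec            # must exist in /etc/iproute2/rt_tables
MARK=0xf1

# Emit the rules in the order they must be loaded. Apply as root with:
#   sh this_script.sh show | sh
emit_rules() {
    # 1. Mark locally generated packets by owner. This runs in the mangle
    #    OUTPUT hook, i.e. after the kernel has already chosen the source
    #    address for the socket, so the mark by itself cannot change it.
    echo "iptables -t mangle -A OUTPUT -m owner --uid-owner $TARGET_UID -j MARK --set-mark $MARK"

    # 2. Policy routing: marked packets use their own table. A "src" hint
    #    in this table does not help, because the lookup that picks the
    #    source address happens before the mark exists.
    echo "ip rule add fwmark $MARK lookup $TABLE"
    echo "ip route add ${PRIMARY%.*}.0/24 dev $IFACE table $TABLE"
    echo "ip route add default via $GATEWAY dev $IFACE table $TABLE"

    # 3. Rewrite the source address after routing, in nat POSTROUTING.
    #    This is the only hook that can change it for an already-built
    #    packet; conntrack un-NATs the replies addressed to ALT_SRC.
    echo "iptables -t nat -A POSTROUTING -o $IFACE -m mark --mark $MARK -j SNAT --to-source $ALT_SRC"
}

# Commands to confirm the result on the box (run as root after loading).
emit_checks() {
    echo "ip rule show"
    echo "ip route show table $TABLE"
    echo "iptables -t mangle -S OUTPUT"
    echo "iptables -t nat -S POSTROUTING"
    # Watch the SNAT counter increase while the target uid sends traffic:
    echo "iptables -t nat -L POSTROUTING -v -n"
}

case "${1:-}" in
    show)   emit_rules ;;
    checks) emit_checks ;;
    *)      echo "usage: $0 show|checks" >&2 ;;
esac
```

If the separate routing table is not needed (same gateway for both addresses), the mark and the ip rule can be dropped entirely: the owner match is valid in the nat POSTROUTING chain for locally generated packets, so a single `-m owner --uid-owner ... -j SNAT --to-source ...` rule does the job. Either way, verify with the `checks` output rather than with `ip route get`, which shows the route selection but not the post-routing NAT.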