From: Peter Rabbitson
Date: Fri, 15 Jun 2007 06:29:43 +0000
Subject: Re: [LARTC] Re: multiple routing tables for internal router programs
Message-Id: <467231D7.1070105@rabbit.us>
To: lartc@vger.kernel.org

Salim S I wrote:
>
>>> NATing is done with MASQUERADE, not SNAT, I use another MARK for it, but
>>> in essence it is
>>> -o eth2 -j MASQUERADE
>>> -o eth3 -j MASQUERADE
>>>
>>> In addition, there are several other MARKs for policy routing. They have
>>> their own routing tables also. But at present, they are all empty.
>>>
>> This is the part I definitely do not like. First of all - why
>> SNAT/MASQUERADE _all_ traffic? You should do this for forwarded traffic
>> only. Like so:
>
> Yes, in fact, this is what I do. I mentioned I use MARK for
> MASQUERADing, but forgot to elaborate. That particular MARK is set for
> forwarded packets only.
>
>
>> Also you mention that there are "other marks", which means that you
>> might very well be overwriting marks as you go. A packet/connection can
>> have only _one_ mark value at any time, no more no less (a 0x0 is still
>> a mark)
>
>
> I use --or-mark in iptables, so that I can use bitwise masks. The 'ip'
> tool supports bit masks too.
>

Well then you are certainly ahead of the game. Still I would suggest to avoid the complexity of bit mask marks - it is rather error prone and is pretty hard to maintain, while the same result can usually be achieved by other means (like in my SNAT example).

As far as your original problem goes - it seems like a mark is getting eaten away or is not set somewhere in the first place. I have not had any problems like the ones you describe.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
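The exchange above turns on two facts: a packet carries exactly one 32-bit fwmark, so a later `--set-mark` silently replaces whatever an earlier rule stored there, while `--or-mark` combined with masked `ip rule fwmark VALUE/MASK` matches lets several independent decisions (here: "masquerade this forwarded packet" and "route via a second table") share the field. The following is an added example, not code from either poster and not a tool discussed in the thread: a small Python model of a mangle chain and a routing-policy database that reproduces the "mark getting eaten away" failure Peter describes and shows why both the iptables side and the `ip rule` side must use masks. The mark bits, table names, addresses and rules are all constructed for illustration.

```python
"""Toy model of Netfilter fwmark handling: --set-mark vs --or-mark, and
masked vs unmasked `ip rule fwmark` matching. Constructed example; it does
not touch the kernel."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

FWMARK_WIDTH = 0xFFFFFFFF  # the fwmark is a single 32-bit field per packet

# Constructed bit assignments (one bit per independent decision):
NAT_MARK = 0x1     # bit 0: "this is forwarded traffic, masquerade it on egress"
POLICY_MARK = 0x2  # bit 1: "route via the secondary uplink table"


@dataclass
class Packet:
    src: str
    dst: str
    forwarded: bool
    mark: int = 0  # 0x0 is still a mark, just the default one


@dataclass
class MangleRule:
    """One `-t mangle -A PREROUTING ... -j MARK` rule."""
    match: Callable[[Packet], bool]
    value: int
    op: str  # "set" models --set-mark, "or" models --or-mark


@dataclass
class IpRule:
    """One `ip rule add fwmark VALUE/MASK table T` entry."""
    fwmark: int
    mask: int
    table: str


def apply_mangle(pkt: Packet, rules: List[MangleRule]) -> int:
    """Walk the chain; every matching MARK rule rewrites the single mark field."""
    for rule in rules:
        if not rule.match(pkt):
            continue
        if rule.op == "set":
            pkt.mark = rule.value & FWMARK_WIDTH            # clobbers earlier bits
        elif rule.op == "or":
            pkt.mark = (pkt.mark | rule.value) & FWMARK_WIDTH  # keeps earlier bits
        else:
            raise ValueError(f"unknown mark operation {rule.op!r}")
    return pkt.mark


def select_table(mark: int, rules: List[IpRule]) -> str:
    """First `ip rule` whose masked comparison matches wins; otherwise main."""
    for rule in rules:
        if (mark & rule.mask) == rule.fwmark:
            return rule.table
    return "main"


def should_masquerade(mark: int) -> bool:
    """Models `-t nat -A POSTROUTING -m mark --mark 0x1/0x1 -j MASQUERADE`."""
    return bool(mark & NAT_MARK)


def run_scenario(mark_op: str) -> Tuple[int, str, bool]:
    """Forwarded packet to a destination that policy routing sends via uplink2.
    Returns (final mark, routing table chosen, masquerade decision)."""
    mangle_chain = [
        MangleRule(lambda p: p.forwarded, NAT_MARK, mark_op),
        MangleRule(lambda p: p.dst.startswith("203.0.113."), POLICY_MARK, mark_op),
    ]
    # Masked rule: only bit 1 is inspected, so other bits may coexist.
    rpdb = [IpRule(fwmark=POLICY_MARK, mask=POLICY_MARK, table="uplink2")]
    pkt = Packet(src="192.168.1.10", dst="203.0.113.5", forwarded=True)
    mark = apply_mangle(pkt, mangle_chain)
    return mark, select_table(mark, rpdb), should_masquerade(mark)


if __name__ == "__main__":
    # With --set-mark the policy rule overwrites the NAT bit: the packet is
    # routed out uplink2 but never masqueraded, i.e. the mark got "eaten".
    print("set-mark:", run_scenario("set"))   # (0x2, 'uplink2', False)
    # With --or-mark both bits survive and both decisions are honoured.
    print("or-mark: ", run_scenario("or"))    # (0x3, 'uplink2', True)
    # Even with --or-mark, an unmasked `ip rule fwmark 0x2` no longer matches
    # a combined mark of 0x3, so the masks must be used on both sides.
    print("unmasked rule:", select_table(0x3, [IpRule(0x2, FWMARK_WIDTH, "uplink2")]))
```

Running it shows the failure mode from the thread directly: under `--set-mark` the policy-routing rule wins and the NAT bit is lost, under `--or-mark` the mark ends up as 0x3 and both the route selection and the masquerade match succeed, and an `ip rule` written without a mask falls back to the main table as soon as a second bit is set. That is also why Peter's advice to keep the scheme simple is sound: every rule that touches or reads the mark must agree on the bit layout, and one unmasked match anywhere breaks it.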