Re: How to route per process?

[Pascal Hambourg <pascal.mail@plouf.fr.eu.org>]

Hello,

ulmo@sonic.net a écrit :
> 
> The software in question has the capability to bind to specified
> addresses, but not to send packets out over specified interfaces, which is
> necessary.

It is easy to do source address-based routing.
ip rule from <address> lookup <table>

> iptables -t mangle -A OUTPUT -m owner --uid-owner asterisk -j MARK
> --set-mark 42 &&
> iptables -t nat -A POSTROUTING -o $dev -m mark --mark 42 -j SNAT
> --to-source $ifaceaddr &&
> ip rule add fwmark 42 table 42 &&
> ip route add default via $gw dev $dev table 42
> 
> To wit, all the above works, except that when the packets come back, the
> process in question doesn't receive them.  tcpdump shows everything
> working as desired up to that point:  the packets go out, they get
> responses which come back.  The disconnect is somewhere between the return
> packets coming back and them being put into the process's connection as
> desired inside the OS, I'm pretty sure.

Check your iptables filtering rules, and that source validation by 
reverse path filtering is disabled on the alternate interface 
(/proc/sys/net/ipv4/conf/<interface>/rp_filter=0). It is disabled by 
default in the kernel, but startup scripts in some distributions enable it.