From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jose Luis Domingo Lopez
Date: Fri, 11 Oct 2002 21:30:25 +0000
Subject: Re: [LARTC] owner based policy routing
Message-Id:
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

On Friday, 11 October 2002, at 09:34:38 +0530, Arindam Haldar wrote:

> THE SCENARIO:
> we are connected to 2 isp, both having their large network.. isp A has
> gateway with ofc network while ispB has satellite gateway & hence there
> are advantages to take specific routes thru specific isp.
>
I suppose this box has three network connections, one to the internal
network, and one for each Internet connection. So, for the traffic coming
from the internal network, this box is a router.

> THE RULES DEFINED:
> 10: from all lookup main
>
"ip rule" are checked from lower to higher numbers, so once visited "table
local" (prio 0) all your traffic (from all) visits "table main". I suppose
"table main" doesn't have a default route of some sort, because that would
stop packet routing at that point, making the rest of "ip rule" useless.

> WHAT WE TRIED:
> we tried using iptables owner based rules & marked packets (as one can
> see in rules above), but it didn't help.
> iptables -I OUTPUT -t mangle -m owner --uid-owner -d 202.0.0.0/8
> -j MARK --set-mark 50
> but packets were not marked as seen by
> >> iptables -nvL -t mangle
> & hence owner based policy routing not working
>
If "iptables -t mangle -L -vn" shows no matches, it can be for two reasons:
either destination address doesn't match, or uid-owner doesn't match. I
have never used "--match owner" myself, but a quick try here seems to work,
at least for a simple network application. Maybe squid runs as user "squid"
(or whatever), but netfilter sees them as originating from another user,
maybe root, maybe no user at all.
-- 
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Woody (Linux 2.4.18-586tsc)

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
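The setup the two mails are circling, written out as an added example (this is not code from either mail, nor from the LARTC HOWTO): mark locally generated packets of one user bound for 202.0.0.0/8 with mark 50 (both values are from the thread), give the marked packets their own routing table with ISP B's default route, and make sure the fwmark rule is walked before the rule that looks up "table main". The user name "squid", the ISP B gateway 203.0.113.1 on eth2, table number 200 and rule priority 5 are assumptions. The `fwmark_before_main` check and the two `ip rule show` samples are constructed to show the ordering problem Jose points at: once a table with a default route is consulted, later rules are never reached.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Owner-based policy routing:
# packets from one local user to 202.0.0.0/8 (destination and mark 50 as in
# the thread) leave via ISP B instead of the main table's default route.
# Assumptions (not in the original mails): user "squid", ISP B gateway
# 203.0.113.1 on eth2, routing table 200, rule priority 5.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 applies them
# and needs root on a Linux box with iptables and iproute2.

DRY_RUN="${DRY_RUN:-1}"
OWNER_USER="${OWNER_USER:-squid}"
DEST="202.0.0.0/8"
MARK=50
TABLE=200
RULE_PRIO=5
ISPB_GW="203.0.113.1"
ISPB_DEV="eth2"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: mark the packets. The owner match is only usable in the OUTPUT
# chain, because only locally generated packets carry a socket owner.
mark_packets() {
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$OWNER_USER" \
        -d "$DEST" -j MARK --set-mark "$MARK"
}

# Step 2: a separate table whose only route is ISP B's default gateway.
setup_ispb_table() {
    run ip route add default via "$ISPB_GW" dev "$ISPB_DEV" table "$TABLE"
}

# Step 3: consult that table for marked packets BEFORE "lookup main".
# "ip rule" is walked from low to high priority and the first table that
# yields a route wins, so this rule needs a lower number than the rule that
# looks up main (priority 10 in the thread's setup).
add_fwmark_rule() {
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority "$RULE_PRIO"
    run ip route flush cache
}

# Step 4: what to look at afterwards. The pkts/bytes counters on the MARK
# rule must grow while the proxy is sending; if they stay at zero the owner
# match is not hitting, and no amount of "ip rule" work will help.
show_state() {
    run iptables -t mangle -L OUTPUT -vn
    run ip rule show
    run ip route show table "$TABLE"
}

# Check on "ip rule show" output read from stdin: succeed (exit 0) only if
# a fwmark rule is walked before the rule that looks up main.
fwmark_before_main() {
    awk '
        { prio = $1; sub(":", "", prio); prio += 0 }
        /fwmark/      { if (!have_fw || prio < fw) { fw = prio; have_fw = 1 } }
        /lookup main/ { main_prio = prio; have_main = 1 }
        END { if (have_fw && have_main && fw < main_prio) exit 0; exit 1 }
    '
}

# Constructed samples (not real output from the thread) for the check above.
# First: main is consulted at priority 10, so the fwmark rule is shadowed.
BROKEN_RULES='0:      from all lookup local
10:     from all lookup main
100:    from all fwmark 0x32 lookup 200
32767:  from all lookup default'
# Second: the fwmark lookup moved in front of main.
FIXED_RULES='0:      from all lookup local
5:      from all fwmark 0x32 lookup 200
10:     from all lookup main
32767:  from all lookup default'

apply_all() {
    mark_packets
    setup_ispb_table
    add_fwmark_rule
    show_state
    printf '%s\n' "$BROKEN_RULES" | fwmark_before_main \
        && echo "broken sample: passes (unexpected)" \
        || echo "broken sample: fwmark rule is shadowed by lookup main"
    printf '%s\n' "$FIXED_RULES" | fwmark_before_main \
        && echo "fixed sample: fwmark rule precedes lookup main"
}

apply_all
```

Run it as `DRY_RUN=0 sh owner-routing.sh` as root to apply the rules; the default just prints the plan and the two sample checks. If the counters on the MARK rule stay at zero, look at which uid actually owns the sending socket (for instance the Uid line in /proc/PID/status of the process that `netstat -p` or `ss -p` names) before touching the routing side, since a mark that is never set cannot select a table.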