From: "lartc@manchotnetworks.net" <lartc@manchotnetworks.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] OUTPUT chain marking after or before routing?
Date: Thu, 17 Jul 2003 16:50:09 +0000	[thread overview]
Message-ID: <marc-lartc-105846057806028@msgid-missing> (raw)
In-Reply-To: <marc-lartc-105842045025983@msgid-missing>

Hi Martin, Catalin, Chijioke,

This subject intrigues me greatly and is closely related to a post of
just a few days ago:


<snip from my original post>

> >+----------------------+            +---------------+
> >| eth1   192.168.1.1   |------------| 192.168.1.250 |
> >| eth1:1 192.168.1.101 |            |               |
> >+----------------------+            +---------------+
> >
> >
> >iptables --append OUTPUT --table mangle --jump MARK --set-mark 0x2
> >ip rule add fwmark 0x2 table 2
> >ip route add 192.168.1.0/24 dev eth1 src 192.168.1.101 table 2
> >ip route flush cache
> >
> >
> >telnet 192.168.1.250 ; and tcpdump gives src ip address as
> >192.168.1.1
> >
> >
> >ip rule add to 192.168.1.250 table 2
> >ip route flush cache
> >
> >
> >telnet 192.168.1.250 ; and tcpdump gives src ip address as
> >192.168.1.101

> According to my reading of the KPTD (and my understanding), packets
> generated on the local machine have already been routed by the time the
> OUTPUT chain is traversed.  See:
> 
>   http://www.docum.org/stef.coene/qos/kptd/
I have spent a lot of time looking at this diagram and don't understand
what happens when. Curiously, in response to my post Patrick McHardy was kind
enough to test and:

On Sun, 2003-07-13 at 23:43, Patrick McHardy wrote:
> I tested your setup and it works fine (with 2.5 though). Are you sure 
> you have
> CONFIG_IP_ROUTE_FWMARK enabled for your running kernel ? ip rule won't
> give errors if not ..

Very interesting, and I have yet to make it work here, although I
haven't debugged it yet.

>  : have u tried putting it on the FORWARD chain??
> 
> Unfortunately the FORWARD chain will not work if these are locally
> generated packets.
yup.

> 
> I see two potential approaches to this problem:
> 
>   - invert your logic; main routing table uses ppp0 gateway IP as default
>     gateway, mark all traffic passing through your router box, and use
>     "ip rule add fwmark $MARK table $INTERNET" with another routing
>     table for the Internet-bound traffic.
Martin, this is pure genius.

> 
>   - send all locally generated traffic via ppp0; "ip rule add iif lo
>     table smtp" and watch all traffic generated on the local machine leave
>     via ppp0.  You'll want to add the locally connected networks to table
>     smtp.
Can you comment on why this is:

ip rule to xxx.xxx.xxx.xxx table n

works, and

iptables fwmark y table n

doesn't? Is it because OUTPUT checked the rule while the packet was
"generated" locally, but not after it was marked?

1000 thanks


charles 

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
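Added here as a worked example, not code from the thread or from any of its participants: a small Python model of the two-stage routing that Martin describes for locally generated packets. The first route lookup happens before the mangle OUTPUT chain (mark still 0, `iif lo` rules match, source address chosen); after OUTPUT sets a mark the kernel re-routes with the mark. The model's one labelled assumption is that this re-route keeps the source address chosen in the first lookup. Under that assumption it reproduces the two tcpdump results quoted from Charles's earlier post (fwmark rule alone gives src 192.168.1.1, adding the `to` rule gives 192.168.1.101) and shows Martin's `iif lo table smtp` approach taking effect. Addresses, table names and commands are the thread's; the rule priorities and the `Rpdb` / `send_local` helper names are constructed for the example.

```python
"""Toy model of Linux policy routing (RPDB) for locally generated packets.

Added example, not from the LARTC thread. Modelling assumption: the
re-route after mangle OUTPUT marks the packet keeps the source address
that the first lookup already chose.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str                  # destination prefix, e.g. "192.168.1.0/24"
    dev: str                     # output device
    src: Optional[str] = None    # preferred source address ("src" hint of ip route)


@dataclass
class Rule:
    prio: int
    table: str
    to: Optional[str] = None     # "ip rule add to <prefix>"
    fwmark: int = 0              # "ip rule add fwmark <mark>" (0 = no mark match)
    iif: Optional[str] = None    # "ip rule add iif <dev>"; "lo" = locally generated


class Rpdb:
    """Routing policy database: rules, in priority order, selecting routing tables."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.tables: Dict[str, List[Route]] = {}

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.prio)

    def add_route(self, table: str, route: Route) -> None:
        self.tables.setdefault(table, []).append(route)

    def lookup(self, dst: str, mark: int = 0, iif: Optional[str] = None) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.to and addr not in ipaddress.ip_network(rule.to, strict=False):
                continue
            if rule.fwmark and rule.fwmark != mark:
                continue
            if rule.iif and rule.iif != iif:
                continue
            # Longest-prefix match in the selected table; if the table has no
            # matching route, the kernel continues with the next rule.
            matches = [r for r in self.tables.get(rule.table, [])
                       if addr in ipaddress.ip_network(r.prefix, strict=False)]
            if matches:
                return max(matches, key=lambda r: ipaddress.ip_network(r.prefix, strict=False).prefixlen)
        return None


# eth1 192.168.1.1 is the primary address; eth1:1 192.168.1.101 is only an alias.
PRIMARY_ADDR = {"eth1": "192.168.1.1"}


def send_local(rpdb: Rpdb, dst: str, output_mark: int = 0) -> dict:
    """Route a locally generated packet in the two phases the thread describes."""
    # Phase 1: routed before mangle OUTPUT runs; mark is 0, "iif lo" matches,
    # and the source address is fixed here.
    first = rpdb.lookup(dst, mark=0, iif="lo")
    if first is None:
        raise RuntimeError(f"no route to {dst}")
    src = first.src or PRIMARY_ADDR[first.dev]
    final = first
    if output_mark:
        # Phase 2: MARK in mangle OUTPUT triggers a re-route with the mark.
        # Assumption: the source address chosen in phase 1 is kept.
        final = rpdb.lookup(dst, mark=output_mark, iif="lo") or first
    return {"dev": final.dev, "src": src, "table_src_hint": final.src}


def base_rpdb() -> Rpdb:
    """Charles's setup: main table plus 'ip route add ... src 192.168.1.101 table 2'."""
    rpdb = Rpdb()
    rpdb.add_route("main", Route("192.168.1.0/24", "eth1", "192.168.1.1"))   # connected route
    rpdb.add_route("2", Route("192.168.1.0/24", "eth1", "192.168.1.101"))
    rpdb.add_rule(Rule(prio=32765, table="2", fwmark=0x2))   # ip rule add fwmark 0x2 table 2
    rpdb.add_rule(Rule(prio=32766, table="main"))            # implicit main-table rule
    return rpdb


def src_with_fwmark_only() -> str:
    # iptables -t mangle -A OUTPUT -j MARK --set-mark 0x2 runs after the first lookup.
    return send_local(base_rpdb(), "192.168.1.250", output_mark=0x2)["src"]


def src_with_to_rule() -> str:
    rpdb = base_rpdb()
    rpdb.add_rule(Rule(prio=32764, table="2", to="192.168.1.250"))   # ip rule add to 192.168.1.250 table 2
    return send_local(rpdb, "192.168.1.250", output_mark=0x2)["src"]


def src_with_iif_lo_rule() -> str:
    # Martin's second approach: "ip rule add iif lo table smtp" with the
    # locally connected network added to table smtp.
    rpdb = base_rpdb()
    rpdb.add_route("smtp", Route("192.168.1.0/24", "eth1", "192.168.1.101"))
    rpdb.add_rule(Rule(prio=100, table="smtp", iif="lo"))
    return send_local(rpdb, "192.168.1.250")["src"]


if __name__ == "__main__":
    print("fwmark rule only :", src_with_fwmark_only())
    print("plus 'to' rule   :", src_with_to_rule())
    print("iif lo table smtp:", src_with_iif_lo_rule())
```

The model deliberately leaves out the route cache and the `oif`/`tos` keys; it only captures which lookup fixes the source address, which is the difference between the `fwmark` rule and the `to` rule in Charles's quoted experiment. When debugging a real box, `ip route get <dst> mark <mark>` (which exists in iproute2 releases that support the `mark` keyword) and `ip rule show` are the commands that answer the same question without a tcpdump run.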
