From: Jimmy Thrasibule <thrasibule.jimmy@gmail.com>
To: Christoph Pleger <Christoph.Pleger@cs.tu-dortmund.de>
Cc: linux-admin@vger.kernel.org
Subject: Re: Policy routing problem
Date: Tue, 23 Oct 2012 14:16:32 +0200
Message-ID: <1350994592.2074.7.camel@BEWS005.euractiv.com>
In-Reply-To: <56295.129.217.4.64.1350990304.squirrel@postamt.cs.uni-dortmund.de>
On Tue, 2012-10-23 at 13:05 +0200, Christoph Pleger wrote:
> Hello,
Hello,
> I am running a DHCP-Server that serves multiple subnets. The server has
> an IP address in all of these subnets, and its primary IP address in a
> subnet that is not served by DHCP. Every IP address has its own VLAN
> Ethernet interface, eth0.102, eth0.104, etc. In this setup, the DHCP
> server often does not send its unicast replies on the interface where it
> received the corresponding request, but on the interface of its primary
> IP address, and with that IP. My first thought how to change this was by
> setting routes depending on destination addresses, but this would cause
> big problems with other services running on the same machine, so I tried
> to combine iproute2 and iptables, like this:
Unless you implicitly defined an interface to bind on, your DHCP server
should be listening on all broadcast interfaces. Alternatively, you can
force your DHCP server to bind on the interfaces you want.
If everything is OK on this point, some DHCP requests might come from
the "primary IP" address, making the server respond on that interface.
> iptables -t mangle -A OUTPUT -p udp --source-port bootps \
> -d xxx.xxx.22.0/24 -j MARK --set-mark 122
>
> ip route add to xxx.xxx.22.0/24 dev eth0.122 table 122
>
> ip rule add fwmark 122 table 122
>
> Though I can see in my logs that iptables really sets that mark, routing
> does not work as expected and the server still uses its primary IP address
> for sending unicast DHCP replies.
>
> What am I doing wrong and what must be done to achieve the desired
> behaviour?
In the OUTPUT chain, the outbound interface is already defined. You should
be marking in PREROUTING. But check your network configuration first, as
the problem might come from there.
Jimmy
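A quick way to verify the fwmark -> table -> device chain that the original post sets up (mark 122, table 122, eth0.122). This is an added example written for this archive page, not a script from either poster; the prefix 192.0.2.0/24 is a documentation placeholder standing in for the masked xxx.xxx.22.0/24, and the sample `ip rule` / `ip route` output is constructed. One detail it handles that a naive grep misses: `ip rule show` prints the mark in hex, so mark 122 appears as `fwmark 0x7a`.

```shell
#!/bin/sh
# Added example: check that a fwmark-based policy route is wired up end to end.
# Not code from the thread; prefix and outputs below are constructed samples.

# mark_table MARK RULES_TEXT: print the table that the "fwmark MARK" rule selects.
# ip rule shows marks in hex (122 -> 0x7a), so the decimal mark is converted first.
mark_table() {
  hexmark=$(printf '0x%x' "$1")
  printf '%s\n' "$2" | awk -v m="$hexmark" '
    $0 ~ ("fwmark " m "([ /]|$)") { for (i = 1; i <= NF; i++) if ($i == "lookup") print $(i + 1) }'
}

# route_dev PREFIX ROUTES_TEXT: print the device of the route for PREFIX in a table dump.
route_dev() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# check_policy_route MARK PREFIX DEV RULES_TEXT ROUTES_TEXT
# Returns 0 when a rule for MARK exists and the matching table sends PREFIX out DEV.
check_policy_route() {
  mark=$1; prefix=$2; want_dev=$3; rules=$4; routes=$5
  table=$(mark_table "$mark" "$rules")
  [ -n "$table" ] || { echo "no fwmark rule for mark $mark"; return 1; }
  dev=$(route_dev "$prefix" "$routes")
  [ "$dev" = "$want_dev" ] || {
    echo "table $table routes $prefix via '${dev:-nothing}', expected $want_dev"; return 1; }
  echo "mark $mark -> table $table -> $prefix dev $dev"
}

# Constructed sample output, shaped like `ip rule show` and `ip route show table 122`.
SAMPLE_RULES='0:	from all lookup local
32765:	from all fwmark 0x7a lookup 122
32766:	from all lookup main
32767:	from all lookup default'
SAMPLE_ROUTES='192.0.2.0/24 dev eth0.122 scope link'

# Against live data on the box you would pass "$(ip rule show)" and
# "$(ip route show table 122)" instead of the samples.
check_policy_route 122 192.0.2.0/24 eth0.122 "$SAMPLE_RULES" "$SAMPLE_ROUTES"
```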