From: David Ford <david@blue-labs.org>
To: linux-kernel@vger.kernel.org
Subject: RP_FILTER runs too late
Date: Tue, 07 Aug 2001 02:43:35 -0400
Message-ID: <3B6F8E17.9090100@blue-labs.org>

I finally figured out why my SNAT setup wasn't working.  I had 1 in 
eth0/rp_filter and that was silently breaking it.

This discussion follows the scripts located at website 
http://blue-labs.org/ , rc.networking and rc.firewalling.  Both are live 
meaning you'll see any changes I make.

Here's the scoop.  I run a VPN from here to my colo server...but I don't 
want all my traffic going through the VPN.  So I need to finagle a 
method of NAT.  Now because the NAT code runs behind the routing code, 
packets are already heading the wrong direction when they get their 
headers changed.  Because of that you need to tag them with a mark and 
implement routing rules based on that mark.  As a side note, all that 
could be avoided if SNAT would just be available in PREROUTING.

Ok. Now that packets are flowing through the right interfaces, things 
look good but wait...the reply packets are vanishing without a trace.

The culprit is the rp_filter on eth0.  The packet comes in, gets the 
header rewritten, then gets chomped by rp_filter.  I'm not quite sure why 
because the src is still an external IP and the destination before and 
after is still an internal IP.

Wouldn't the rp_filter be more effective if it came ahead of the NAT 
code?  As it is now, it's useless on that interface.

David
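The drop David describes is what strict reverse-path filtering does by design: a packet is accepted only if the best route back to its source address would leave through the interface it arrived on. Below is an added illustration (not code from the mail or from the scripts on blue-labs.org) that models that check against a constructed routing table with a default route through a VPN tunnel, so a reply from an external host arriving on eth0 fails the check; it does not model fwmark policy rules, and the loose mode (value 2) it includes was added in later kernels.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). It mirrors the
# setup in the mail: default route via the VPN tunnel, LAN on eth0.
ROUTES = [
    ("0.0.0.0/0", "tun0"),        # default route through the VPN
    ("192.168.1.0/24", "eth0"),   # internal LAN behind this box
]


def lookup(table, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def rp_filter_accepts(table, src, ingress, mode=1):
    """Reverse-path check as the rp_filter sysctl does it.

    mode 0: filtering off, everything passes
    mode 1: strict, the route back to src must leave via `ingress`
    mode 2: loose, any route back to src is enough
    """
    if mode == 0:
        return True
    dev = lookup(table, src)
    if dev is None:           # no route back at all: dropped in both modes
        return False
    return dev == ingress if mode == 1 else True


if __name__ == "__main__":
    # Reply from an external host arrives on eth0. The only route back to
    # 203.0.113.10 is the VPN default route, so strict mode drops it.
    print(rp_filter_accepts(ROUTES, "203.0.113.10", "eth0"))          # False
    # Same packet, same table, loose mode: a route exists, so it passes.
    print(rp_filter_accepts(ROUTES, "203.0.113.10", "eth0", mode=2))  # True
    # A specific route to the source via eth0 satisfies strict mode.
    fixed = ROUTES + [("203.0.113.0/24", "eth0")]
    print(rp_filter_accepts(fixed, "203.0.113.10", "eth0"))           # True
```

When debugging this, `cat /proc/sys/net/ipv4/conf/eth0/rp_filter` and `ip route get <src> from <dst> iif eth0` show the setting and the route the check will use; disabling the filter on a border interface trades this drop for losing spoofed-source protection there.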