Re: Routing locally generated traffic on fwmark

[Andrew Beverley <andy@andybev.com>]

On Thu, 2011-09-29 at 12:28 +0200, Jan Engelhardt wrote:
> On Thursday 2011-09-29 08:51, Andrew Beverley wrote:
> >> iptables -A OUTPUT -t mangle -d 89.16.176.81 -j MARK --set-mark 0x800
> >> ip rule add fwmark 0x800/0xffff table T2
> >> ip route add table T2 default dev ppp1 via 94.30.127.76
> >
> >I've also added the following, which makes no difference:
> >
> >iptables -t nat -A POSTROUTING -o ppp1 \
> >	-j SNAT --to-source 109.224.134.110
> 
> Of course it makes no difference, because SNAT is applied after routing.
> ("POST" "ROUTING", see?)

Yes, but in my case the SNAT still needed applying. The problem was that
although the packets were being routed via the second interface, they
were still being sent from the original IP address of the first
interface. Therefore, packets were being returned to the first
interface, making it look as if the second interface wasn't being used.

> 
> >So, I assume the problem is that the packet is marked too late to affect
> >the routing.
> >Looking at the packet flow diagram[1] though, there should
> >be a re-route check after the mangle table, which should re-route if a
> >packet's mark has changed. Does this feature need enabling?
> 
> mangle is the right place; in its code you will find
> 
>         ret = ipt_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
>                            dev_net(out)->ipv4.iptable_mangle);
>         /* Reroute for ANY change. */
>         if (ret != NF_DROP && ret != NF_STOLEN) {
>                 iph = ip_hdr(skb);
>                 if (iph->saddr != saddr ||
>                     iph->daddr != daddr ||
>                     skb->mark != mark ||  
>                     iph->tos != tos)
>                         if (ip_route_me_harder(skb, RTN_UNSPEC))
>                                 ret = NF_DROP;

Thanks, that helps. Useful to know exactly what is going on.

Thanks for all the help.

Andy