netfilter before routing for local outgoing packets ?

netfilter before routing for local outgoing packets ?

[Jean Tourrilhes]

	Hi,

	After reading various documentations, I've hit a deadlock. I
hope you guys can help me.
	<Not suscribed to the list, please cc me>

	What I want to do :
	I want to be able to route a specific *local* application
differently from other applications. A crude simplification would be
to route 'telnet' via eth0 and 'http' via eth1. In practice, I would
really like the flexibility of having two set of routes.

	I can define multiple routing tables (via 'ip route'), and set
some rules defining which table should be used (via 'ip rule'). Those
rules arebased on source address, dest address, TOS or
fwmark. Netfilter allow me to set TOS or fwmark based on more or less
what I want.
		http://en.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html
		http://linux-ip.net/html/tools-ip-rule.html
		http://linux-ip.net/html/adv-multi-internet.html
		(Excellent document by the way !)

	Unfortunately, local outgoing packet don't seem to go through
netfilter before passing through the routing table.
		http://www.docum.org/stef.coene/qos/kptd/

	Did I miss something obvious ? Is there any way to use 'ip
rule' for local outgoing traffic ? Is there any other mechanism that
would do what I want ?

	Thanks...

	Jean

Re: netfilter before routing for local outgoing packets ?

[DALive Editor]

Hello sir....I'm but a humble rookie. Yet, i recently, and very proudly 
compiled my first kernel. And this is a feature/option selectable in the 
kernel configuration, called "NAT of locak connections", under 
Networking Options > Networking Configuration. By the way, that was 
kernel 2.4.22.

Someone correct me if I'm wrong please.
Peace.


Jean Tourrilhes wrote:

>	Hi,
>
>	After reading various documentations, I've hit a deadlock. I
>hope you guys can help me.
>	<Not suscribed to the list, please cc me>
>
>	What I want to do :
>	I want to be able to route a specific *local* application
>differently from other applications. A crude simplification would be
>to route 'telnet' via eth0 and 'http' via eth1. In practice, I would
>really like the flexibility of having two set of routes.
>
>	I can define multiple routing tables (via 'ip route'), and set
>some rules defining which table should be used (via 'ip rule'). Those
>rules arebased on source address, dest address, TOS or
>fwmark. Netfilter allow me to set TOS or fwmark based on more or less
>what I want.
>		http://en.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html
>		http://linux-ip.net/html/tools-ip-rule.html
>		http://linux-ip.net/html/adv-multi-internet.html
>		(Excellent document by the way !)
>
>	Unfortunately, local outgoing packet don't seem to go through
>netfilter before passing through the routing table.
>		http://www.docum.org/stef.coene/qos/kptd/
>
>	Did I miss something obvious ? Is there any way to use 'ip
>rule' for local outgoing traffic ? Is there any other mechanism that
>would do what I want ?
>
>	Thanks...
>
>	Jean
>
>
>  
>

RE: netfilter before routing for local outgoing packets ?

[Daniel Chemko]

If you mark a packet in the OUTPUT table, the routing algorithm should
re-run and decide the path that was defined in the routing policy, so
here is the order of relevant events:

Program Send Packet
Routing Decision - Go out normal Interface
MANGLE: OUTPUT - Mark packet as fwmark 1
Routing Decision - Choose route as usual, but include fwmark 1 in
equation.


Warning: That is supposedly the behavior, but I have yet to get it
working properly.

Re: netfilter before routing for local outgoing packets ?

[Wim Ceulemans]

[-- Attachment #1: Type: text/plain, Size: 1347 bytes --]

Daniel

See recent discussion about the routing decision in the netfilter-devel 
archive.
As I understood it:

The first routing decision is taken only for packets originating from an 
unbound socket. If the source ip address is determined (by the routing 
decision), then the packet travels through the output chains and only if 
it is changed in the mangle table it can be re-routed.

For packets originating from a bound socket, no routing decision is 
taken before the output chain, only the routing decision after is taken.

Regards
Wim

Daniel Chemko wrote:

>If you mark a packet in the OUTPUT table, the routing algorithm should
>re-run and decide the path that was defined in the routing policy, so
>here is the order of relevant events:
>
>Program Send Packet
>Routing Decision - Go out normal Interface
>MANGLE: OUTPUT - Mark packet as fwmark 1
>Routing Decision - Choose route as usual, but include fwmark 1 in
>equation.
>
>
>Warning: That is supposedly the behavior, but I have yet to get it
>working properly.
>
>
>
>  
>


-- 
Wim Ceulemans
R&D Engineer

Secure Internet Communication with aXs Guard

Able NV
Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
E-mail: wim.ceulemans@able.be



--
Security check on this e-mail has been done by aXs GUARD
(http://www.axsguard.com)