From: Marc SCHAEFER <schaefer@alphanet.ch>
To: netfilter@vger.kernel.org
Subject: SNAT vs ip rule
Date: Mon, 27 Jan 2025 21:31:27 +0100
Message-ID: <Z5ftHy+Xj99BdvbV@alphanet.ch>

Hello,

Assume a firewall with three network interfaces:

   - enp2s0.300: 193.72.186.130
   - enp2s0.400: 46.140.72.218
   - enp2s0.202: 192.168.202.2

The default route goes through enp2s0.400, however there is another
routing table with default route through enp2s0.300 (table 193).

There is an ip rule from 193.72.186.128/26 which works correctly
directly on the firewall:

    ping -I 46.140.72.218 8.8.8.8 # goes to enp2s0.400
    ping -I 193.72.186.130 8.8.8.8 # goes to enp2s0.300

Now, assume a machine 192.168.202.10, on enp2s0.202, with default route
192.168.202.2.

What I want to do:

192.168.202.10% ping 8.8.8.8

   192.168.202.10 gets rewritten with SNAT to 192.72.186.130

   as from 193.72.186.130, ip rule selects default route via enp2s0.300

It does not seem to work: ip rule is ignored, the SNAT works, but the
datagram src=193.72.186.130 is sent on the default route enp2s0.400,
not enp2s0.300.

So, maybe the ip rule is invoked before SNAT?

With iptables, the only solution that worked was using CONNTRACK, mark
and save/restore and an ip rule on the mark.

Is that also the case with nftables?

Thank you.
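A forwarded packet's route is chosen before the postrouting SNAT runs, so an ip rule keyed on the source address never sees the translated address; the workaround the poster used with iptables, marking the flow before routing and selecting the table on the mark, looks like this in nftables. This is an added example, not part of the post or a reply to it: interfaces, addresses and routing table 193 come from the post, while the table name, the mark value 0x1 and the LAN prefix 192.168.202.0/24 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the post): "mark, save to conntrack, restore,
# ip rule on the mark" expressed in nftables. Interface names, addresses
# and routing table 193 are from the post; the table name "policyroute",
# the mark value 0x1 and the prefix 192.168.202.0/24 are assumptions.

table ip policyroute {
    chain prerouting {
        # mangle priority (-150) runs before the forward routing decision,
        # which is the only place a mark can still influence the route
        type filter hook prerouting priority mangle; policy accept;

        # Connection already marked: reapply the saved mark.
        # Original direction only, so replies keep using the main table
        # (table 193 may hold just a default route, not 192.168.202.0/24).
        ct direction original ct mark != 0 meta mark set ct mark

        # First packet from the LAN host: set the mark and store it in
        # conntrack so later packets of the flow are treated the same way.
        iifname "enp2s0.202" ip saddr 192.168.202.0/24 ct mark == 0 \
            meta mark set 0x1 ct mark set meta mark
    }

    chain postrouting {
        # srcnat priority (100) runs after routing: the egress interface is
        # already fixed here, so translate only what really leaves via .300
        type nat hook postrouting priority srcnat; policy accept;
        oifname "enp2s0.300" ip saddr 192.168.202.0/24 snat to 193.72.186.130
    }
}
```

Pair it with `ip rule add fwmark 0x1 lookup 193` so marked packets use the table whose default route leaves via enp2s0.300; `nft -c -f policyroute.nft` checks the file for syntax errors without loading it.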
