
Re: [RFC] MASQUERADE / policy routing ("Route send us somewhere else")

To: Henrik Nordstrom <hno@xxxxxxxxxxxxxxx>
Subject: Re: [RFC] MASQUERADE / policy routing ("Route send us somewhere else")
From: Harald Welte <laforge@xxxxxxxxxxxxx>
Date: Tue, 31 Aug 2004 14:31:05 +0200
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>, netdev@xxxxxxxxxxx, rusty@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.61.0408311145580.12063@xxxxxxxxxxxxxxxxxxxxx>
Mail-followup-to: Harald Welte <laforge@xxxxxxxxxxxxx>, Henrik Nordstrom <hno@xxxxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, netdev@xxxxxxxxxxx, rusty@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
References: <20040830201957.GY5824@xxxxxxxxxxxxxxxxxxxxxxx> <20040830140729.7309ecc0.davem@xxxxxxxxxxxxx> <20040831013841.GA5824@xxxxxxxxxxxxxxxxxxxxxxx> <Pine.LNX.4.61.0408311145580.12063@xxxxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040722i
On Tue, Aug 31, 2004 at 12:24:34PM +0200, Henrik Nordstrom wrote:
 
> >and it apparently happens in a lot of 'typical' setups where you have a
> 
> Should only happen if the routing is screwed up, in principle..

Yes, but it happens to happen more often, thus I see it as a bug.

> >Also, the MASQUERADE lookup (obviously) has no more saddr in the lookup,
> >that's another difference from the 'original' lookup.
> 
> This is a possible reason why it screws up for so many people? By not 
> including the source IP you make the route lookup for determining the 
> MASQUERADE information very different from the route lookup when 
> forwarding the packet.

Yes, since it now looks to the routing code as if you wanted to find out
a source ip for locally-originated packets.

> I think it would for most make more sense that the source IP assignment is 
> based on routing using the original source address as key.

Question is: can we do this?  Can we ask the routing code to choose a
source address while we already specify one?  I don't think so.

> >That is the presumption I am about to challenge.  Is the 'original'
> >interface really the one we want in this case?
> 
> If there is policy routing saying that packets with a given source 
> should go out another interface my opinion is that they should.

Ok, I think I agree with you. It sounds like the right thing to do,
rather than trying to fix a broken configuration within MASQUERADE.

> Regards
> Henrik

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

