
Re: [RFC] MASQUERADE / policy routing ("Route send us somewhere else")

To: Julian Anastasov <ja@xxxxxx>
Subject: Re: [RFC] MASQUERADE / policy routing ("Route send us somewhere else")
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 1 Sep 2004 07:33:18 +1000
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>, laforge@xxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx, rusty@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, kuznet@xxxxxxxxxxxxx
In-reply-to: <20040831212802.GB7058@xxxxxxxxxxxxxxxxxxx>
References: <20040831111508.GA2327@xxxxxxxxxxxxxxxxxxx> <Pine.LNX.4.44.0408311446240.4022-100000@l> <20040831212802.GB7058@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040722i
On Wed, Sep 01, 2004 at 07:28:02AM +1000, herbert wrote:
> On Tue, Aug 31, 2004 at 03:33:22PM +0300, Julian Anastasov wrote:
> > 
> >     I do not see where the public IP is, what you mean? As the
> > mpath route does not have preferred src IP (usually when many ISPs
> > are used) the kernel uses inet_select_addr to select one, in similar
> > way as you are trying to do. But the difference is that it is now
> > cached and by using nfmark we have more options not to reach this
> > mpath route on next lookups.
> I was mistaken.  In the mpath case there is no source address per
> nexthop.

Actually, that should still work.

For example, if you're like me and the nexthops all go to different
devices then it's obviously OK as inet_select_addr will pick the
right one for the device.  If they're going through the same device
but to different gateways then it'll still pick the right one for
the given gateway.

It only breaks when all your nexthops go to the same gateway (can't
happen) or if somehow the gateway addresses don't match up with your
desired source address.

In that case I really think that you should use SNAT :)

Visit Openswan at
Email: Herbert Xu 许志壬 <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page:
PGP Key:
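
The three cases in the message above can be checked with a simplified C model of the subnet-matching preference used when a source address is chosen for a nexthop gateway. This is an added example, not code from the original message or from the kernel; `select_src`, `struct ifaddr4` and the documentation-range addresses are constructed for illustration, and scope checks and the fallback to other devices are left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One primary IPv4 address configured on a device (host byte order). */
struct ifaddr4 {
    uint32_t local;  /* the address itself */
    uint32_t mask;   /* its netmask */
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/*
 * Hypothetical helper modelling the preference described in the message:
 * pick the device address whose subnet contains the gateway; if none
 * matches, fall back to the first address on the device.
 */
static uint32_t select_src(const struct ifaddr4 *ifa, size_t n, uint32_t gw)
{
    uint32_t fallback = 0;

    for (size_t i = 0; i < n; i++) {
        if (((ifa[i].local ^ gw) & ifa[i].mask) == 0)
            return ifa[i].local;      /* gateway is on this subnet */
        if (!fallback)
            fallback = ifa[i].local;  /* remember first address seen */
    }
    return fallback;                  /* 0 when the device has no address */
}

/* Constructed sample: two ISPs reached through the same device. */
static const struct ifaddr4 eth0[] = {
    { IP4(192, 0, 2, 10),    IP4(255, 255, 255, 0) },  /* ISP A subnet */
    { IP4(198, 51, 100, 10), IP4(255, 255, 255, 0) },  /* ISP B subnet */
};

int main(void)
{
    /* Same device, different gateways: each gets the matching source. */
    printf("%08x\n", (unsigned)select_src(eth0, 2, IP4(192, 0, 2, 1)));
    printf("%08x\n", (unsigned)select_src(eth0, 2, IP4(198, 51, 100, 1)));
    /* Gateway on neither subnet: the fallback may not be the desired source. */
    printf("%08x\n", (unsigned)select_src(eth0, 2, IP4(203, 0, 113, 1)));
    return 0;
}
```

The third call is the mismatch case: the gateway does not line up with any configured subnet, so the result is simply the first address, which is where an explicit SNAT rule gives a deterministic source.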
