On Tue, Aug 31, 2004 at 12:24:34PM +0200, Henrik Nordstrom wrote:
> >and it apparently happens in a lot of 'typical' setups where you have a
>
> Should only happen if the routing is screwed up, in principle..
Yes, but it happens to happen more often, thus I see it as a bug.
> >Also, the MASQUERADE lookup (obviously) has no more saddr in the lookup,
> >that's another difference from the 'original' lookup.
>
> This is a possible reason why it screws up for so many people? By not
> including the source IP you make the route lookup for determining the
> MASQUERADE information very different from the route lookup when
> forwarding the packet.
Yes, since it now looks to the routing code as if you wanted to find out
a source IP for locally-originated packets.
> I think it would for most make more sense that the source IP assignment is
> based on routing using the original source address as key.
Question is: can we do this? Can we ask the routing code to choose a
source address while we already specify one? I don't think so.
> >That is the presumption I am about to challenge. Is the 'original'
> >interface really the one we want in this case?
>
> If there is policy routing saying that packets with a given source
> should go out another interface my opinion is that they should.
Ok, I think I agree with you. It sounds like the right thing to do,
rather than trying to fix a broken configuration within MASQUERADE.
> Regards
> Henrik
--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie