
Re: [RFC] MASQUERADE / policy routing ("Route send us somewhere else")

To: "David S. Miller" <davem@xxxxxxxxxxxxx>
Subject: Re: [RFC] MASQUERADE / policy routing ("Route send us somewhere else")
From: Julian Anastasov <ja@xxxxxx>
Date: Tue, 31 Aug 2004 09:48:07 +0300 (EEST)
Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, laforge@xxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx, rusty@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, kuznet@xxxxxxxxxxxxx
In-reply-to: <20040830223920.1db0d5ae.davem@xxxxxxxxxxxxx>
References: <20040830191915.04d49268.davem@xxxxxxxxxxxxx> <E1C1yRs-00086x-00@xxxxxxxxxxxxxxxxxxxxxxxx> <20040830223920.1db0d5ae.davem@xxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
        Hello,

On Mon, 30 Aug 2004, David S. Miller wrote:

> > If you're wondering why the second lookup is returning a different
> > interface at all, it's because the routing lookup in MASQUERADE is
> > done as if the packet was generated by localhost.  This is obviously
> > going to differ from the normal routing lookup if the packet was
> > forwarded.
>
> I understand this description.
>
> Would it be enough to set 'out' to rt->u.dst.dev after the call to
> ip_route_output_key() in ipt_MASQUERADE.c?

        I think the picture is:

Packet 1:

- input route (before NAT) => dev1

- MASQUERADE => autoselect public IP, try to use dev1 (same GW)
as already selected from input route

Packet 2..n:

- input route (before NAT) => cached dev1 (until routing/cache changes)

        So, if the input route for all packets selects dev1 before
NAT but MASQUERADE selects a different device (nexthop), bad things
happen. It costs routing cache entries to provide the oif key, but in
almost any case the right gateway is selected (except when two nexthops
use the same device).

Regards

--
Julian Anastasov <ja@xxxxxx>
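As an added illustration of the two lookups described above (not code from the thread or from the kernel): a small Python model of policy routing in which the forward lookup, keyed on the input interface, picks dev1, while a MASQUERADE-style output lookup with no iif falls through to the main table and picks dev2, so the source address it would select belongs to the wrong uplink; supplying the oif key restricts the second lookup to the device the input route chose. The rules, tables, device names and addresses are constructed for the example.

```python
import ipaddress

# Constructed configuration: traffic arriving on lan0 is policy-routed via
# uplink dev1, while the main table prefers uplink dev2 for the default route.
RULES = [                                    # evaluated in order, like "ip rule"
    {"iif": "lan0", "table": "uplink1"},
    {"table": "main"},
]
TABLES = {
    "uplink1": [{"dst": "0.0.0.0/0", "dev": "dev1", "gw": "192.0.2.1", "src": "192.0.2.10"}],
    "main": [
        {"dst": "192.0.2.0/24", "dev": "dev1", "gw": None, "src": "192.0.2.10"},
        {"dst": "198.51.100.0/24", "dev": "dev2", "gw": None, "src": "198.51.100.10"},
        {"dst": "0.0.0.0/0", "dev": "dev2", "gw": "198.51.100.1", "src": "198.51.100.10"},
        {"dst": "0.0.0.0/0", "dev": "dev1", "gw": "192.0.2.1", "src": "192.0.2.10"},
    ],
}

def lookup(daddr, iif=None, oif=None):
    """Longest-prefix lookup in the first table whose rule matches the key.
    A rule without iif matches any key (a locally generated packet has none);
    an oif key keeps only routes on that device, as an output lookup with
    the oif set does. If a table has no match, the next rule is tried."""
    addr = ipaddress.ip_address(daddr)
    for rule in RULES:
        if rule.get("iif") not in (None, iif):
            continue
        best = None
        for r in TABLES[rule["table"]]:
            net = ipaddress.ip_network(r["dst"])
            if addr not in net or (oif and r["dev"] != oif):
                continue
            if best is None or net.prefixlen > ipaddress.ip_network(best["dst"]).prefixlen:
                best = r                     # ties keep the earlier route
        if best:
            return best
    return None

def masquerade_devices(daddr, iif, key_oif):
    """Return (forward_dev, masq_dev, masq_src) for one forwarded packet.
    The input route decides where the packet really leaves; the MASQUERADE
    lookup runs without an iif and, when key_oif is set, with oif = that device."""
    fwd = lookup(daddr, iif=iif)
    masq = lookup(daddr, oif=fwd["dev"] if key_oif else None)
    return fwd["dev"], masq["dev"], masq["src"]

if __name__ == "__main__":
    for key_oif in (False, True):
        print("oif key" if key_oif else "no oif key",
              masquerade_devices("203.0.113.7", "lan0", key_oif))
```

Without the oif key the tuple reports dev1 for forwarding but dev2 (and 198.51.100.10) for the NAT source; with it both lookups agree on dev1. Two default routes on the same device in different tables would still not be told apart by oif alone, which is the exception noted above.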
