Re: [RFC] MASQUERADE / policy routing ("Route send us somewhere else")

To: Julian Anastasov <ja@xxxxxx>
Subject: Re: [RFC] MASQUERADE / policy routing ("Route send us somewhere else")
From: Harald Welte <laforge@xxxxxxxxxxxxx>
Date: Tue, 31 Aug 2004 14:16:58 +0200
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, netfilter-devel@xxxxxxxxxxxxxxxxxxx, rusty@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, kuznet@xxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.58.0408310908120.4024@xxxxxxxxxxxx>
Mail-followup-to: Harald Welte <laforge@xxxxxxxxxxxxx>, Julian Anastasov <ja@xxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, netfilter-devel@xxxxxxxxxxxxxxxxxxx, rusty@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, kuznet@xxxxxxxxxxxxx
References: <20040830191915.04d49268.davem@xxxxxxxxxxxxx> <E1C1yRs-00086x-00@xxxxxxxxxxxxxxxxxxxxxxxx> <20040830223920.1db0d5ae.davem@xxxxxxxxxxxxx> <Pine.LNX.4.58.0408310908120.4024@xxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040722i

On Tue, Aug 31, 2004 at 09:48:07AM +0300, Julian Anastasov wrote:

>       So, if the input route for all packets selects dev1 before
> NAT but MASQUERADE selects different device (nexthop) bad things
> happen. It costs routing cache entries to provide oif key but almost
> in any case the right gateway is selected (except when two nexthops
> use same device).

I am willing to compromise at that cost.  I cannot imagine a combination
of dynamic IP with multiple nexthops on the same device.  Getting those
policy routing / DSL / dynip / MASQUERADE cases right is definitely more
important.

Any static IP case should be using SNAT, that's always been documented.

> Regards

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
