Re: [vserver] Prerouting identification of vserver packets

From: John A. Sullivan III <jsullivan_at_opensourcedevel.com>
Date: Sun 19 Jul 2009 - 21:56:02 BST
Message-Id: <1248036962.6444.6.camel@jaspav.missionsit.net.missionsit.net>

On Sun, 2009-07-19 at 13:31 +0200, Giovanni Di Stasi wrote:
> Herbert Poetzl wrote:
> >
> >> ip rule from 10.1.1.10 table special pri 1000
> >> would work but is too late to change the source address since the source
> >> has obviously already been chosen. At least this appears to be the
> >> behavior we observed when we tried this.
> >>
> >
> > you could always SNAT it afterwards ...
> >
> >
>
> Hi, this discussion seems very interesting.
>
> I wrote a script to allow user-specific routing table in a Linux host
> and I had to cope with this same problem (the source ip address not
> being set correctly).
>
> Do you know why the source ip address is not changed when I use a rule
> like this?
> ip route add to <destination> src <source_ip_address_of_interface> table
> special
>
> I worked out this issue by adding an SNAT rule to the traffic that I
> wanted to get routed with the table "special", but I was wondering why
> the "src <source_ip_address>" statement wouldn't produce any effects.
>
> Thanks,
> Giovanni
I'm not skilled enough to look at the code so I can only answer based
upon my experimentation. I am guessing that by the time we hit this
part of the packet processing (I am assuming postroute processing), any
placeholders for the source address have already been replaced with the
source address chosen from the main or local routing tables since I
believe those are the only ones inspected by the kernel. Since the
source is not set, we cannot change it.

If we use a selector such as iif or to, we must catch it in the
prerouting processing and thus can set the source address. A rule such
as yours works fine with an iif selector but does not with a from
selector.

SNAT is a good workaround and with the large crop of NAT helpers in
conntrack, most protocols should be OK. I was hoping to avoid the
overhead and any possible problems with obscure protocols which may
embed layer 3 information in upper layer headers and not have NAT
helpers. Take care - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
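The two configurations discussed in this thread, written out side by side as an added example (not a script from the list or from the vserver project). The `from`-selector variant needs the SNAT rule because, as the thread observes, the `src` hint on the route no longer takes effect once the source address has been chosen; the `iif`-selector variant is matched early enough that `src` applies. The table name, interface names and addresses below are constructed placeholders, and `special` must already be listed in `/etc/iproute2/rt_tables` for the commands to run. The functions only print the commands; `apply_cmds` runs them and requires root.

```shell
#!/bin/sh
# Added example: policy routing for one guest address, in the two variants
# compared in the thread. All values are constructed placeholders.

TABLE="special"          # assumed to be registered in /etc/iproute2/rt_tables
GUEST_IP="10.1.1.10"     # guest address from the thread
GUEST_IF="vs0"           # hypothetical interface the guest's packets arrive on
OUT_IF="eth1"            # hypothetical outbound interface
OUT_IP="192.0.2.10"      # constructed source address to use on OUT_IF
GATEWAY="192.0.2.1"      # constructed next hop

# Variant A: select on the source address with 'from'. The rule matches only
# after the kernel has already chosen a source, so the route's 'src' hint does
# not change it; the SNAT rule in the nat POSTROUTING chain rewrites it instead.
from_variant() {
    printf '%s\n' \
      "ip route add default via $GATEWAY dev $OUT_IF src $OUT_IP table $TABLE" \
      "ip rule add from $GUEST_IP table $TABLE pri 1000" \
      "iptables -t nat -A POSTROUTING -s $GUEST_IP -o $OUT_IF -j SNAT --to-source $OUT_IP"
}

# Variant B: select on the incoming interface with 'iif'. This is evaluated
# before the source address is fixed, so the route's 'src' hint is honoured and
# no NAT (and no conntrack helpers) is needed.
iif_variant() {
    printf '%s\n' \
      "ip route add default via $GATEWAY dev $OUT_IF src $OUT_IP table $TABLE" \
      "ip rule add iif $GUEST_IF table $TABLE pri 1000"
}

# Check which source address the kernel would pick for a given destination
# when the packet arrives on GUEST_IF from GUEST_IP; the output's 'src' field
# shows whether the routing table's hint was applied.
check_cmd() {
    dest="${1:-198.51.100.1}"   # constructed destination for the lookup
    printf '%s\n' "ip route get $dest from $GUEST_IP iif $GUEST_IF"
}

# Run every command emitted by one of the variants (needs root).
apply_cmds() {
    "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# Usage (as root):
#   apply_cmds iif_variant
#   sh -c "$(check_cmd)"
```

Run `from_variant` or `iif_variant` on their own first to review the commands; `apply_cmds` executes them one by one and stops at the first failure.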
Received on Sun Jul 19 21:52:40 2009
Generated on Sun 19 Jul 2009 - 21:52:42 BST by hypermail 2.1.8