Re: MASQUERADE: Route sent us somewhere else (was Re: Fw: Rusty's brain broke!)
From: Julian Anastasov
Date: Sun Jan 11 2004 - 09:04:31 EST
Hello,
On Sun, 11 Jan 2004, Harald Welte wrote:
> As an example case where I would suspect problems: The packet could be
> coming from a local socket, and the socket be bound to a specific
> interface (sk->bound_dev_if).
IMO, the real example is that people use multipath routes
and providing oif was the only way for MASQUERADE to meet the netfilter
and firewalling expectation of not changing the output device during
hooks. OTOH, providing oif=0 is the valid approach for selecting the
right route, but as long as the above expectation exists there are
two options for the users:
- provide oif learned from the input route (as before the discussed
change). Maybe in 99% of the setups it selects the right route.
I think we should use this, at least for 2.4.
- use CONNMARK or similar functionality to keep the connection
bound to its path. As long as CONNMARK is not a standard feature
there is no safe way to use multipath routes with MASQUERADE and
SNAT in the latest kernels. Even before this change it was risky
to rely on the routing cache to keep NAT connections bound to
their path in the multipath route - the cache entries expire.
Regards
--
Julian Anastasov <ja@xxxxxx>
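The CONNMARK approach named in the second option above, as an added example that is not part of this thread: a POSIX shell script for a gateway with two uplinks that records which uplink the multipath route picked for a new masqueraded connection and routes the connection's later packets by that saved mark. Interface names, next-hop addresses, mark values and table numbers are placeholders; with DRY_RUN=1 (the default) the script only prints the iptables/ip commands it would run.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps a MASQUERADEd LAN connection
# on the uplink that its first packet left on, using CONNMARK + policy routing.
# Assumed (placeholder) topology: LAN on eth0; uplinks eth1/eth2 with next hops
# 198.51.100.1 and 203.0.113.1 (documentation prefixes, not real addresses).
LAN_IF=eth0
UPLINKS="eth1:198.51.100.1:1:101 eth2:203.0.113.1:2:102"   # dev:gw:mark:table
# DRY_RUN=1 (default) prints each command instead of running it.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

build_rules() {
    # Packets arriving from the LAN get the mark saved on their conntrack
    # entry, so an established flow is routed by the fwmark rule below rather
    # than by a fresh multipath lookup. Internet-side replies are left
    # unmarked and reach the LAN through the main table as usual.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    nexthops=""
    for entry in $UPLINKS; do
        oldifs=$IFS; IFS=:; set -- $entry; IFS=$oldifs
        dev=$1; gw=$2; mark=$3; table=$4
        # One table per uplink holding a single default route, chosen by mark.
        run ip route add default via "$gw" dev "$dev" table "$table"
        run ip rule add fwmark "$mark" lookup "$table"
        # First packet of a new flow (mark still 0): the multipath route has
        # already picked $dev, so record that choice in the packet mark...
        run iptables -t mangle -A POSTROUTING -o "$dev" -m mark --mark 0 \
            -j MARK --set-mark "$mark"
        run iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
        nexthops="$nexthops nexthop via $gw dev $dev weight 1"
    done
    # ...and copy it onto the conntrack entry for the rest of the connection.
    run iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
    # Main-table multipath default route balances only *new* connections.
    # (word-splitting of $nexthops is intended)
    run ip route replace default scope global $nexthops
}

build_rules
```

Run with DRY_RUN=0 as root to apply; the mark is only restored on packets from the LAN side, so replies from either ISP still follow the main table back into the LAN.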