Re: MASQUERADE: Route sent us somewhere else (was Re: Fw: Rusty's brain broke!)
From: Henrik Nordstrom
Date: Sun Jan 11 2004 - 16:13:10 EST
On Sun, 11 Jan 2004, Julian Anastasov wrote:
> - use CONNMARK or similar functionality to keep the connection
> bound to its path. As long as CONNMARK is not a standard feature
> there is no safe way to use multipath routes with MASQUERADE and
> SNAT in the latest kernels. Even before this change it was risky
> to rely on the routing cache to keep NAT connections bound to
> its path in the multipath route - the cache entries expire.
As the author of CONNMARK I certainly do not mind having this progress
beyond patch-o-matic extras.
While it was invented to solve a special-case issue, it has over the years
found many additional and more general uses. Today it is in use for
a) Multihomed setups of a shared network with limited routing tables
b) Reliable and easy to understand multipath+NAT routing.
c) Interception routing without NAT, routing specific TCP sessions
(including RELATED and ICMP messages) along a special path, usually for
interception caching outside of the router without loss of addressing
information.
and probably several other applications I do not know about or have simply
forgotten.
Regards
Henrik
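Item b) in Henrik's list, multipath plus NAT pinned with CONNMARK, as an added example that is not part of the thread or of any netfilter project code. The script builds the mangle, nat and policy-routing rules for a router with one LAN interface and two uplinks; every interface name, address, fwmark value and table number is an assumption chosen for illustration. It only prints the commands unless invoked with `apply`, so the rule set can be reviewed on a machine without root.

```shell
#!/bin/sh
# Assumed topology (constructed for this example, not from the thread):
#   eth0  LAN       192.168.1.0/24
#   eth1  uplink A  gateway 203.0.113.1,  our address 203.0.113.10
#   eth2  uplink B  gateway 198.51.100.1, our address 198.51.100.10
A_IF=eth1; A_GW=203.0.113.1;  A_ADDR=203.0.113.10;  A_MARK=1; A_TABLE=101
B_IF=eth2; B_GW=198.51.100.1; B_ADDR=198.51.100.10; B_MARK=2; B_TABLE=102

# gen_rules prints every ip/iptables command, one per line, and executes
# nothing, so the plan can be inspected or tested without privileges.
gen_rules() {
    # One routing table per uplink, selected by the packet's fwmark.  The
    # multipath default in the main table is only a fallback for packets
    # that somehow carry no mark; with the rules below every flow is marked
    # before the routing decision, so the routing cache no longer matters.
    echo "ip route add default via $A_GW dev $A_IF table $A_TABLE"
    echo "ip route add default via $B_GW dev $B_IF table $B_TABLE"
    echo "ip rule add fwmark $A_MARK table $A_TABLE"
    echo "ip rule add fwmark $B_MARK table $B_TABLE"
    echo "ip route replace default scope global nexthop via $A_GW dev $A_IF weight 1 nexthop via $B_GW dev $B_IF weight 1"

    # 1. Every packet first inherits the mark stored on its connection.
    #    For a NEW connection the stored mark is 0.
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
    echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"

    # 2. Connections that arrive from the outside are pinned to the uplink
    #    they came in on, so replies (and RELATED ICMP) leave the same way.
    echo "iptables -t mangle -A PREROUTING -i $A_IF -m conntrack --ctstate NEW -j MARK --set-mark $A_MARK"
    echo "iptables -t mangle -A PREROUTING -i $B_IF -m conntrack --ctstate NEW -j MARK --set-mark $B_MARK"

    for chain in PREROUTING OUTPUT; do
        # 3. New flows from the LAN (PREROUTING) or the router itself (OUTPUT)
        #    that are still unmarked get a path chosen once, here a 50/50
        #    random split; everything the first rule did not pick goes to B.
        echo "iptables -t mangle -A $chain -m mark --mark 0 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK --set-mark $A_MARK"
        echo "iptables -t mangle -A $chain -m mark --mark 0 -m conntrack --ctstate NEW -j MARK --set-mark $B_MARK"
        # 4. Persist the decision in the conntrack entry; later packets of
        #    the flow get it back from step 1 and hit the same fwmark rule.
        echo "iptables -t mangle -A $chain -m conntrack --ctstate NEW -j CONNMARK --save-mark"
    done

    # 5. SNAT per egress interface.  Routing already happened on the mark,
    #    so the chosen source address always belongs to the interface used.
    echo "iptables -t nat -A POSTROUTING -o $A_IF -j SNAT --to-source $A_ADDR"
    echo "iptables -t nat -A POSTROUTING -o $B_IF -j SNAT --to-source $B_ADDR"
}

# apply_rules runs the plan line by line, echoing each command first.
apply_rules() {
    gen_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Two caveats when applying this for real: strict reverse-path filtering on the uplink interfaces consults the main table and may drop inbound packets on whichever uplink is not the main table's preferred next hop, so set rp_filter to loose (2) or off on eth1 and eth2; and the per-uplink tables only carry a default route here, so any directly connected or internal destinations reachable from the main table must be copied into tables 101 and 102 as well, or the marked flows will be sent to the uplink gateway instead.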