* routing policy based on u32 classifier
@ 2017-02-01 10:34 pupilla
  0 siblings, 0 replies; 6+ messages in thread
From: pupilla @ 2017-02-01 10:34 UTC (permalink / raw)
  To: netdev

Hello everyone,

Kindly I would like to ask if there is a way to do routing
policy based on u32 classifier without fwmark/netfilter.
I have read doc/tc-filters and doc/actions/actions-general
from iproute2-4.9.0 package but I am not able to find any
actions doing this kind of job: the only way is to mark
packets with netfilter.

Any responses are welcome

TIA

Marco


* Re: routing policy based on u32 classifier
       [not found]         ` <5A630F46702DD1498FFD48394B4A664C347275E0@john.ad.clarku.edu>
@ 2007-12-11 11:11           ` Marco Berizzi
  0 siblings, 0 replies; 6+ messages in thread
From: Marco Berizzi @ 2007-12-11 11:11 UTC (permalink / raw)
  To: Brian S Julin; +Cc: netdev

Brian S Julin wrote:

> Marco wrote:
>
>> Brian S Julin wrote:
>>> Almost clear... why can you not just add "src <ADSL IP>"
>>> to the fwmark route to set the default source address
>>> for locally originating packets?
>>
>> IIRC, it doesn't work because netfilter isn't called in
>> ip source address selection.
>
> Ah I see. Referring to this diagram...
>
> http://www.shorewall.net/images/Netfilter.png
>
> ...and to many people I see posting about similar issues,
> you are correct in that. A process socket cannot default to
> the correct (final) source address to use if there is a
> fwmark rule as it stands.
>
> I'll take a wild guess and conjecture that the reason fwmark
> rules work at all for output routing is that applying a
> fwmark on OUTPUT/mangle constitutes "changing the packet"
> and qualifies it for the NAT reroute. But by the time a
> packet gets sent the source address has already been chosen.
>
> About the only suggestion I can make is that "dumb nat"
> might be more elegant if you are not already using it,
> and looking into getting squid to explicitly set its
> source address.

My solution is cleaner :-) the kernel selects the IP for
squid and then it gets SNATed.
Thanks for the feedback.

> In fact it may be the case with some daemons
> that even if this were fixed inside the kernel, they will
> ignore the source address configured kernel side because they
> explicitly set it (usually by a reverse of their "Listen"
> configuration.) It's likely that this could be fixed and
> squid require NAT still. Perhaps the best solution is
> for individual daemons to be given configuration options
> telling them what source addresses to use.
>
> Has anyone worked up a patch already to do this kernel
> side? I could see it being fairly complicated. You
> would have to hand the packet directly to netfilter, then
> have netfilter perform a first-run RPDB lookup only for
> packets where it needs to (or packets which it decides
> not to touch) and then a second RPDB lookup if the
> packet is modified. Might speed things up a bit for
> some cases as a side benefit but worth it? I don't
> know.
>


* Re: routing policy based on u32 classifier
       [not found]     ` <5A630F46702DD1498FFD48394B4A664C347275DE@john.ad.clarku.edu>
@ 2007-12-10 16:09       ` Marco Berizzi
       [not found]         ` <5A630F46702DD1498FFD48394B4A664C347275E0@john.ad.clarku.edu>
  0 siblings, 1 reply; 6+ messages in thread
From: Marco Berizzi @ 2007-12-10 16:09 UTC (permalink / raw)
  To: Brian S Julin, netdev

Brian S Julin wrote:

> Almost clear... why can you not just add "src <ADSL IP>" to
> the fwmark route to set the default source address for locally
> originating packets?

IIRC, it doesn't work because netfilter isn't called
in ip source address selection.


* Re: routing policy based on u32 classifier
  2007-12-10 14:57 ` Brian S Julin
@ 2007-12-10 15:20   ` Marco Berizzi
       [not found]     ` <5A630F46702DD1498FFD48394B4A664C347275DE@john.ad.clarku.edu>
  0 siblings, 1 reply; 6+ messages in thread
From: Marco Berizzi @ 2007-12-10 15:20 UTC (permalink / raw)
  To: Brian S Julin, netdev

Brian S Julin wrote:

> Marco wrote:
>
> > Hello everybody.
> > Kindly, I would like to know if there is any plan to add this feature
> > to a future kernel release.
> > I know that fwmark is able to do this, but there is the limitation
> > in source ip address selection.
>
> Could you explain the limitation?

Indeed.
Here is an example:

    hdsl|  |adsl
    line|  |line
        |  |
      +------+
      |      |
      |SQUID |
      |      |
      +------+
          |
  internal|
    lan   |


The linux default gateway points to the hdsl
router. I want to redirect the squid http
traffic (running on the same host) to the adsl
line. So I create a routing table (adsl table)
and I put a default route to the adsl router.
I mark the http traffic. I insert a rule
based on fwmark which selects the 'adsl table'.
So far, so good. But squid will select the
source ip address from the hdsl network class,
because it is the default gateway.
Then, the locally generated packets must be SNATed
with the adsl ip.
Is it clear?
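The fwmark setup Marco describes above, written out as an added shell example (not code from the thread); the interface name, addresses, table number and mark are assumed placeholders, and RUN defaults to echo so the commands are printed rather than applied:

```shell
#!/bin/sh
# Added example: policy-route locally generated HTTP (squid) traffic over the
# ADSL line using fwmark, as described in the thread. Interface, addresses,
# table number and mark below are assumed placeholders, not values from the list.
ADSL_IF="${ADSL_IF:-eth1}"
ADSL_GW="${ADSL_GW:-192.0.2.1}"
ADSL_IP="${ADSL_IP:-192.0.2.10}"
ADSL_TABLE="${ADSL_TABLE:-100}"
HTTP_MARK="${HTTP_MARK:-1}"
RUN="${RUN:-echo}"   # RUN=echo prints the commands; RUN= applies them (needs root)

setup_adsl_policy_routing() {
    # 1. Separate table whose default route points at the ADSL router.
    $RUN ip route replace default via "$ADSL_GW" dev "$ADSL_IF" table "$ADSL_TABLE"
    # 2. Mark locally originated HTTP in mangle/OUTPUT. Changing the mark there
    #    is what makes the kernel re-run the route lookup for the packet.
    $RUN iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$HTTP_MARK"
    # 3. Rule that sends marked packets to the ADSL table.
    $RUN ip rule add fwmark "$HTTP_MARK" table "$ADSL_TABLE"
    # 4. The socket already chose its source address from the HDSL network
    #    (the main-table default) before the mark existed, so "src" on the
    #    ADSL route does not help: rewrite the source on the way out instead.
    $RUN iptables -t nat -A POSTROUTING -o "$ADSL_IF" -j SNAT --to-source "$ADSL_IP"
}

# Removes the same four objects so the change can be backed out.
teardown_adsl_policy_routing() {
    $RUN iptables -t nat -D POSTROUTING -o "$ADSL_IF" -j SNAT --to-source "$ADSL_IP"
    $RUN ip rule del fwmark "$HTTP_MARK" table "$ADSL_TABLE"
    $RUN iptables -t mangle -D OUTPUT -p tcp --dport 80 -j MARK --set-mark "$HTTP_MARK"
    $RUN ip route flush table "$ADSL_TABLE"
}

case "${1:-}" in
    setup)    setup_adsl_policy_routing ;;
    teardown) teardown_adsl_policy_routing ;;
esac
```

Run `sh script.sh setup` to see the commands, and `RUN= sh script.sh setup` as root to apply them.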


* RE: routing policy based on u32 classifier
  2007-12-10  9:22 Marco Berizzi
@ 2007-12-10 14:57 ` Brian S Julin
  2007-12-10 15:20   ` Marco Berizzi
  0 siblings, 1 reply; 6+ messages in thread
From: Brian S Julin @ 2007-12-10 14:57 UTC (permalink / raw)
  To: Marco Berizzi, netdev



Marco wrote:

> Hello everybody.
> Kindly, I would like to know if there is any plan to add this feature to a future kernel release.
> I know that fwmark is able to do this, but there is the limitation in source ip address selection.

Could you explain the limitation?  My iptables manpage seems to suggest
that u32 is pretty general.  Are you just asking if the pom-ng ipt_u32
will be mainlined?

* routing policy based on u32 classifier
@ 2007-12-10  9:22 Marco Berizzi
  2007-12-10 14:57 ` Brian S Julin
  0 siblings, 1 reply; 6+ messages in thread
From: Marco Berizzi @ 2007-12-10  9:22 UTC (permalink / raw)
  To: netdev

Hello everybody.
Kindly, I would like to know if there is any plan
to add this feature to a future kernel release.
I know that fwmark is able to do this, but there
is the limitation in source ip address selection.

TIA
