netdev.vger.kernel.org archive mirror
Subject: netfilter masquerade source address selection doesn't account for PBR
From: Christoph Grenz @ 2022-03-21  0:42 UTC (permalink / raw)
  To: netdev

Hello,

I noticed that the masquerade target for IPv4 doesn't account for policy-based 
routing when selecting the new source address.

E.g. if you have two public IP addresses 203.0.113.1 and 203.0.113.2 
configured and masquerade traffic coming from interfaces veth0 and veth1 and 
you want to select the outgoing public IP address based on the incoming 
interface, then neither of these command pairs influences the source address 
selection:

ip route add default via [...] src 203.0.113.2 table 101
ip rule add iif veth1 table 101 priority 101

ip route add default via [...] src 203.0.113.2 table 101
ip rule add from 192.168.1.0/24 table 101 priority 101

As far as I read the code, the source address is selected in 
nf_nat_masquerade.c using

newsrc = inet_select_addr(out, nh, RT_SCOPE_UNIVERSE);

and this seems to select an address as it would for a locally generated 
packet. Policies other than the preferred source address take effect as they 
are handled elsewhere.

The only workaround I found is explicitly using SNAT instead of MASQ.

Is this an oversight or expected behavior?

Best regards
Christoph Grenz
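As an added illustration of the workaround named in the post (explicit SNAT rather than MASQUERADE), and not part of the original message, the script below renders the routing policy from the post next to two nftables rulesets: the masquerade form, whose address choice is made by inet_select_addr() on the output device and so ignores the "src" hint in table 101, and the SNAT form, which picks the public address explicitly from the same criterion the ip rule uses (the source subnet). The egress interface eth0, the gateway 203.0.113.254, the veth1 subnet 192.168.1.0/24 and the nftables syntax are assumptions; the post only shows the iptables masquerade target and the ip commands. Nothing is applied unless APPLY_NAT=1 is set, so the functions can be inspected safely on any host.

```shell
#!/bin/sh
# Added example, not code from the original post or from the netfilter project.
# Assumed topology: veth0/veth1 are internal interfaces, eth0 carries both
# public addresses, 192.168.1.0/24 sits behind veth1. The gateway is a
# placeholder because the post elides it as "[...]".
WAN_IF="eth0"
GATEWAY="203.0.113.254"
PUBLIC_IP0="203.0.113.1"
PUBLIC_IP1="203.0.113.2"
VETH1_NET="192.168.1.0/24"

# Policy routing from the post: packets from VETH1_NET use table 101, whose
# default route carries the preferred source PUBLIC_IP1. This hint is only
# consulted for locally generated traffic; MASQUERADE does not see it.
pbr_commands() {
    cat <<EOF
ip route add default via $GATEWAY dev $WAN_IF src $PUBLIC_IP1 table 101
ip rule add from $VETH1_NET table 101 priority 101
EOF
}

# Masquerade form: every forwarded flow leaving WAN_IF gets the address that
# inet_select_addr() returns for that device, regardless of table 101.
masquerade_ruleset() {
    cat <<EOF
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# SNAT form (the workaround): the address is chosen by the same criterion the
# ip rule uses. snat is a terminal statement, so the specific rule comes first
# and the catch-all handles everything else (e.g. traffic from veth0).
snat_ruleset() {
    cat <<EOF
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $VETH1_NET oifname "$WAN_IF" snat to $PUBLIC_IP1
        oifname "$WAN_IF" snat to $PUBLIC_IP0
    }
}
EOF
}

# Returns the public address the SNAT ruleset would assign to a packet from
# the given source subnet, by reading the rendered rules in order. Lets the
# mapping be checked without loading anything into the kernel.
snat_address_for() {
    src="$1"
    snat_ruleset | grep 'snat to' | while read -r rule; do
        case "$rule" in
            "ip saddr $src "*) echo "$rule" | sed 's/.*snat to //'; break ;;
            "oifname "*)       echo "$rule" | sed 's/.*snat to //'; break ;;
        esac
    done
}

# Apply only on explicit request; requires root, iproute2 and nft.
if [ "${APPLY_NAT:-0}" = "1" ]; then
    pbr_commands | sh
    snat_ruleset | nft -f -
fi
```

The iptables equivalent of the specific SNAT line is `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.2`; the point in both syntaxes is that the address selection is written into the NAT rule itself instead of being derived from the routing lookup.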
