Re: 2.4.23 masquerading broken? key.oif = 0;

[Martin Josefsson]

On Tue, 9 Dec 2003, Neal Stephenson wrote:

> iptables -t mangle -A PREROUTING --protocol tcp --destination-port 80 -j
> MARK --set-mark 0x932
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> ip rule add pri 424 iif eth0 fwmark 0x932 table symp
>
> 	and this is what shows up in dmesg
>
> MASQUERADE: Route sent us somewhere else.
>
> 	Any suggestions appreciated,

Try adding "-i eth0" to the mangle/PREROUTING rule
and remove "iif eth0" in the iproute rule.

I think the problem is that when the packet is routed it follows the
iproute rule and goes to the "symp" table.
But when ipt_MASQUERADE.c does another lookup to get the local
source-address of the route that this packet will match we don't have the
input-interface anymore, and thus matches another rule/route. So change
the fwmark to include the input interface.

This is just a theory, I know too little about your routingtables to say
anything more specific.

(The earlier behaviour was incorrect, ipt_MASQUERADE.c ignored
policy-routing which broke things. Now it should be a lot more sane, but
does unexpected things in some cases, like yours :)

/Martin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/