On 09/02/2015 01:31 PM, Gianfranco Casanova wrote:
>> On 02 Sep 2015, at 12:09, Daniel Wagner <[email protected]> wrote:
>> The reason why we need to send the packets through SNAT is that the
>> rerouting lookup will only happen if the packets have been touched by
>> the SNAT rule. It is a workaround.
>
> This is the reason why I was trying to see if the SNAT can also be
> avoided, forcing the correct src since the beginning.

No, SNAT can't be avoided in the current setup. The routing lookup
happens before the marking.

>> BTW, cgroups allow to attach eBPF since quite recently. With that we
>> could write an eBPF which sets the marker for all applications in a
>> given cgroup. The policy routing table would just work fine, no need to
>> do the trick via SNAT to get through the rerouting.
>
> For this I'm not sure; it looks to me the MARKING can just mark
> packets; if the wrong SRC is used they are not rerouted afterward.

I think you confuse stuff here a bit. Marking, routing and rerouting
happen in a well defined order.

with SNAT:

  routing -> marking (iptables) -> SNAT -> rerouting

as you can see, the first routing is overwritten later by rerouting, but
only if SNAT is involved.

with eBPF (sets the socket option):

  marking (SO_MARK) -> routing

You can test that by writing a simple test program which sets SO_MARK
correctly, and you don't need the iptables magic at all.

_______________________________________________
connman mailing list
https://lists.connman.net/mailman/listinfo/connman
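The kind of test program the reply suggests, as an added example that is not code from the thread or from connman: the socket is marked with SO_MARK before connect(), so the kernel's route lookup already sees the fwmark and selects the source address from the policy table, with no SNAT rerouting involved. The mark value 0x64 and the matching `ip rule` are assumptions.

```c
/* Added example, not code from the connman thread: a socket marked with
 * SO_MARK carries its fwmark *before* the kernel's route lookup, which is the
 * eBPF/socket-option ordering described above and needs no SNAT rerouting.
 * Linux only; setting SO_MARK needs CAP_NET_ADMIN (EPERM otherwise).
 * Matching policy rule (assumed): ip rule add fwmark 0x64 lookup 100 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Set the fwmark on fd; returns 0, or -errno (-EPERM when unprivileged). */
int set_socket_mark(int fd, uint32_t mark)
{
	return setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark)) < 0 ? -errno : 0;
}

/* Read the fwmark back from fd; returns 0 or -errno. */
int get_socket_mark(int fd, uint32_t *mark)
{
	socklen_t len = sizeof(*mark);
	return getsockopt(fd, SOL_SOCKET, SO_MARK, mark, &len) < 0 ? -errno : 0;
}

/* Source address the kernel selects towards dst once the socket carries mark.
 * connect() on a UDP socket only performs the route lookup; nothing is sent.
 * mark == 0 leaves the socket unmarked, so that case runs unprivileged too. */
int source_for_mark(const char *dst, uint32_t mark, char *out, size_t outlen)
{
	struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(9) };
	struct sockaddr_in local;
	socklen_t llen = sizeof(local);
	int fd, rc = 0;

	if (inet_pton(AF_INET, dst, &sa.sin_addr) != 1)
		return -EINVAL;
	if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
		return -errno;
	if (mark != 0 && (rc = set_socket_mark(fd, mark)) < 0)
		goto out;
	/* route lookup happens here, with the mark already on the socket */
	if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
	    getsockname(fd, (struct sockaddr *)&local, &llen) < 0 ||
	    !inet_ntop(AF_INET, &local.sin_addr, out, (socklen_t)outlen))
		rc = -errno;
out:
	close(fd);
	return rc;
}
```

Run as root with the policy rule in place and compare `source_for_mark(dst, 0x64, ...)` against the unmarked call; the source address differs exactly when the fwmark table chose a different route.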
