On Sat, 2007-02-10 at 02:29 +0000, Andrew Suffield wrote:
> Not directly AFAIK - the destination address is used only to consider
> whether the source address is routable (ie, if you're using source
> routing). 'Martian' is conceptually a collection of vaguely related
> objections to the source address.
Right.
> Only if it didn't match any other routes
Ahhh. This switches on a lightbulb above my head...
> From one
> of your earlier mails, don't you have a source route for 66.11.173.224
> that sends it out ppp0?
I don't think so.
But given this concept of "Only if it didn't match any other routes" and
the fact that at times I will get these martian errors and other times
not, for the exact same packet sequence, check this out...
# ip route get 64.86.88.116
64.86.88.116 via 192.168.200.1 dev ppp0 src 66.11.173.224
    cache mtu 1452 advmss 1412 metric 10 64
# ip route get 64.86.88.116
64.86.88.116 via 192.168.200.1 dev ppp0 src 66.11.173.224
    cache mtu 1452 advmss 1412 metric 10 64
# ip route get 64.86.88.116
64.86.88.116 via 192.168.200.1 dev ppp0 src 66.11.173.224
    cache mtu 1452 advmss 1412 metric 10 64
# ip route get 64.86.88.116
64.86.88.116 via 192.168.200.1 dev ppp0 src 72.38.184.236
    cache mtu 1452 advmss 1412 metric 10 64

That is simply executing the same command over and over again over a
period of about 10-15 seconds. This appears to be the dual default
route and load balancing at play... choosing a different default route
at different times.

If the kernel does essentially the same as this "ip route get" when
determining if an inbound packet is routable through the interface it
came in on I can see how it would fail and think it's a martian.

What might be happening is that at a moment in time when the kernel is
seeing the ppp0 route as the default and shorewall is defeating that
default route through the FAQ #58 "forcing a default" route (i.e.
through tcrules) it could determine that a packet arriving on eth1 is
martian.

Sound too funky?

b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
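
Added example (not part of the original message): a shell helper that tallies which device and source address repeated "ip route get" lookups select, so a flapping choice like the one shown in the message is easy to spot. The function names are made up for this example, and the sample input is the four lookup lines quoted in the message.

```shell
#!/bin/sh
# Added example: summarise repeated `ip route get` lookups for one destination.
# Function names are hypothetical; only standard awk/sort/iproute2 are used.

# Read `ip route get` output on stdin and print "count dev src" for each
# distinct selection, most frequent first. Continuation ("cache ...") lines
# carry neither keyword and are skipped.
summarise_lookups() {
    awk '
        {
            dev = ""; src = ""
            for (i = 1; i < NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "src") src = $(i + 1)
            }
            if (dev != "" && src != "") seen[dev " " src]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -rn
}

# Succeeds only when every lookup on stdin picked the same dev/src pair.
lookups_stable() {
    summarise_lookups | awk 'END { exit (NR > 1) }'
}

# Run N live lookups, one per second (needs iproute2; not called by default).
sample_lookups() {
    dst=$1
    n=${2:-20}
    while [ "$n" -gt 0 ]; do
        ip route get "$dst"
        n=$((n - 1))
        sleep 1
    done
}

# Sample input: the four lookup lines from the message, cache lines omitted.
PAGE_SAMPLE='64.86.88.116 via 192.168.200.1 dev ppp0 src 66.11.173.224
64.86.88.116 via 192.168.200.1 dev ppp0 src 66.11.173.224
64.86.88.116 via 192.168.200.1 dev ppp0 src 66.11.173.224
64.86.88.116 via 192.168.200.1 dev ppp0 src 72.38.184.236'

printf '%s\n' "$PAGE_SAMPLE" | summarise_lookups
```

On a live router, "sample_lookups 64.86.88.116 | summarise_lookups" gives the same tally for real lookups; more than one output line means the selection changed during the sampling window.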
