Cedric de Launois
delaunois at info.ucl.ac.be
Mon Jan 10 11:07:42 CET 2005
On Friday 07 January 2005 at 05:01 +0200, Tadas wrote:
Hi, comments below...
> I am using your iptables ROUTE module quite much, it is very useful thing
> which allows to do what most of people can't even imagine.
> I prefer to use iptables route instead of linux native routing, because it
> is more flexible. --tee option should allow to fix multicast routing problem
> now there is no way to route such traffic on linux
You should also direct your mail to Patrick Schaaf, who coded the --tee
> But something is wrong with --tee option, as I understand it should not
> affect anything, but packet disappears instead, and goes nowhere.
> everything else is working. I am using little old kernel 2.4.22 but that
> should not be problem.
> I used latest source code from CVS
> also seems this module somehow incorrectly handle multicast traffic, even
> without tee option it should be able to forward it,
> but I don't see anything on other side.
> I am not sure is there are no other problems, why this don't work. So I will
> check everything again, but seems there are some problems with ROUTE module
This option wasn't intended to solve multicast routing issues,
so I'm not surprised by your problems.
> Now I did not have time to fix these problems myself, you probably can do
> that much easier, because you know better your own code.
> also I think one more option is needed: now tee can only copy and send
> immediately, what is not enough, because it may be necessary to mangle packet
> before sending.
> the most easy way is to send copied packet to some iptables chain instead of
> sending to interface. probably this is even more easy to implement. and much
> more flexible.
> because we can mark and route that copy anytime then.
My feeling is also that we need something more flexible, like a target that
duplicates a packet and sets a mark to it, so that further rules can be applied.
Patrick: would this kind of target fill your needs?
> I am going to write some iptables extensions too, but little later.
What about a 'DUP' target ?