Source address assignment

Vries, Rein de rjfdevries@seneca.nl
Thu, 2 Aug 2001 11:22:17 +0200


Dear,

In Section 3 of Rusty Russell's Linux netfilter Hacking HOWTO it is stated
that the routing code is called _BEFORE_ the NF_IP_LOCAL_OUT hook, in order
to assign a source address to a packet issued by e.g. squid or any other
daemon issuing packets to the network.

Is this really true, or am I misinterpreting this section?

If this is the reality, I would like to make a suggestion to the developers
of netfilter/iptables: allow marking (fwmark) before the source address is
assigned.
The reason for this suggestion is the following. I would like to be able to
route traffic generated by proxies on my firewall on the basis of destination
port in combination with destination address. It could/should work like this
(the IP addresses are 'random'):

boris:/etc/iproute2 # ip rule
0:      from all lookup local 
3000:   from all lookup main 
4000:   from all fwmark        1 lookup internet_connection_2 
5000:   from all lookup internet_connection_main 

boris:/etc/iproute2 # ip route show table main
212.241.155.96/28 dev eth2  proto kernel  scope link  src 212.241.155.110 
195.156.176.240/28 dev eth0  proto kernel  scope link  src 195.156.176.242 
192.31.141.0/24 dev eth1  proto kernel  scope link  src 192.31.141.17 
172.16.0.0/16 dev eth3  proto kernel  scope link  src 172.16.0.1 

boris:/etc/iproute2 # ip route show table internet_connection_main 
default via 195.156.176.254 dev eth0 

boris:/etc/iproute2 # ip route show table internet_connection_2
default via 212.241.155.97 dev eth2 

boris:/etc/iproute2 # iptables -t mangle -vnL
Chain PREROUTING (policy ACCEPT 5000970 packets, 3216012435 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5786895 packets, 3088500583 bytes)
 pkts bytes target     prot opt in     out     source               destination
1324K   85M MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80 MARK set 0x1

-> So HTTP packets not destined to local subnets pass rule 0 and 3000 and
are (wishful thinking) sent by rule 4000 over the second internet connection
(internet_connection_2), not the main (default) one. Rule 5000 above is the
"gateway of last resort" catcher. Rule 3000 (table main) routes anything
destined to the local subnets (connected to the firewall).

HTTP packets from squid destined to a webserver on e.g. subnet
195.156.176.240/28 (local!) should have 195.156.176.242 as their source
address. HTTP packets from squid destined to the internet and travelling over
the second internet connection should have 212.241.155.110 as their source
address. Marking first and then calling the routing code, respecting the
fwmark rule, should assign the right address to the packets issued by squid.
Or not?

Anyone?

Cheers,

Rein

-------------------------
Seneca Groep, Elektronicaweg 31, 2628 XG  DELFT
T: 015 2513700, F: 015 2513701, M: 06 2001 1493
E: rjfdevries@seneca.nl, W: www.seneca.nl
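The ordering question in the post, worked through as an added example (this is not code from the post, from the netfilter project, or from the kernel): a small Python model of the rule/table lookup that "ip rule" and "ip route" describe, with fwmark selectors and preferred-source selection, loaded with the exact rules and tables printed above. It shows what address a locally generated packet gets when the mark is visible to the route lookup, versus when the source was already fixed by an unmarked lookup and the mark is applied afterwards. The interface addresses are taken from the "src" hints in table main; the destination 1.2.3.4 and the scope/local-table simplifications are my assumptions for the model.

```python
# Added example (not the post's, the netfilter project's, or the kernel's code):
# a model of Linux policy routing as described by "ip rule" / "ip route",
# built from the tables in the post, to show in which order marking and the
# route lookup must happen for the source address to follow the fwmark rule.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    src: Optional[str] = None   # explicit "src" preferred source on the route
    via: Optional[str] = None   # next hop, informational only in this model


@dataclass
class Rule:
    prio: int
    table: str
    fwmark: Optional[int] = None  # None means "from all", no mark selector


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


DEFAULT = net("0.0.0.0/0")

# Tables exactly as printed by "ip route show table ..." in the post.
# The local table (host routes for the box's own addresses) is left empty:
# the model only routes traffic that leaves the box (assumption).
TABLES: Dict[str, List[Route]] = {
    "local": [],
    "main": [
        Route(net("212.241.155.96/28"), "eth2", src="212.241.155.110"),
        Route(net("195.156.176.240/28"), "eth0", src="195.156.176.242"),
        Route(net("192.31.141.0/24"), "eth1", src="192.31.141.17"),
        Route(net("172.16.0.0/16"), "eth3", src="172.16.0.1"),
    ],
    "internet_connection_main": [Route(DEFAULT, "eth0", via="195.156.176.254")],
    "internet_connection_2": [Route(DEFAULT, "eth2", via="212.241.155.97")],
}

# "ip rule" from the post, in priority order.
RULES: List[Rule] = [
    Rule(0, "local"),
    Rule(3000, "main"),
    Rule(4000, "internet_connection_2", fwmark=1),
    Rule(5000, "internet_connection_main"),
]

# Primary address per interface (from the src hints in table main); used when
# the selected route carries no src of its own, as both default routes do.
IFACE_ADDR = {
    "eth0": "195.156.176.242", "eth1": "192.31.141.17",
    "eth2": "212.241.155.110", "eth3": "172.16.0.1",
}


def longest_match(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one table."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route_lookup(dst: str, mark: int = 0) -> Tuple[str, Route]:
    """Walk the rules by priority; the first table holding a match wins."""
    addr = ipaddress.ip_address(dst)
    for rule in sorted(RULES, key=lambda r: r.prio):
        if rule.fwmark is not None and rule.fwmark != mark:
            continue
        hit = longest_match(TABLES[rule.table], addr)
        if hit is not None:
            return rule.table, hit
    raise LookupError(f"no route to {dst}")


def preferred_source(route: Route) -> str:
    return route.src or IFACE_ADDR[route.dev]


def mangle_output_mark(proto: str, dport: int) -> int:
    """The post's single mangle OUTPUT rule: tcp dpt:80 -> MARK set 0x1."""
    return 1 if (proto == "tcp" and dport == 80) else 0


def egress(dst: str, proto: str, dport: int, mark_before_routing: bool) -> Tuple[str, str, str]:
    """Return (table, out_dev, src) for a packet the firewall itself generates."""
    mark = mangle_output_mark(proto, dport)
    if mark_before_routing:
        table, route = route_lookup(dst, mark)
        return table, route.dev, preferred_source(route)
    # Source already fixed by an unmarked lookup; a later marked lookup may
    # still pick the path, but it cannot change the address already chosen.
    _, first = route_lookup(dst, 0)
    table, route = route_lookup(dst, mark)
    return table, route.dev, preferred_source(first)


if __name__ == "__main__":
    for dst, port, before in [("1.2.3.4", 80, True), ("1.2.3.4", 80, False),
                              ("195.156.176.245", 80, True), ("1.2.3.4", 443, True)]:
        print(dst, port, "mark-first" if before else "route-first", egress(dst, "tcp", port, before))
```

Running it shows the two cases the post cares about: with the mark consulted by the lookup, HTTP to the internet leaves eth2 with 212.241.155.110 and HTTP to the local /28 still leaves eth0 with 195.156.176.242 (rule 3000 wins before the fwmark rule is even reached); with the source fixed before marking, the packet may be steered out eth2 but carries eth0's address. For a TCP client such as squid the source address is chosen at connect() time, before any packet reaches the mangle OUTPUT chain, which is the situation the second branch models.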