I really believe this is a BUG, tell me if I'm wrong please. If I add a routing info in adsl table that forces *all* packets for test_ip to go through isdn router I do see icmp reply.
If I don't add 'ip route add host IP ...' the packets go the same way (because of 'ip rule fwmark stuff' + ip -t mangle...) but then they don't show up (ie: they come back, but are discarded, as explained below)

sandro
*%-/

> when pinging a test host I see 'icmp reply' getting back with tcpdump but
> ping doesn't show them. What is in the middle (between tcpdump and ping)?
>
>
>
> The setup
> ---------
>
> I have a firewall with 2 gateways, adsl and isdn. Main gateway is via
> adsl, backup via isdn. I set up 2 tables 'adsl' and 'isdn'. You can find a
> description below.
>
> I made a script to test both tables. That mainly
> 1. adds an
>    iptables -t mangle -A OUTPUT -d my_test_ping_node -j MARK --set-mark 3
> 2. adds:
>    ip rule add fwmark 3 table isdn
> 3. ip route flush cloned
> 4. ping to my_test_ping_node (here 217.27.90.70)
>
>
> I correctly obtain that ping packets go to the router, reach the test,
> get back to the interface... but ping doesn't show anything
>
>
> I see them w/ tcpdump on the firewall:
>
> 12:42:00.671314 IP 192.168.111.1 > 217.27.90.70: icmp 64: echo request seq 1
> 12:42:00.720840 IP 217.27.90.70 > 192.168.111.1: icmp 64: echo reply seq 1
>
> I'm sure I'm not firewalling (I use log, and nothing gets logged). If I
> change default route to isdn, ping works correctly.
>
> This is not the first time I get into this situation, but I never
> understood what solved it.
>
> I'm convinced it is a routing problem, but I'm clueless: what can it be in
> between the packet as seen by tcpdump and the fact that ping shows it?
>
> Why should the kernel fail understanding it is for itself?
>
> Is there a way to see which rule a packet is really using?
>
> Thanks a lot for any possible explanation
> sandro
> *:-)
>
>
> lo: 127.0.0.1/8
> [eth0]:
> eth1: 192.168.11.254/24
> eth2: 80.20.60.252/29 ==> GW 80.20.60.249 - main adsl
> eth3: 192.168.111.1/24 ==> GW 192.168.111.254 - isdn
> [eth4]:
>
> ### TABLE main:
>
> 80.20.60.248/29 dev eth2 proto kernel scope link src 80.20.60.252
> 192.168.111.0/24 dev eth3 proto kernel scope link src 192.168.111.1
> 192.168.11.0/24 dev eth1 proto kernel scope link src 192.168.11.254
> default via 80.20.60.249 dev eth2
>
> ### TABLE adsl:
> 80.20.60.248/29 dev eth2 scope link src 80.20.60.252
> 192.168.111.0/24 dev eth3 scope link src 192.168.111.1
> 192.168.11.0/24 dev eth1 scope link src 192.168.11.254
> default via 80.20.60.249 dev eth2
>
> ### TABLE isdn:
> 80.20.60.248/29 dev eth2 scope link src 80.20.60.252
> 192.168.111.0/24 dev eth3 scope link src 192.168.111.1
> 192.168.11.0/24 dev eth1 scope link src 192.168.11.254
> default via 192.168.111.254 dev eth3
>
> ### RULES:
>
> 0: from all lookup local
> 39: from all fwmark 0x3 lookup isdn
> 40: from 80.20.60.248/29 lookup adsl
> 41: from 192.168.111.0/24 lookup isdn
> 48: from 192.168.11.0/24 lookup adsl
> 50: from all iif eth3 lookup isdn
> 52: from all iif eth2 lookup adsl
> 32766: from all lookup main
> 32767: from all lookup default
>
>
>
>
> --
> Sandro Dentella *:-)
> e-mail: [EMAIL PROTECTED]
> http://www.tksql.org TkSQL Home page - My GPL work
> -
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to [EMAIL PROTECTED]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
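
On the question of which rule a packet is really using: the sketch below is an added example, not part of the original message, that models the first-match walk over the rules and tables listed in the post. The function name `lookup`, the contents of the `local` table and the empty `default` table are assumptions.

```python
import ipaddress as ipa

# Rules from the post's RULES listing: (priority, from, fwmark, iif, table).
RULES = [
    (0, None, None, None, "local"),
    (39, None, 3, None, "isdn"),
    (40, "80.20.60.248/29", None, None, "adsl"),
    (41, "192.168.111.0/24", None, None, "isdn"),
    (48, "192.168.11.0/24", None, None, "adsl"),
    (50, None, None, "eth3", "isdn"),
    (52, None, None, "eth2", "adsl"),
    (32766, None, None, None, "main"),
    (32767, None, None, None, "default"),
]
# Connected routes shared by main, adsl and isdn: (prefix, dev, gateway).
LINK = [("80.20.60.248/29", "eth2", None),
        ("192.168.111.0/24", "eth3", None),
        ("192.168.11.0/24", "eth1", None)]
TABLES = {
    # Assumption: local holds only the interface addresses listed in the post.
    "local": [("127.0.0.0/8", "lo", None), ("192.168.11.254/32", "eth1", None),
              ("80.20.60.252/32", "eth2", None), ("192.168.111.1/32", "eth3", None)],
    "main": LINK + [("0.0.0.0/0", "eth2", "80.20.60.249")],
    "adsl": LINK + [("0.0.0.0/0", "eth2", "80.20.60.249")],
    "isdn": LINK + [("0.0.0.0/0", "eth3", "192.168.111.254")],
    "default": [],  # assumed empty
}

def lookup(dst, src=None, mark=0, iif=None):
    """Walk the rules in priority order; return (priority, table, dev, gateway)
    for the first matching rule whose table has a route to dst, else None."""
    d = ipa.ip_address(dst)
    for prio, frm, fwmark, rule_iif, table in RULES:
        # A "from" selector never matches a packet whose source is still unset.
        if frm and (src is None or ipa.ip_address(src) not in ipa.ip_network(frm)):
            continue
        if fwmark is not None and fwmark != mark:
            continue
        if rule_iif and rule_iif != iif:
            continue
        hits = [r for r in TABLES[table] if d in ipa.ip_network(r[0])]
        if hits:  # longest prefix wins inside a table; no hit falls through
            net, dev, gw = max(hits, key=lambda r: ipa.ip_network(r[0]).prefixlen)
            return prio, table, dev, gw
    return None

if __name__ == "__main__":
    print(lookup("217.27.90.70", mark=3))               # marked, source unset
    print(lookup("217.27.90.70"))                       # same destination, no mark
    print(lookup("217.27.90.70", src="192.168.111.1"))  # source already bound
    print(lookup("192.168.111.1", src="217.27.90.70", iif="eth3"))  # echo reply
```

On a live system, `ip route get 217.27.90.70 mark 3` puts the same question to the kernel itself.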