Re: Kernel Routing sequence
From: Henrik Nordstrom
Date: Mon Aug 15 2005 - 15:53:59 EST
On Mon, 15 Aug 2005, Al Boldi wrote:
> Soininen Jonne (Nokia-NET/Helsinki) wrote:
>> Al, why are you worried that the echo reply goes out from a
>> different interface? It might be easier to understand what you want
>> if we would understand the problem.
> The problem is that the kernel is routing according to a fixed view of
> allowed subnets, ie: overlapping subnets are not treated distinctly.
> It should be possible for the kernel to detect an IP subnet-collision
> on packet pickup, something like:
> eth0 is listening on 10.0.0.0/8
> eth0 picks up 10.0.1.2 on 10.0.0.0/8
> kernel checks the route table
> kernel discovers collision with 10.0.1.0/24 on eth1
> kernel adds 10.0.1.2/32 route on eth0 to ensure correct routing for
And what do you propose it is supposed to do when it later sees a packet
from 10.0.1.2 on eth1?
What you are looking for above is policy routing as mentioned numerous
times in this discussion. With policy routing you simply define that
return traffic from 10.0.0.1 (eth1) to 10.X goes out on eth0 and things
just work with the only restriction that clients on eth1 (10.0.1.2/24)
should talk to 10.0.1.2 and clients on eth0 (10.0.0.1/8) should talk to
The Linux kernel is not at all fixed in these views, but the default view
is that one subnet exists in a single place only. If your network policy
does not fit this for whatever reason then policy based routing can often
solve your routing needs. And when policy routing alone is not sufficient
iptables MARK and CONNMARK can help provide additional feedback to the
routing based on previous events seen for the traffic flow.
If policy based routing + CONNMARK cannot solve your problem then you are
way too deep out in a big mess and really should consider redesigning
the network, or when that is not possible how you connect to it.
If you at all need to look at these features (policy routing and
especially in combination with CONNMARK) then you are already in quite
deep murky waters, and should consider redesigning your network.
But all of this can be adjusted to your liking. Even the hard restriction
mentioned earlier that no clients may use an address which is assigned to
a local interface. It is mostly a matter of making your routing policy
correct. You can even run a Linux box with the same IP (let's say
172.16.0.1) assigned on two different interfaces each connecting to
different client networks both sharing another IP (let's say 172.16.0.2).
There are only some restrictions on TCP/IP reliability in such
configurations if the clients happen to select the same client side port
in their connections to the server, but most of the time it just works.
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
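The policy-routing plus CONNMARK arrangement Henrik describes, written out as an added example (this script is not from the thread or from any of its participants). Interface names, addresses, mark values, table numbers and the rp_filter step are assumptions chosen to match the overlapping-subnet setup discussed above: eth0 carries 10.0.0.1/8 and eth1 carries 10.0.1.1/24, so a reply to a host such as 10.0.1.2 that was seen on eth0 would, by longest-prefix match in the main table, leave via eth1. The script tags each new connection with the interface it arrived on, copies that tag back onto reply packets, and lets an fwmark rule pick a per-interface routing table instead of the destination-based main table.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumed layout:
#   eth0  10.0.0.1/8     whole 10/8 reachable here
#   eth1  10.0.1.1/24    a /24 that also lies inside 10.0.0.0/8
# Marks (0x1, 0x2) and tables (100, 200) are arbitrary illustrative choices.

DRY_RUN="${DRY_RUN:-0}"

run() {
    # Print the command in dry-run mode, execute it otherwise (needs root).
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_policy_routing() {
    # One spec per interface: ingress interface, its subnet, connmark, table.
    for spec in "eth0 10.0.0.0/8 0x1 100" "eth1 10.0.1.0/24 0x2 200"; do
        set -- $spec
        ifname=$1 subnet=$2 mark=$3 table=$4

        # 1. Remember, per connection, which interface the first packet came in on.
        run iptables -t mangle -A PREROUTING -i "$ifname" \
            -m conntrack --ctstate NEW -j CONNMARK --set-mark "$mark"

        # 2. Packets carrying that mark use a table that only knows this interface,
        #    so the reply goes back where the request came from. A miss in the
        #    per-interface table falls through to the main table as usual.
        run ip rule add fwmark "$mark" lookup "$table"
        run ip route add "$subnet" dev "$ifname" table "$table"

        # 3. Caveat: the reverse-path filter would drop a 10.0.1.x source arriving on
        #    eth0, because the main table says 10.0.1.0/24 lives on eth1.
        run sysctl -q -w "net.ipv4.conf.$ifname.rp_filter=0"
    done

    # Copy the connection mark back onto each packet before the routing decision:
    # OUTPUT covers replies generated locally (e.g. echo reply), PREROUTING covers
    # forwarded traffic. Changing the mark in OUTPUT triggers a re-route.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
}

# Usage: DRY_RUN=1 sh policy-routing.sh --apply   (print the commands)
#        sh policy-routing.sh --apply             (apply them, as root)
if [ "${1:-}" = "--apply" ]; then setup_policy_routing; fi
```

This works because conntrack sees the first packet of each flow, so even ICMP echo request/reply pairs get a consistent mark; it does not remove the restriction Henrik states, that each client must talk to the address belonging to the interface it is actually attached to.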