Ming-Ching Tiew wrote:
From: "KOVACS Krisztian" <hidden@sch.bme.hu>
Could you try if applying the attached patch on top of 4.0.3 helps you with SNAT? (The patch is completely untested but at the moment I can't do any testing.)
I have got more conclusive testing results now after doing further isolation of the problem:
1. The packet path for SNAT works now.
2. The packet path without SNAT has a problem working together with the 'mangle' table OUTPUT chain (maybe also with other chains in the mangle table as well).
It happens that I have an iptables command which marks the packets on the OUTPUT chain, and then squid will fail to work. If I flush the entire OUTPUT chain in the mangle table, then squid will work.
However, I am doing policy routing, and I hope to use the fwmark to route the packets accordingly.
I guess it is because tproxy is sharing the mark values with all other packet marks, and as soon as something else is making a mark, it will mess up tproxy?
In 4.0.3 the fwmark is not used by tproxy; another value is used for it: sk_buff.tproxy. With the tproxy match it should work; currently I don't see what can be the problem. The policy/fwmark usage is probably independent from it.
-- Panther