Re: [tproxy] [tproxy,regression] tproxy broken in 2.6.32
Hi,

On szo, nov 28, 2009 at 10:45:57 -0500, jamal wrote:
However, with your change, and because of the ip rule above not being specific enough now it's returning with type RTN_LOCAL, and that's considered invalid and thus the skb is dropped.
Well, since we are validating a source address - only unicast routes are legitimate imo, i.e. it was wrong to allow local before.
The workaround is using more specific ip rules that include the ingress interface name:
# ip rule add dev eth0 fwmark 1 lookup 100
Or adding routes into table 100 with type "unicast" would do it as well.
Well, the only route we're interested in is the following (see Documentation/networking/tproxy.txt for the details):

ip route add local 0.0.0.0/0 dev lo table 100

Adding a unicast route is not really an option, so I'd say the only workaround is modifying rules to include the ingress device names.

-- 
KOVACS Krisztian
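
The interaction discussed in this message, as an added Python model that is not part of the original thread and is not kernel code: it shows why the source-validation lookup lands on the `local` route in table 100 with the broad rule, and why a rule that names the ingress device avoids it. It assumes the reverse lookup carries the packet's fwmark but no ingress interface; the addresses, the contents of the `main` table, and the names `fib_lookup` and `validate_source` are constructed for illustration.

```python
import ipaddress

# Constructed policy-routing model. Each rule: fwmark / iif selectors and a table.
RULES_BROAD = [
    {"fwmark": 1, "iif": None, "table": 100},       # ip rule add fwmark 1 lookup 100
    {"fwmark": None, "iif": None, "table": "main"},
]
RULES_SPECIFIC = [
    {"fwmark": 1, "iif": "eth0", "table": 100},     # ip rule add dev eth0 fwmark 1 lookup 100
    {"fwmark": None, "iif": None, "table": "main"},
]
TABLES = {
    100: [("0.0.0.0/0", "local", "lo")],            # ip route add local 0.0.0.0/0 dev lo table 100
    "main": [("192.0.2.0/24", "unicast", "eth0"),   # constructed main table
             ("0.0.0.0/0", "unicast", "eth0")],
}

def fib_lookup(rules, addr, mark, iif):
    """Walk the rules in order; return (route type, device) of the first hit."""
    ip = ipaddress.ip_address(addr)
    for rule in rules:
        if rule["fwmark"] is not None and rule["fwmark"] != mark:
            continue
        if rule["iif"] is not None and rule["iif"] != iif:
            continue
        hits = [(ipaddress.ip_network(p), t, d)
                for p, t, d in TABLES[rule["table"]]
                if ip in ipaddress.ip_network(p)]
        if hits:
            _, rtype, dev = max(hits, key=lambda h: h[0].prefixlen)
            return rtype, dev
    return None, None

def validate_source(rules, src, mark):
    """Reverse-path check on the source address: only unicast results pass.
    Assumption: the lookup carries the mark but no ingress interface."""
    rtype, _ = fib_lookup(rules, src, mark, iif=None)
    return "accept" if rtype == "unicast" else "drop"

if __name__ == "__main__":
    src, dst = "198.51.100.7", "203.0.113.5"        # constructed addresses
    for name, rules in (("broad", RULES_BROAD), ("specific", RULES_SPECIFIC)):
        print(name, "source check:", validate_source(rules, src, mark=1),
              "| forward lookup:", fib_lookup(rules, dst, mark=1, iif="eth0"))
```

In both rule sets the forward lookup for a marked packet arriving on eth0 still resolves to the local route on lo, so only the source check differs.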