[tproxy] Funny Tproxy ISSUE with ip route lost communication
KOVACS Krisztian
hidden at balabit.hu
Fri Jan 8 17:32:50 CET 2010
Hi,
On 01/07/2010 11:56 AM, Luiz Biazus wrote:
> let me explain what is funny
> I have this platform:
>
> ubuntu 9.04
> kernel 2.6.32
> iptables 1.4.6
> squid 3.1 running on port 8012
>
> [...]
>
> until here all is OK, even I can bring UP all these rules that I described
> before and everything seems to be OK!
>
> BUT!
>
>
> if I bring up THESE RULES:
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> I LOST COMMUNICATION WITH MY PROXY
I'm afraid this was caused by Jamal's rp_filter change committed in
Linux 2.6.32.
You can find more information on the issue in the linux-netdev or tproxy
mailing list archives:
http://marc.info/?l=linux-netdev&m=125925598910379&w=2
This is expected to be fixed in an upcoming -stable release (2.6.32.z);
in the meantime you can use the workaround mentioned in that mail
thread: instead of the 'ip rule add fwmark 1 lookup 100' rule, you have
to use one rule per interface.
<quote>
The workaround is using more specific ip rules that include the ingress
interface name:
# ip rule add dev eth0 fwmark 1 lookup 100
(repeat the above for each interface except lo.)
</quote>
Hope this helps.
Cheers,
Krisztian
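As an added illustration (not part of this thread or of the tproxy project), a POSIX shell script that flags the interface-less fwmark rule in `ip rule show` output and prints the per-interface replacement rules the quoted workaround calls for. The `ip rule show` sample is constructed, the function names are my own, and `iif` is the iproute2 keyword for the ingress interface (the `dev` spelling in the quote is accepted as an alias).

```shell
#!/bin/sh
# Constructed sample of `ip rule show` on a host using the generic fwmark
# rule from the thread (not captured from a real machine).
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'

# Print the rules (from `ip rule show` output on stdin) that match on a
# fwmark but not on an ingress interface; those are the ones that stop
# working after the 2.6.32 rp_filter change.
generic_fwmark_rules() {
    grep 'fwmark' | grep -v 'iif '
}

# Emit one replacement rule per interface, skipping lo, as the workaround
# suggests. $1 = fwmark value, $2 = space-separated interface names,
# $3 = routing table.
per_iface_rules() {
    mark=$1; ifaces=$2; table=$3
    for dev in $ifaces; do
        [ "$dev" = lo ] && continue
        echo "ip rule add iif $dev fwmark $mark lookup $table"
    done
}

# Interface names on this host, minus lo (reads sysfs, no root needed).
host_ifaces() {
    for d in /sys/class/net/*; do
        n=${d##*/}
        [ "$n" = lo ] || printf '%s ' "$n"
    done
}

main() {
    echo "# rules affected by the rp_filter change:"
    printf '%s\n' "$SAMPLE_RULES" | generic_fwmark_rules
    echo "# replacement setup (fwmark 1, table 100); run as root:"
    echo "ip route add local 0.0.0.0/0 dev lo table 100"
    per_iface_rules 1 "$(host_ifaces)" 100
}

main
```

The script only prints the commands; review them and apply them as root, deleting the old generic rule first.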