[tproxy] Fwd: Funny Tproxy ISSUE with ip route lost communication

Luiz Biazus luiz at biazus.com
Fri Jan 8 19:51:45 CET 2010


Thanks for the reply, Krisztian.


After I insert these rules:
ip rule add dev eth0 fwmark 1 lookup 100
ip rule add dev eth1 fwmark 1 lookup 100
ip rule add dev br0 fwmark 1 lookup 100


must I also insert this route:

ip route add local 0.0.0.0/0 dev lo table 100

or not?



2010/1/8 KOVACS Krisztian <hidden at balabit.hu>:
> Hi,
>
> On 01/07/2010 11:56 AM, Luiz Biazus wrote:
>>
>> Let me explain what is funny.
>> I have this platform:
>>
>> ubuntu 9.04
>> kernel 2.6.32
>> iptables 1.4.6
>> squid 3.1 running in port 8012
>
>>
>> [...]
>>
>> Up to here everything is OK; I can even bring UP all the rules that I described
>> before and everything seems to be OK!
>>
>> BUT!
>>
>>
>> if I bring up THESE RULES:
>>
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> I LOST COMMUNICATION WITH MY PROXY
>
> I'm afraid this was caused by Jamal's rp_filter change committed in Linux
> 2.6.32.
>
> You can find more information on the issue in the linux-netdev or tproxy
> mailing list archives:
>
> http://marc.info/?l=linux-netdev&m=125925598910379&w=2
>
> This is expected to be fixed in an upcoming -stable release (2.6.32.z), in
> the meantime you can use the workaround mentioned in that mail thread:
> instead of the 'ip rule add fwmark 1 lookup 100' rule, you have to use one
> rule per interface.
>
> <quote>
> The workaround is using more specific ip rules that include the ingress
> interface name:
>
> # ip rule add dev eth0 fwmark 1 lookup 100
>
> (repeat the above for each interface except lo.)
> </quote>
>
> Hope this helps.
>
> Cheers,
> Krisztian
>

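The following script is an added example, not code from the thread or from the tproxy project: it puts together the complete setup the messages above discuss, using the per-interface `ip rule` workaround Krisztian quotes instead of the single `fwmark` rule, and keeping the `ip route add local ... dev lo table 100` route, since the quoted workaround replaces only the rule, not the route. The mark value, table number, interface names (eth0, eth1, br0) and the Squid port 8012 come from the thread; the mangle-table DIVERT chain with `-m socket` and the `--dport 80` match are the standard TPROXY pattern from the kernel's tproxy documentation and are assumptions about Luiz's rule set, which the thread elides. `DRY_RUN=1` prints the commands instead of running them, so it can be checked without root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): TPROXY routing and
# netfilter setup with the per-interface ip rule workaround for the
# Linux 2.6.32 rp_filter regression discussed above.
#
# Values from the thread: fwmark 1, routing table 100, proxy port 8012.
# Assumptions: the DIVERT chain / -m socket / --dport 80 rules are the
# generic TPROXY pattern, not Luiz's actual (elided) iptables rules.

MARK=1
TABLE=100
PROXY_PORT=8012

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Policy-routing side. One rule per ingress interface (the workaround:
# 'dev eth0' restricts the rule to packets arriving on eth0, so it does
# not match during the reverse-path lookup the way the bare 'fwmark 1'
# rule did), plus the local route so marked packets are delivered to the
# local stack instead of being forwarded.
tproxy_routes() {
    # $@ = every interface that receives client traffic, except lo
    for dev in "$@"; do
        run ip rule add dev "$dev" fwmark "$MARK" lookup "$TABLE"
    done
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Netfilter side. Packets that already belong to a local socket get the
# mark restored via DIVERT; new port-80 connections are handed to the
# transparent proxy listening on PROXY_PORT without rewriting the
# destination address.
tproxy_iptables() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$PROXY_PORT"
}

# Usage: DRY_RUN=1 sh tproxy-setup.sh eth0 eth1 br0   (print only)
#        sh tproxy-setup.sh eth0 eth1 br0             (apply, as root)
if [ $# -gt 0 ]; then
    tproxy_iptables
    tproxy_routes "$@"
fi
```

The per-interface rules must list every interface on which client traffic arrives; if a new bridge or VLAN interface is added later, it needs its own rule or its traffic will bypass table 100 and never reach the proxy socket. Once a 2.6.32.z kernel with the fix is running, the single `ip rule add fwmark 1 lookup 100` rule can be used again, but the per-interface form keeps working on both.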
