<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - IPMasquerade=yes should create -o rules (instead of -s)"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=90282">90282</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>IPMasquerade=yes should create -o rules (instead of -s)
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>systemd
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>radek@podgorny.cz
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>consider the following situation:

router with interfaces as follows:
  lan: 10.25.3.1/24
  isp1: some public address
  isp2: 10.25.254.1/30 (with the entire 10.0.0.0/8 behind it - this is just a
peer-to-peer link)

now, i want the traffic to isp1 to be masqueraded but not the traffic to isp2
because i'm a part of the 10./8 "internet" (there are routes on the other side
that lead to me, too).

with current systemd (219) i have to set ipmasquerade for the lan interface
which adds the "-s 10.25.3.1/25" rule. this is imho wrong (reversed) since
masquerading should be decided depending on the destination, not the source. so
the "correct" way should be to set ipmasquerade for isp1 which should create
the "-o isp1" rule.

also, even if i'm wrong, wouldn't it make more sense to create at least a "-i
lan" rule? why is it based on addresses and not the interface?

thanks.</pre>
        </div>
      </p>
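      <p>The two rule shapes discussed in the report, modelled against its topology. This is an added example, not part of the original report and not systemd code. The route table, the LAN prefix 10.25.3.0/24 and the sample addresses are constructed assumptions.</p>
<pre>
```python
import ipaddress

# Constructed routing table for the router in the report (assumed, not from the page):
# LAN prefix on lan, 10.0.0.0/8 behind isp2, default route via isp1.
ROUTES = [
    (ipaddress.ip_network("10.25.3.0/24"), "lan"),
    (ipaddress.ip_network("10.25.254.0/30"), "isp2"),
    (ipaddress.ip_network("10.0.0.0/8"), "isp2"),
    (ipaddress.ip_network("0.0.0.0/0"), "isp1"),
]

def out_interface(dst):
    """Pick the egress interface by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, ifname) for net, ifname in ROUTES if addr in net]
    return max(matches)[1]

def rule_matches(rule, src, dst):
    """A rule matches only if every selector it carries matches the packet."""
    if "src" in rule and ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
        return False
    if "out" in rule and out_interface(dst) != rule["out"]:
        return False
    return True

def is_masqueraded(rules, src, dst):
    """True if any modelled POSTROUTING MASQUERADE rule matches a forwarded packet."""
    return any(rule_matches(r, src, dst) for r in rules)

SOURCE_BASED = [{"src": "10.25.3.0/24"}]  # models: -s LAN-prefix -j MASQUERADE
OUT_IFACE_BASED = [{"out": "isp1"}]       # models: -o isp1 -j MASQUERADE

def compare(src, dst):
    """Report the egress interface and whether each rule shape rewrites the source."""
    return {
        "egress": out_interface(dst),
        "source_rule": is_masqueraded(SOURCE_BASED, src, dst),
        "out_rule": is_masqueraded(OUT_IFACE_BASED, src, dst),
    }

if __name__ == "__main__":
    flows = [
        ("10.25.3.20", "198.51.100.7"),  # LAN host to the internet
        ("10.25.3.20", "10.80.1.1"),     # LAN host to the 10/8 peer network
        ("10.80.1.1", "198.51.100.7"),   # 10/8 peer transiting to the internet
    ]
    for src, dst in flows:
        print(src, dst, compare(src, dst))
```
</pre>
      <p>The source-match rule also rewrites LAN traffic leaving via isp2, which hides LAN hosts from the routed 10/8 peers. The output-interface rule leaves that traffic alone, but it also masquerades transit traffic from the 10/8 side that exits via isp1.</p>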
    </body>
</html>