<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><span class="vcard"><a class="email" href="mailto:lennart@poettering.net" title="Lennart Poettering <lennart@poettering.net>"> <span class="fn">Lennart Poettering</span></a>
</span> changed
              <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - IPMasquerade=yes should create -o rules (instead of -s)"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=90282">bug 90282</a>
          <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">Status</td>
           <td>NEW
           </td>
           <td>RESOLVED
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">Resolution</td>
           <td>---
           </td>
           <td>FIXED
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - IPMasquerade=yes should create -o rules (instead of -s)"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=90282#c1">Comment # 1</a>
              on <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - IPMasquerade=yes should create -o rules (instead of -s)"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=90282">bug 90282</a>
              from <span class="vcard"><a class="email" href="mailto:lennart@poettering.net" title="Lennart Poettering <lennart@poettering.net>"> <span class="fn">Lennart Poettering</span></a>
</span></b>
        <pre>IPMasquerade= is a setting you set on the *internal* interface, not the
external one. It however results in iptables rules that are processed on the
*external* interfaces, not the internal one. When the packets are processed by
the kernel on the external interface, then the incoming interface information
is unavailable (which is a kernel limitation), hence we match on the source
address instead.

Just think of a setup with two internal interfaces (which is common for example
for container setups where each container has its own veth link): for one of
the internal interfaces IPMasquerade is set, for the other it isn't. Now you
need to write rules that clearly only apply to the packets from the interface
where it is set. Hence the source IP address range check.

Yupp, it would be good if we could match against the source interface instead
for the MASQUERADE rules. But we cannot, the kernel simply does not allow such
matches. Sorry.</pre>
        </div>
      </p>
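<p>As an added illustration of the argument in the comment above (constructed here, not systemd's own code): with two internal links and IPMasquerade= on only one of them, a nat/POSTROUTING decision sees only the packet's addresses and the outgoing link, so a source-range (-s) rule per masqueraded link discriminates correctly, while a single output-interface (-o) rule on the external link would masquerade traffic from both. Link names, subnets and the external interface name are assumptions.</p>

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (not systemd-networkd's code) of the rule shape IPMasquerade=
# implies and why it matches on -s rather than on the incoming interface.

@dataclass
class InternalLink:
    name: str            # assumed name, e.g. a container's host-side veth
    subnet: str          # address range assigned on that link
    ip_masquerade: bool  # IPMasquerade=yes in the link's .network file


@dataclass
class MasqRule:
    source: ipaddress.IPv4Network  # the -s match; no -i is possible in POSTROUTING

    def as_iptables(self) -> str:
        return f"iptables -t nat -A POSTROUTING -s {self.source} -j MASQUERADE"


def rules_for(links):
    """One -s rule per internal link that has IPMasquerade=yes."""
    return [MasqRule(ipaddress.ip_network(l.subnet)) for l in links if l.ip_masquerade]


def masqueraded_by_source(rules, src_ip):
    """POSTROUTING decision: the incoming interface is no longer known, so the
    only per-link information left is the source address range."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in r.source for r in rules)


def masqueraded_by_out_iface(out_iface, external="ext0"):
    """What a single '-o ext0 -j MASQUERADE' rule would do: it fires for every
    packet leaving the external link, whichever internal link it came from."""
    return out_iface == external


# Constructed setup from the comment: two internal links, only one masqueraded.
LINKS = [
    InternalLink("ve-a", "10.0.1.0/24", ip_masquerade=True),
    InternalLink("ve-b", "10.0.2.0/24", ip_masquerade=False),
]
RULES = rules_for(LINKS)

if __name__ == "__main__":
    for r in RULES:
        print(r.as_iptables())
    for src in ("10.0.1.5", "10.0.2.5"):
        print(src, "-s rule:", masqueraded_by_source(RULES, src),
              "-o rule:", masqueraded_by_out_iface("ext0"))
```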
    </body>
</html>