[systemd-bugs] [Bug 90282] IPMasquerade=yes should create -o rules (instead of -s)

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sun May 3 07:23:03 PDT 2015


https://bugs.freedesktop.org/show_bug.cgi?id=90282

Lennart Poettering <lennart at poettering.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Lennart Poettering <lennart at poettering.net> ---
IPMasquerade= is a setting you set on the *internal* interface, not the
external one. It however results in iptables rules that are processed on the
*external* interfaces, not the internal one. When the packets are processed by
the kernel on the external interface, then the incoming interface information
is unavailable (which is a kernel limitation), hence we match on the source
address instead.

Just think of a setup with two internal interfaces (which is common for example
for container setups where each container has its own veth link): for one of
the internal interfaces IPMasquerade= is set, for the other it isn't. Now you
need to write rules that clearly only apply to the packets from the interface
where it is set. Hence the source IP address range check.

Yupp, it would be good if we could match against the source interface instead
for the MASQUERADE rules. But we cannot, the kernel simply does not allow such
matches. Sorry.

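The two-internal-interface argument above can be checked with a small simulation of nat POSTROUTING matching. This is an added example, not code from the bug report or from systemd itself; the topology (uplink ext0, container A on veth-a with 10.0.1.0/24 and IPMasquerade=yes, container B on veth-b with 10.0.2.0/24 and no masquerading) and the packet samples are constructed for the illustration, and the "-s subnet -j MASQUERADE" form is assumed here as a stand-in for what networkd installs. The packet model deliberately carries no ingress interface, mirroring what POSTROUTING gets to see, and `legal_in_chain` mirrors iptables refusing `-i` in that chain.

```python
"""Simulate nat POSTROUTING matching: why IPMasquerade= keys on -s, not -o/-i."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str  # egress device: known at POSTROUTING
    # No in_iface on purpose: by the time nat POSTROUTING runs, the ingress
    # device is not available to the matcher (the limitation in the comment).


@dataclass(frozen=True)
class Rule:
    src: Optional[str] = None        # -s CIDR
    out_iface: Optional[str] = None  # -o DEV
    in_iface: Optional[str] = None   # -i DEV (iptables rejects this in POSTROUTING)
    target: str = "MASQUERADE"

    def render(self, chain: str = "POSTROUTING") -> str:
        """Command line equivalent of this rule (for display only)."""
        parts = ["iptables", "-t", "nat", "-A", chain]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.out_iface:
            parts += ["-o", self.out_iface]
        if self.src:
            parts += ["-s", self.src]
        parts += ["-j", self.target]
        return " ".join(parts)

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        return True


def legal_in_chain(rule: Rule, chain: str) -> bool:
    """Mirror iptables' refusal of -i in POSTROUTING and -o in PREROUTING."""
    if chain == "POSTROUTING" and rule.in_iface is not None:
        return False
    if chain == "PREROUTING" and rule.out_iface is not None:
        return False
    return True


def postrouting_verdict(rules: Iterable[Rule], pkt: Packet) -> str:
    """First matching rule wins; the chain policy leaves the packet alone."""
    for rule in rules:
        if not legal_in_chain(rule, "POSTROUTING"):
            raise ValueError("Can't use -i with POSTROUTING")
        if rule.matches(pkt):
            return rule.target
    return "ACCEPT"


def verdicts(rules: Iterable[Rule], pkts: Iterable[Packet]) -> List[Tuple[str, str, str, str]]:
    rules = list(rules)
    return [(p.src, p.dst, p.out_iface, postrouting_verdict(rules, p)) for p in pkts]


def masqueraded_sources(rules: Iterable[Rule], pkts: Iterable[Packet]) -> Set[str]:
    rules = list(rules)
    return {p.src for p in pkts if postrouting_verdict(rules, p) == "MASQUERADE"}


# Constructed topology (assumed, not from the bug report): uplink ext0,
# container A on veth-a (10.0.1.0/24, IPMasquerade=yes),
# container B on veth-b (10.0.2.0/24, no masquerading).
def sample_packets() -> List[Packet]:
    return [
        Packet("10.0.1.2", "198.51.100.5", "ext0"),  # A -> internet
        Packet("10.0.2.2", "198.51.100.5", "ext0"),  # B -> internet
        Packet("10.0.1.2", "10.0.2.2", "veth-b"),    # A -> B, forwarded by the host
    ]


def o_style_rules(ext: str) -> List[Rule]:
    """What the bug asked for: match on the external (egress) device."""
    return [Rule(out_iface=ext)]


def s_style_rules(internal_subnet: str) -> List[Rule]:
    """What the comment describes: match on the internal interface's subnet."""
    return [Rule(src=internal_subnet)]


if __name__ == "__main__":
    for label, rules in (("-o style", o_style_rules("ext0")), ("-s style", s_style_rules("10.0.1.0/24"))):
        print(label, "->", rules[0].render())
        for row in verdicts(rules, sample_packets()):
            print("   ", row)
    print("-i in POSTROUTING legal:", legal_in_chain(Rule(in_iface="veth-a"), "POSTROUTING"))
```

The `-o ext0` rule masquerades container B's traffic as well, which is exactly the case the comment says must not happen; the `-s 10.0.1.0/24` rule only touches A's packets. The simulation also makes the trade-off visible: a rule matched on `-s` alone applies regardless of egress device, so A's forwarded traffic to B on veth-b is masqueraded too.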