On 21.06.2025 03:48, Sunny73Cr wrote:
Hi,
> from hostINT back to extIP, gets routed to gw1 through eth1
> Looks like the default route for 'any' source has too much priority; without looking at the code, it seems that the assumption is that there's no point checking the other routes, if there is an 'any' route. I suggest removing the 'any' route and relying on SNAT for 'hidden' clients. Add more routing rules if necessary.
Unfortunately there's no way to remove the "any" route
or make its priority lower:
# ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
32770: from ip1 lookup table1 proto static
32780: from ip2 lookup table2 proto static
32790: from all lookup table1 proto static
# ip route list table table1
default via gw1 dev eth1 proto static
# ip route list table table2
default via gw2 dev eth2 proto static
It is the rule 32790 which kicks in *before*
reverse-DNAT (for replies, SNAT), while it should
be consulted after SNAT.
(There's no "default" route in the main table. It
has regular local routing information for locally
connected and inter-connected networks; there's
nothing relevant in it for the packets in question.)
The problem is that I can't change the order of SNAT vs.
the order of routing, no matter how I change the priorities
of the rules. Or I don't see a way to do this.
Thanks,
/mjt
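A small Python model of the rule walk shown in the message above, added here as an illustration (it is not code from the thread). The addresses are constructed placeholders, and it assumes the SNAT address for hostINT is ip2; it reproduces why the reply lands on rule 32790 and gw1, what the lookup would pick if SNAT had already rewritten the source, and what deleting the 'from all' rule would do.

```python
from collections import namedtuple

# Constructed placeholder addresses for the thread's hostINT, ip1/ip2 and
# gw1/gw2 (RFC 5737 documentation ranges). The destination (extIP) does not
# matter here: every table involved has only a default route or nothing.
HOST_INT = "192.0.2.10"                        # internal client hidden by SNAT
IP1, IP2 = "203.0.113.1", "203.0.113.2"        # local addresses on eth1 / eth2
GW1, GW2 = "203.0.113.254", "203.0.113.253"    # default gateways via eth1 / eth2

Rule = namedtuple("Rule", "prio src table")    # src None models "from all"

# Default gateway per table, as in `ip route list table ...`; local/main/default
# hold no default route for this traffic (None), so they fall through.
TABLES = {"local": None, "main": None, "default": None,
          "table1": GW1, "table2": GW2}

# The `ip rule list` from the thread, lowest priority value first.
RULES = [
    Rule(0, None, "local"),
    Rule(32766, None, "main"),
    Rule(32767, None, "default"),
    Rule(32770, IP1, "table1"),
    Rule(32780, IP2, "table2"),
    Rule(32790, None, "table1"),
]


def lookup(src, rules=RULES, tables=TABLES):
    """Walk rules by ascending priority, skip rules whose selector does not
    match, and stop at the first table that yields a route; a matching rule
    whose table has no route falls through to the next one, as the kernel does.
    Returns (matching rule priority, gateway), or None if nothing routes."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and rule.src != src:
            continue
        gw = tables[rule.table]
        if gw is not None:
            return rule.prio, gw
    return None


def route_reply(snat_before_routing=False):
    """Reply from HOST_INT. The kernel routes the pre-SNAT packet (the default
    here); True shows the pick if the source were already rewritten to IP2."""
    return lookup(IP2 if snat_before_routing else HOST_INT)


def route_reply_without(prio):
    """Reply lookup after deleting the rule with the given priority, e.g. the
    32790 'from all' rule the quoted reply suggests dropping."""
    return lookup(HOST_INT, [r for r in RULES if r.prio != prio])
```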