On 21.06.2025 17:42, Jozsef Kadlecsik wrote: ...
> From the netfilter point of view, routing is a completely independent, "black box" system. We can operate before and after routing, but we cannot jump to "hooks" in routing because there aren't any there.
This kind of defeats the purpose, I think, as demonstrated by this situation. The original issue was that checking for martians is done after netfilter has modified the packet, which is rather pointless, and it is a fundamental thing: it is the original addresses which should be checked for martians, not the altered ones. Can this ever be done: first the rp filter is applied, next the NAT table is consulted, and then regular routing is done on the resulting packet? The current, more serious issue (wrong routing of replies to DNATed packets) is actually the same: the de-NATing of replies should be done before routing, while it is done after.
> However, routing decisions can be affected by marking packets. So I'd mark packets before routing and use routing tables according to the mark value.
It is probably possible to do, I think, but it becomes too complex to be practical. Why can't we fix the order instead and make it work in a natural, expected way?

Thanks,

/mjt
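The "mark before routing, route by mark" approach Jozsef suggests, written out as a worked example. This is an added example, not code from the thread or from the netfilter project; the interface names, the 198.51.100.0/24 and 10.0.0.0/8 addresses, the mark value 0x1 and the routing table number 100 are hypothetical placeholders. The point it demonstrates is hook ordering: an nftables chain at priority mangle (-150) runs before the dstnat hook (-100), so its rule sees the destination address as the packet arrived, before DNAT rewrites it. The mark is stored in the conntrack entry and copied back onto the reply packets, so both directions of the flow hit the same policy-routing table. By default the script only prints the ruleset and the ip commands; set APPLY=1 to load them (needs root, nft and iproute2).

```shell
#!/bin/sh
# Added example (not from the thread): fwmark-based policy routing around DNAT.
# All values below are hypothetical placeholders.
set -eu

WAN_IF="${WAN_IF:-eth0}"                  # interface the original packets arrive on
WAN_GW="${WAN_GW:-198.51.100.1}"          # next hop for replies leaving via WAN
PUBLIC_IP="${PUBLIC_IP:-198.51.100.10}"   # address before DNAT (documentation range)
BACKEND_IP="${BACKEND_IP:-10.0.0.5}"      # address the DNAT rewrites to
MARK="${MARK:-0x1}"                       # fwmark that selects the routing table
TABLE="${TABLE:-100}"                     # policy-routing table used for marked flows

# Emit the nftables ruleset. The mark chain sits at priority mangle (-150) so it
# runs before dstnat (-100): it matches the destination as it arrived, not the
# DNATed one. ct mark stores the mark in the flow; the second rule restores it
# onto packets of the reply direction, which reach prerouting on the LAN side.
nft_ruleset() {
    cat <<EOF
table inet nat_demo {
    chain mark_pre {
        type filter hook prerouting priority mangle; policy accept;
        iifname "$WAN_IF" ip daddr $PUBLIC_IP tcp dport 443 meta mark set $MARK ct mark set meta mark
        ct mark $MARK meta mark set ct mark
    }
    chain dnat_pre {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$WAN_IF" ip daddr $PUBLIC_IP tcp dport 443 dnat ip to $BACKEND_IP
    }
}
EOF
}

# Emit the iproute2 commands: marked packets (both directions of the flow) are
# looked up in table $TABLE, which sends them back out through the WAN gateway
# regardless of what the main table would choose for the de-NATed addresses.
ip_rules() {
    cat <<EOF
ip rule add fwmark $MARK lookup $TABLE
ip route add default via $WAN_GW dev $WAN_IF table $TABLE
EOF
}

# Load the ruleset and the routing rules (requires root).
apply() {
    nft_ruleset | nft -f -
    ip_rules | sh -e
}

if [ "${APPLY:-0}" = 1 ]; then
    apply
else
    nft_ruleset
    ip_rules
fi
```

Note what this does and does not change: the routing decision for the flow now depends on a mark set from the original, pre-DNAT destination, which is the workaround Jozsef describes. The reverse-path (martian) check still runs as part of routing, after the prerouting hooks have rewritten the packet, so mjt's ordering complaint is untouched by this configuration; it only moves the routing outcome, not the check.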