On 21.06.2025 19:05, Jozsef Kadlecsik wrote:
On Sat, 21 Jun 2025, Michael Tokarev wrote:
On 21.06.2025 17:42, Jozsef Kadlecsik wrote:
..
However, routing decisions can be affected by marking packets. So I'd mark
packets before routing and use routing tables according to the mark value.
The prob with replies to DNAted packets is that these packets traverse
routing rules first, BEFORE they're seen by netfilter code. Who can
mark them for routing if routing is done before it's in netfilter?
No, not at all. You can mark the incoming first packet, store the packet's
mark value in conntrack and restore from conntrack for the reply packets
in mangle/prerouting. Which is exactly that, before routing.
Why netfilter can't de-DNAT'ify this (reply) packet at this same place
where you suggest to apply the mark, so the routing see it in its final
form, and no jumping through hoops is needed for the user?
Thanks,
/mjt
