Re: [RFC] MASQUERADE / policy routing ("Route send us somewhere else")
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2004-08-31 06:43:37
Also in: netfilter-devel
On Mon, Aug 30, 2004 at 10:39:20PM -0700, David S. Miller wrote:
> > If you're wondering why the second lookup is returning a different
> > interface at all, it's because the routing lookup in MASQUERADE is done
> > as if the packet was generated by localhost. This is obviously going to
> > differ from the normal routing lookup if the packet was forwarded.
>
> I understand this description. Would it be enough to set 'out' to
> rt->u.dst.dev after the call to ip_route_output_key() in ipt_MASQUERADE.c?
Unfortunately no. You see the result of ip_route_output_key() is not used
at all so you can set rt->u.dst.dev all you like and it isn't going to make
any difference :)

The only reason we're making that call in MASQUERADE is so that we can get
the source address from the resulting dst. Now if the dst is pointing to
the wrong device, then that source address may be invalid.

In fact I wonder if Alexey was aware of the fact that this dst is not going
to be used for routing the packet. It's thrown away immediately after we
get the source address.

In this case I really don't see what's wrong with setting oif in the key.
In fact that's exactly what we want to do: Get the preferred source address
when the localhost is going to send a packet to *that* device.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
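To make the routing point in this exchange concrete, the following is a toy model added here; it is not Linux kernel code and not from anyone in the thread. Device names, addresses, the two routing tables and the single policy rule are all constructed. It models a policy rule keyed on the input interface, a lookup done "as if from localhost" (no input interface, so the rule never fires), and the effect of restricting that lookup to the output device, which is what putting oif in the flow key does. `route_output()` stands in for `ip_route_output_key()` and `masquerade_src()` for the address MASQUERADE derives from the result; both are invented names for the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model of policy routing, added for illustration only.
 * Nothing here is Linux kernel code; device names, addresses and tables
 * are invented. */

enum { DEV_NONE = 0, DEV_ETH0, DEV_PPP0, DEV_PPP1 };
enum { TABLE_MAIN, TABLE_FWD };

struct device { int id; const char *name; const char *addr; };

/* Each device has one address, which is the "preferred source" a local
 * lookup resolving to that device returns. */
static const struct device devices[] = {
    { DEV_ETH0, "eth0", "192.168.1.1"  },
    { DEV_PPP0, "ppp0", "192.0.2.1"    },
    { DEV_PPP1, "ppp1", "198.51.100.1" },
};

struct route { int table; int dev; };

/* Two default routes: the main table (used for locally generated packets)
 * leaves via ppp0, the forwarding table leaves via ppp1. */
static const struct route routes[] = {
    { TABLE_MAIN, DEV_PPP0 },
    { TABLE_FWD,  DEV_PPP1 },
};

static const char *dev_addr(int dev)
{
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        if (devices[i].id == dev)
            return devices[i].addr;
    return NULL;
}

/* Policy rule: packets that came in on eth0 (forwarded traffic) are routed
 * with TABLE_FWD; anything else, including packets generated by localhost
 * (iif == DEV_NONE), uses TABLE_MAIN. */
static int select_table(int iif)
{
    return iif == DEV_ETH0 ? TABLE_FWD : TABLE_MAIN;
}

struct lookup_result { int dev; const char *src; };

/* Stand-in for ip_route_output_key(): pick a table from the policy rule,
 * then the first route in it whose device matches oif (DEV_NONE = any).
 * If oif was given and no route matched, do what the kernel's on-link
 * fallback does and answer with that device and its own address. */
static struct lookup_result route_output(int iif, int oif)
{
    struct lookup_result r = { DEV_NONE, NULL };
    int table = select_table(iif);

    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++) {
        if (routes[i].table != table)
            continue;
        if (oif != DEV_NONE && routes[i].dev != oif)
            continue;
        r.dev = routes[i].dev;
        r.src = dev_addr(r.dev);
        return r;
    }
    if (oif != DEV_NONE) {
        r.dev = oif;
        r.src = dev_addr(oif);
    }
    return r;
}

/* Source address MASQUERADE would pick for a packet leaving on 'out'.
 * The lookup is done as if localhost sent the packet (no input interface);
 * use_oif models putting the output device into the flow key. */
static const char *masquerade_src(int out, int use_oif)
{
    return route_output(DEV_NONE, use_oif ? out : DEV_NONE).src;
}

/* Walk through the scenario: a LAN packet is forwarded via ppp1, yet the
 * localhost-style lookup without oif resolves to ppp0's address. Returns 1
 * when the oif-keyed lookup yields the address of the real output device. */
static int demo(void)
{
    struct lookup_result fwd = route_output(DEV_ETH0, DEV_NONE);
    const char *without_oif = masquerade_src(fwd.dev, 0);
    const char *with_oif = masquerade_src(fwd.dev, 1);

    printf("forwarded packet leaves via %s; MASQUERADE source without oif: %s, with oif: %s\n",
           dev_addr(fwd.dev), without_oif, with_oif);
    return strcmp(with_oif, dev_addr(fwd.dev)) == 0 &&
           strcmp(without_oif, with_oif) != 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The model also shows why the suggestion in the quoted question changes nothing: the device in the lookup result is never consulted by the model's `masquerade_src()`, only the source address is, so fixing up the result's device after the fact has no effect, whereas keying the lookup on the output device changes which address comes back.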