openinfrastructure / terraform-google-multinic

Connect two VPC networks with an auto-healing, auto-scaling group of IP router instances.
Apache License 2.0
10 stars 5 forks

Replace iptables fwmark with iproute2 rule #11

Closed jeffmccune closed 4 years ago

jeffmccune commented 4 years ago

Iptables marking is unnecessary and introduces a dependency on netfilter. To eliminate this dependency, switch to using iproute2 rules to implement the "virtual wire"

ip rule add from all iif eth0 lookup viaeth1
ip rule add from all iif eth1 lookup viaeth0

See ip-rule(8):

    iif NAME
        select the incoming device to match. If the interface is loopback, the rule only matches packets originating from this host. This means that you may create separate routing tables for forwarded and local packets and, hence, completely segregate them.

jeffmccune commented 4 years ago

Fixed this and added restart behavior. Rules and routes don't pile up:

(sudo ip rule list; sudo ip route list table all) > before.txt
sudo systemctl restart policy-routing
(sudo ip rule list; sudo ip route list table all) > after.txt

There's no difference between before.txt and after.txt.
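Added example, not code from the terraform-google-multinic repository or from the issue author: a small POSIX sh script that builds the two-rule "virtual wire" from the first comment with iproute2 only (no iptables fwmark) and makes it idempotent, which is the property the restart check in the second comment verifies. It assumes the interface names eth0/eth1 and table names viaeth1/viaeth0 from the issue, assumes those table names are defined in /etc/iproute2/rt_tables, and uses made-up next-hop addresses for the per-table default routes. The planning functions only parse captured `ip rule list` output, so they can be exercised without root; only `apply_wire` touches the live system.

```shell
#!/bin/sh
# Added example (not the project's own code). Implements the iproute2-only
# "virtual wire": traffic arriving on eth0 is looked up in table viaeth1 and
# traffic arriving on eth1 in table viaeth0. Rules are added only when absent
# and routes are installed with `ip route replace`, so running this from a
# systemd unit on every restart leaves `ip rule list` unchanged.

# Each line: incoming interface, routing table, next hop for that table.
# Interface/table names come from the issue; the next-hop addresses are
# assumptions chosen for illustration.
WIRE="eth0 viaeth1 10.0.1.1
eth1 viaeth0 10.0.0.1"

# rule_present RULES IIF TABLE
#   Returns 0 if RULES (the text of `ip rule list`) already contains a
#   "from all iif IIF lookup TABLE" rule, 1 otherwise.
rule_present() {
  printf '%s\n' "$1" |
    grep -Eq "^[0-9]+:[[:space:]]+from all iif $2 lookup $3([[:space:]]|$)"
}

# plan_rules RULES
#   Prints the `ip rule add` commands still missing for the wire, given the
#   current `ip rule list` output. Prints nothing when the wire is complete,
#   which is exactly why a restart cannot pile up duplicate rules.
plan_rules() {
  rules=$1
  printf '%s\n' "$WIRE" | while read -r iif table nexthop; do
    [ -n "$iif" ] || continue
    if ! rule_present "$rules" "$iif" "$table"; then
      printf 'ip rule add from all iif %s lookup %s\n' "$iif" "$table"
    fi
  done
}

# plan_routes
#   Prints the per-table default routes. `ip route replace` is idempotent on
#   its own, so these are always emitted; re-running them changes nothing.
plan_routes() {
  printf '%s\n' "$WIRE" | while read -r iif table nexthop; do
    [ -n "$iif" ] || continue
    # The table viaethX must send packets out the *other* interface.
    case "$iif" in
      eth0) dev=eth1 ;;
      eth1) dev=eth0 ;;
      *)    dev=$iif ;;
    esac
    printf 'ip route replace default via %s dev %s table %s\n' \
      "$nexthop" "$dev" "$table"
  done
}

# apply_wire
#   Runs the plan against the live system. Needs CAP_NET_ADMIN and the
#   table names present in /etc/iproute2/rt_tables (assumed).
apply_wire() {
  current=$(ip rule list)
  { plan_rules "$current"; plan_routes; } | while read -r cmd; do
    printf '+ %s\n' "$cmd"
    sh -c "$cmd"
  done
}

# Uncomment to apply on a host (as root):
# apply_wire
```

Run it twice and diff `ip rule list` before and after the second run, as in the comment above; the second `plan_rules` call prints nothing because both iif rules are already present, and `ip route replace` rewrites the same route in place rather than adding a second one.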