On 10/04/2014 23:23, Bart Kus wrote:
> At step (c) the packet matched a route that is associated with an IPIP tunnel. The inner headers are from-44.whatever and to-44.24.240.0/20. When that match is made, the packet is IPIP encapsulated, and given new outer src/dst IPs. The dst-IP in this case should be 44.24.221.1, and the src-IP should be whatever local-address was configured for the IPIP tunnel (which should be routable over his public ISP). Then the router has to make a 2nd routing decision about how to deliver to 44.24.221.1. In this case, it should match default route (0.0.0.0/0).

I think the issues still come because of BCP38.
44GWs have access to the commercial Internet and 44net, so you need to apply source and destination based routing rules. In general you will

1) handle traffic with an ORIGIN within 44/8 in a dedicated routing table
2) handle traffic with a DESTINATION within 44/8 in a dedicated routing table

So once the IPIP packet towards your 44GW has been created, the SOURCE is a commercial IP address and the DESTINATION is a 44net address, and rule 2) from above will kick in. As your network 44.24.221.0/24 is not in the encap file, there is no route in the dedicated routing table and as such the traffic travels via the default route in the dedicated routing table. That default route within the dedicated routing table goes via UCSD because of BCP38.

So what you are asking is to ignore the routing rule (ip rule, NOT ip route) once a packet has been encapsulated into IPIP. This seems to be difficult using the current code; there might be a possibility using iptables and packet marking. Another solution would be to specifically exclude your 44GW IP address (44.24.221.1) from rule 2) (and 1) if I happen to apply the same implementation as yours).

73 de Marc
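
The rule evaluation discussed in this message, as a small added model (an example written for this page, not code from the thread or from any 44net gateway software). Table names, next-hop labels, rule priorities and the addresses 198.51.100.7 and 44.60.0.10 are assumptions; 44.24.240.0/20 and 44.24.221.1 are taken from the thread.

```python
import ipaddress as ipa

# Constructed model of the gateway described above. Table names, next-hop
# labels, rule priorities and the 198.51.100.7 / 44.60.0.10 addresses are
# assumptions; 44.24.240.0/20 and 44.24.221.1 come from the thread.
TABLES = {
    "main":  [("0.0.0.0/0", "isp-default")],
    "net44": [("44.24.240.0/20", "ipip-to-44.24.221.1"),  # encap-file entry
              ("0.0.0.0/0", "ucsd-tunnel")],              # table default
}
RULES = [
    (100, "44.0.0.0/8", "0.0.0.0/0", "net44"),    # rule 1: ORIGIN in 44/8
    (200, "0.0.0.0/0", "44.0.0.0/8", "net44"),    # rule 2: DESTINATION in 44/8
    (32766, "0.0.0.0/0", "0.0.0.0/0", "main"),
]
# The exclusion suggested above: look up the gateway's own address in main first.
EXCLUDE_GW = (50, "0.0.0.0/0", "44.24.221.1/32", "main")


def lookup(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    hits = [(ipa.ip_network(n), hop) for n, hop in TABLES[table]
            if ipa.ip_address(dst) in ipa.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def route(rules, src, dst):
    """Walk rules by priority, as `ip rule` does; first table with a route wins."""
    for _prio, frm, to, table in sorted(rules):
        if (ipa.ip_address(src) in ipa.ip_network(frm)
                and ipa.ip_address(dst) in ipa.ip_network(to)):
            hop = lookup(table, dst)
            if hop is not None:
                return table, hop
    return None


if __name__ == "__main__":
    inner = ("44.60.0.10", "44.24.240.5")      # from-44.whatever to 44.24.240.0/20
    outer = ("198.51.100.7", "44.24.221.1")    # same packet after IPIP encapsulation
    print("inner:", route(RULES, *inner))
    print("outer, rules 1) and 2) only:", route(RULES, *outer))
    print("outer, gateway excluded:", route(RULES + [EXCLUDE_GW], *outer))
```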