Date: Fri, 26 Apr 2024 10:58:53 -0500
From: Mike Karels <mike@karels.net>
To: Gregory Shapiro <gshapiro@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Source IPv4 address selection vs BGP IX connection
Message-ID: <D6BC356F-5B42-4F93-B511-58DCA1510D20@karels.net>
In-Reply-To: <muipeuskrjbeb6krnprphzpfh5idf2xe4nxzmciocjccgrh2x7@kwv3gunsn5gp>
References: <xrxvyz6h3t45tfbqxag2ueqe6ocg2myxhdg7kqsbjx6czj4xeo@jqwioylxcb2c> <202404241742.43OHghWB055177@gndrsh.dnsmgr.net> <3exr7zmcxnfxuofbyf57gdbzxxrgntprydeesbjsparq3xgeri@p4irynwruq7f> <9d8cbd3e-6531-5c2b-ce02-0ff056cc946b@redbarn.org> <muipeuskrjbeb6krnprphzpfh5idf2xe4nxzmciocjccgrh2x7@kwv3gunsn5gp>
On 25 Apr 2024, at 15:56, Gregory Shapiro wrote:

>> of course, gethostid(3) is now deprecated in favour of sysctl(3), and the
>> hostid(8) command is gone, and there's now more than one flavour of
>> Internet-capable UNIX in the world, and there's more than one Internet
>> address family now. so what i did in 1990 is a guide only inasmuch as some
>> way should exist to change the default local address of a socket so that it
>> isn't the address of the interface used for the destination. if that happens
>> i hope we coordinate with Linux and with the other BSD's.
>
> Linux already has a model to give a hint for source address selection via
> route table "hints". When adding routes (either manually via `ip route'
> or via things like bird2 BGP daemon), Linux supports setting a source IP
> for when that route is used.
>
> Interestingly, JunOS (which I believe is based on FreeBSD) also supports
> a way to specify a default IPv4 source address, preferring the primary address
> on lo0 that is not 127.0.0.1. It is a common practice for BGP systems to
> attach their announced IPs to the loopback interface.
>
> https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/default-address-selection-edit-system.html
>
> For the Linux and bird (BGP) documentation:
>
> Linux
> -----
> http://linux-ip.net/html/tools-ip-route.html#ex-tools-ip-route-add-src
>
> "The src option provides a hint to the kernel for source address selection. When you are working with multiple routing tables and different classes of traffic, you can ease your administrative burden, by hosting several different IPs on your linux machine and setting the source address differently, depending on the type of traffic.
>
> In the example below, let's assume that our masquerading host also runs a DNS resolver for the internal network and we have selected all of the outbound DNS packets to be routed according to table 7 [53]. Now, any packet which originates on this box (or is masqueraded through this table) will have its source IP set to 205.254.211.198.
>
> Example D.19. Using src in a routing command with route add
>
> [root@masq-gw]# ip route add default via 205.254.211.254 src 205.254.211.198 table 7
> "
>
> man ip-route
>
> "src ADDRESS
> the source address to prefer when sending to the
> destinations covered by the route prefix."

When you first asked this question, my first thought was that this should be in the routing table. It seems to me that choosing the source address is more a function of the destination than of the process (vnet, jail, etc.). In fact, this problem seemed familiar, so I went looking. It turns out that this feature has been available since 4.4BSD. route(8) has a keyword to do just this, -ifa (interface address). It only seems to work when the alias is on the same interface. It also seems to be broken in -current and 14.0, but I got it to work with 13.3 and 12.4. While experimenting, I tried to use -ifp as well, but it seems to be ignored; route add -ifp foobar ... does not fail. (12.4 got the interface wrong when the alias was on the loopback.)

Anyone know why -ifa is ineffective in 14.0 and -current? It could be fallout from netlink.

The documentation is weak at best; route(8) says only "the -ifp or -ifa modifiers may be used to determine the interface or interface address". "route get" does not display the ifa; I think it did at one time.

I'll also note that binding the desired source address manually works; ping -S uses this.

Mike

>
> Bird (BGP Daemon)
> ----
> "The Kernel protocol defines several attributes. These attributes are translated to appropriate system (and OS-specific) route attributes. We support these attributes:
> ..
> ip krt_prefsrc
> (Linux) The preferred source address. Used in source address selection for outgoing packets. Has to be one of the IP addresses of the router."
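The two source address behaviours the thread contrasts, as an added example that is not code from the thread, from FreeBSD or from Linux: without a bind(), the kernel chooses the source from the route lookup for the destination (the outgoing interface's address, or a route "src"/-ifa hint when one is configured); with a bind() before connect(), the application pins the source itself, which is what ping -S relies on. The probe uses a UDP connect(), which performs the route lookup but sends no packet, and reads the result back with getsockname(). It assumes a Linux host, where all of 127/8 is attached to lo, so 127.0.0.2 is bindable without any configuration; the destination and addresses used are constructed for the demonstration. The last function checks the constraint quoted from the Bird documentation (the preferred source "has to be one of the IP addresses of the router"): a bind() to an address the host does not own fails with EADDRNOTAVAIL.

```python
import errno
import socket


def kernel_selected_source(dst: str, port: int = 53) -> str:
    """Source address the kernel picks for dst when the application
    does not bind.  UDP connect() only records the peer and runs the
    route lookup; no datagram leaves the host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst, port))
        return s.getsockname()[0]


def bound_source(dst: str, src: str, port: int = 53) -> str:
    """Source address used when the application binds src first,
    the manual equivalent of ping -S.  Port 0 asks for an ephemeral port
    so only the address part of the binding is fixed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((src, 0))
        s.connect((dst, port))
        return s.getsockname()[0]


def can_bind(src: str) -> bool:
    """True if src is a local address the kernel will let a socket bind.
    A non-local address fails with EADDRNOTAVAIL, which is the same
    constraint the routing-table hints impose (the preferred source must
    be one of the router's own addresses)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((src, 0))
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:
                return False
            raise
        return True


if __name__ == "__main__":
    # Constructed inputs: a loopback destination and a loopback alias
    # that exists on Linux without configuration.
    dst = "127.0.0.5"
    print("kernel-selected source for", dst, "->", kernel_selected_source(dst))
    print("bound source for", dst, "->", bound_source(dst, "127.0.0.2"))
    print("can bind 127.0.0.1:", can_bind("127.0.0.1"))
    print("can bind 192.0.2.1 (TEST-NET-1, not local):", can_bind("192.0.2.1"))
```

The same probe is useful when testing a route "src" hint or FreeBSD's -ifa: point kernel_selected_source() at a destination covered by the route and check whether the returned address matches the configured one, without having to capture traffic.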