Date:      Tue, 12 Dec 2017 07:15:51 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd-rwg@pdx.rh.CN85.dnsmgr.net>
To:        Jan Bramkamp <crest@rlwinm.de>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Changes to route(8) or routing between r325235 and r326782?
Message-ID:  <201712121515.vBCFFpng086723@pdx.rh.CN85.dnsmgr.net>
In-Reply-To: <2c4c5a4a-fd7c-9787-567d-a6e14e780e4c@rlwinm.de>

> On 12.12.17 03:31, Thomas Steen Rasmussen wrote:
> > Hello list :)
> > 
> > "Something" which changes how routing works has landed in 11-STABLE
> > between r325235 and r326782.
> > 
> > Until now I have had a script which deletes routing table entries which
> > point to lo0, in order to keep traffic from "shortcutting" over lo0, to
> > make it possible to use pf to filter traffic between jails. This script
> > has worked for years, but has now stopped working after upgrading from
> > r325235 to r326782. Can someone enlighten me as to what changed, and why?
> > 
> > Background/example: I add 185.96.180.10/32 as an alias on an interface,
> > lagg0.1171. This creates two routing table entries:
> > 
> > 185.96.180.10     link#11           UHS        lo0
> > 185.96.180.10/32  link#11           U     lagg0.1171
> > 
> > If I leave this as-is the traffic from other jails uses lo0 to reach
> > 185.96.180.10 meaning they bypass pf entirely. To avoid this I simply
> > delete the route on lo0, which makes stuff behave as I would expect -
> > traffic to 185.96.180.10 goes via lagg0.1171 meaning I can filter in pf
> > as needed.
> > 
> > After upgrading to r326782 I get the following error when trying to
> > delete the lo0 entry (I have an rc.d script to do it):
> > 
> > $ sudo route delete 185.96.180.10
> > route: writing to routing socket: Address already in use
> > delete host 185.96.180.10 fib 0: gateway uses the same route
> > $
> > 
> > What gives? What do I do now? :)
> 
> The FreeBSD kernel had a bug that you relied on. The bug got fixed and 
> the fix broke your script. The proper solution is to filter on lo0. I 
> suspect that your pf.conf includes "skip on lo0"; replace this by the
> filtering you want to apply to traffic on lo0. Putting those rules in an 
> anchor block probably will make your ruleset a lot easier to maintain.

The FreeBSD kernel now has a BIGGER bug, it now totally ignores the
user's specified routing policy and makes routing policy decisions
of its own, thinking that it knows what is best for the user.

The whole maintain_loopback_route should be KILLED from the kernel,
it is simply the wrong thing to be doing.

-- 
Rod Grimes                                                 rgrimes@freebsd.org
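
An added example, not part of the original messages: a Python check for the condition discussed in this thread, where a host route for a local alias points at lo0 while pf.conf exempts lo0 from filtering, so traffic between jails to that address is never seen by pf. The routing table and pf.conf text are constructed samples (only the two 185.96.180.10 entries come from the thread), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of `netstat -rn -f inet`.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            185.96.180.1       UGS    lagg0.1171
127.0.0.1          link#2             UH          lo0
185.96.180.10      link#11            UHS         lo0
185.96.180.10/32   link#11            U      lagg0.1171
"""

# Constructed pf.conf fragment.
SAMPLE_PF_CONF = """\
# loopback is exempt from filtering
set skip on { lo0 }
pass in on lagg0.1171 proto tcp to 185.96.180.10 port 443
"""

def lo0_host_routes(netstat_text):
    """Return non-loopback host addresses whose route points at lo0."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, _gateway, flags, netif = fields[:4]
        if netif != "lo0" or "H" not in flags:
            continue
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:  # header line, "default", prefixes
            continue
        if not addr.is_loopback:
            hits.append(dest)
    return hits

def pf_skips_lo0(pf_conf_text):
    """True if an uncommented `set skip on ...` line names lo0."""
    for line in pf_conf_text.splitlines():
        line = line.split("#", 1)[0]
        m = re.match(r"\s*set\s+skip\s+on\s+(.+)", line)
        if m and "lo0" in re.split(r"[\s{},]+", m.group(1)):
            return True
    return False

def unfiltered_local_addresses(netstat_text, pf_conf_text):
    """Addresses reached via lo0 that pf will not filter."""
    return lo0_host_routes(netstat_text) if pf_skips_lo0(pf_conf_text) else []
```
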


