From owner-freebsd-net@FreeBSD.ORG Wed Dec 3 11:05:07 2008
Date: Wed, 3 Dec 2008 11:03:05 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Frank Behrens
Cc: freebsd-net@freebsd.org
Subject: Re: Problem with new source address selection
Message-ID: <20081203104040.D80401@maildrop.int.zabbadoz.net>
In-Reply-To: <200811280653.mAS6r1P3014050@post.behrens.de>
References: <200811271542.mARFgglB004902@post.behrens.de> <200811280653.mAS6r1P3014050@post.behrens.de>

On Fri, 28 Nov 2008, Frank Behrens wrote:

Hi,

> Bjoern A. Zeeb wrote on 27 Nov 2008 16:47:
>>> Now I want to tunnel between my 192.168.90.0/24 and a foreign
>>> 192.168.200.0/24. So I assigned 192.168.90.254/32 to lo2 and created
>>> a static route.
>>
>> So if you don't mind to go out with a source address of 192.168.90.1
>> instead of .254, what about this hack. What happens if you change the
>> route to
>> route change -net 192.168.200.0/24 192.168.90.2
>> (assuming the .2 is not on your local machine).
>
> That works for the router, but for incoming packets on the internal
> interface (from -net 192.168.90.0/24) the machine will send an ICMP
> redirect to new router 192.168.90.2. Of course that is a black hole.
> When I use the route to own interface address
> (route change -net 192.168.200.0/24 192.168.90.1) it works, but also
> for every incoming packet an ICMP redirect is sent. So that solution
> is a workaround for short time only.

You can disable icmp redirects entirely but not sure if something else
would stop working in your network topology then.

sysctl net.inet.ip.redirect

> Does anybody have a better solution for source address selection? Am
> I the only one with an IPSEC tunnel?
The best solution actually is to teach your application to bind for
this connection I guess instead of relying on any hack.

When it comes to the source address selection I am tempted to answer
with: I am willing to still allow this in 7 to not break production
setups but I am inclined to not change HEAD and keep the behavior
dropped there.

See patch below, which basically is what you had with the version
check and the if (ia == NULL) check to not blindly overwrite if we had
found anything closer (untested). Currently trying to discuss this
with people.

------------------------------------------------------------------------
Index: sys/netinet/in_pcb.c
===================================================================
--- sys/netinet/in_pcb.c	(revision 185571)
+++ sys/netinet/in_pcb.c	(working copy)
@@ -696,6 +696,10 @@
 		ia = ifatoia(ifa_ifwithnet(sintosa(&sain)));
 		if (cred == NULL || !jailed(cred)) {
+#if __FreeBSD_version < 800000
+			if (ia == NULL)
+				ia = (struct in_ifaddr *)sro.ro_rt->rt_ifa;
+#endif
 			if (ia == NULL) {
 				error = ENETUNREACH;
 				goto done;
------------------------------------------------------------------------

/bz

-- 
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.
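Review bot: the added fallback `ia = (struct in_ifaddr *)sro.ro_rt->rt_ifa;` dereferences `sro.ro_rt` with no NULL check visible in the hunk; unless the code above this point already guarantees a route was found, guard it (`if (ia == NULL && sro.ro_rt != NULL)`) so the 7.x path cannot fault where HEAD would return ENETUNREACH. The `#if __FreeBSD_version < 800000` block also wants a one-line comment stating why it exists (keep the old 7.x behaviour of falling back to the route's interface address only when no closer address was found), since the mail says this is meant for 7 only and not for HEAD, and the intent is otherwise lost on anyone reading the file later. The patch is marked untested; the route-to-own-interface-address case from the thread is the one to exercise before committing.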
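The "teach your application to bind for this connection" suggestion, as an added example that is not part of the mail or of FreeBSD's code: a POSIX sockets routine that binds the outgoing socket to an explicit source address (port 0, so the kernel still picks an ephemeral port) before connect(2), then reads back via getsockname(2) which local address the kernel actually used. The function and variable names are mine; the self-check only uses 127.0.0.1 so it runs anywhere, whereas the admin in the thread would pass the lo2 alias 192.168.90.254 as `src`.

```c
/*
 * Added example (not from the mail or FreeBSD sources): bind an
 * outgoing TCP connection to a chosen source address so the kernel's
 * source-address selection in in_pcbladdr() is never consulted.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Start a TCP listener on 127.0.0.1 with an ephemeral port.
 * Returns the listening fd (or -1) and writes the port to *port. */
int start_loopback_listener(uint16_t *port)
{
	int fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd < 0)
		return -1;
	struct sockaddr_in sin;
	memset(&sin, 0, sizeof sin);
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	sin.sin_port = 0;
	if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
	    listen(fd, 1) < 0) {
		close(fd);
		return -1;
	}
	socklen_t len = sizeof sin;
	if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
		close(fd);
		return -1;
	}
	*port = ntohs(sin.sin_port);
	return fd;
}

/* Connect to dst:port.  If src is non-NULL, bind to that address first
 * (port 0 = let the kernel choose the local port).  On success the
 * local address the kernel reports for the connection is written to
 * out and 0 is returned; -1 on any failure. */
int connect_from(const char *src, const char *dst, uint16_t port,
    char *out, size_t outlen)
{
	int fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd < 0)
		return -1;
	struct sockaddr_in sin;
	if (src != NULL) {
		memset(&sin, 0, sizeof sin);
		sin.sin_family = AF_INET;
		sin.sin_port = 0;	/* fixed address, ephemeral port */
		if (inet_pton(AF_INET, src, &sin.sin_addr) != 1 ||
		    bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
			close(fd);
			return -1;
		}
	}
	memset(&sin, 0, sizeof sin);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	if (inet_pton(AF_INET, dst, &sin.sin_addr) != 1 ||
	    connect(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
		close(fd);
		return -1;
	}
	/* Ask the kernel which local address it ended up using. */
	socklen_t len = sizeof sin;
	if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
		close(fd);
		return -1;
	}
	close(fd);
	if (inet_ntop(AF_INET, &sin.sin_addr, out, (socklen_t)outlen) == NULL)
		return -1;
	return 0;
}

/* Loopback self-check: 0 if the bound source address is what the
 * kernel reports for the connection, 1 on mismatch, -1 on error. */
int demo_loopback(void)
{
	uint16_t port;
	int lfd = start_loopback_listener(&port);
	if (lfd < 0)
		return -1;
	char local[INET_ADDRSTRLEN];
	int rc = connect_from("127.0.0.1", "127.0.0.1", port, local,
	    sizeof local);
	close(lfd);
	if (rc != 0)
		return -1;
	return strcmp(local, "127.0.0.1") == 0 ? 0 : 1;
}

int main(void)
{
	int rc = demo_loopback();
	printf("bound source address honoured: %s\n", rc == 0 ? "yes" : "no");
	return rc == 0 ? 0 : 1;
}
```

Passing `NULL` as `src` gives the default behaviour the thread is complaining about (the kernel picks the source address from the route), so the two calls can be compared side by side on a real multi-address host.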