Date: Tue, 22 Apr 2014 18:37:14 +0200
From: Harald Schmalzbauer <h.schmalzbauer@omnilan.de>
To: freebsd-stable@freebsd.org
Cc: freebsd-net@freebsd.org
Subject: Deleting IPv4 iface-routes from extra FIBs
Message-ID: <53569ABA.60007@omnilan.de>

Hello,

here, http://svnweb.freebsd.org/base?view=revision&revision=248895 interface route protection was added (so the following problem arose with 9.2).
Unfortunately, in my case, I must be able to delete these routes; not in the default FIB, but in jail's fibs, because:
· Host is multihomed with multiple nics in different subnets.
· Jail's IP (no vnet) is from a different subnet than host's default-router subnet – jail has no ip in the range of host's default-router!!!
· FIB used by jail contains valid default-router.

Problem:
If iface-routes exist in jail's FIB, answer-packets take the iface-shortcut, not trespassing the router (default gateway); hence 3way-handshake never finishes and firewall terminates (half-opened) TCP sessions.

Workaround:
· Abuse packet filter doing some kind of route-to…
· Revert r248895, to be able to delete v4-iface-routes (inet6-routes can be deleted without any hack)

Desired solution:
· Allow deletion of v4-iface-routes if FIB!=0.

Unfortunately my C skills don't allow me to implement this myself :-( I can't even follow the code, I guess that was originally considered, but possibly doesn't work because of a simple bug?!? I took the lazy way and simply reverted r248895 instead of trying to understand rtrequest1_fib(). I wish I had the time to learn…

Thanks for any help,

-Harry
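
Added example, not part of the original message: a small Python model of the route lookup in the jail's FIB, showing why the reply bypasses the router while the interface route is present and why a stateful firewall then only ever sees half of the handshake. The addresses, interface names, helper names and the assumption that the FIB's default router is the firewall the request arrived through are constructed for illustration.

```python
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def build_fib(iface_routes, default_gw):
    """Model one FIB: connected (interface) routes plus a default route."""
    fib = {ipaddress.ip_network(p): ("link", ifname)
           for p, ifname in iface_routes.items()}
    fib[DEFAULT] = ("gateway", default_gw)
    return fib

def lookup(fib, dst):
    """Longest-prefix match, as a routing table lookup does."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net in fib if addr in net),
               key=lambda net: net.prefixlen)
    return fib[best]

def delete_iface_route(fib, prefix):
    """Return a copy of the FIB without the given interface route."""
    net = ipaddress.ip_network(prefix)
    if fib.get(net, ("", ""))[0] != "link":
        raise KeyError(f"{prefix} is not an interface route in this FIB")
    return {n: hop for n, hop in fib.items() if n != net}

def reply_is_symmetric(fib, client, inbound_router):
    """True if the reply to `client` leaves via the router the request came through."""
    return lookup(fib, client) == ("gateway", inbound_router)

# Constructed topology (RFC 5737 documentation addresses):
#   em0 192.0.2.0/24     host's default-router subnet, client 192.0.2.50
#   em1 198.51.100.0/24  jail 198.51.100.10, firewall/router 198.51.100.1
JAIL_FIB = build_fib({"192.0.2.0/24": "em0", "198.51.100.0/24": "em1"},
                     default_gw="198.51.100.1")
CLIENT, FIREWALL = "192.0.2.50", "198.51.100.1"

if __name__ == "__main__":
    # The /24 interface route beats the /0 default route: the reply leaves on em0.
    print("with iface route:   ", lookup(JAIL_FIB, CLIENT))
    fixed = delete_iface_route(JAIL_FIB, "192.0.2.0/24")
    # Only the default route matches now: the reply goes back through the firewall.
    print("iface route deleted:", lookup(fixed, CLIENT))
```
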