From: Chris Smith
Date: Thu, 24 Apr 2014 09:56:01 +1200
To: freebsd-net@freebsd.org
Subject: Re: Deleting IPv4 iface-routes from extra FIBs
Message-ID: <535836F1.5070508@nevermind.co.nz>
In-Reply-To: <535771F3.4070007@freebsd.org>
References: <53569ABA.60007@omnilan.de> <535771F3.4070007@freebsd.org>

On 23/04/14 19:55, Julian Elischer wrote:
> On 4/23/14, 4:38 AM, Nikolay Denev wrote:
>> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer wrote:
>>> Hello,
>>>
>>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>>> interface route protection was added (so the following problem arose
>>> with 9.2).
>>>
>>> Unfortunately, in my case, I must be able to delete these routes; not in
>>> the default FIB, but in jail's FIBs, because:
>>> · Host is multihomed with multiple NICs in different subnets.
>>> · Jail's IP (no vnet) is from a different subnet than host's
>>> default-router subnet – jail has no IP in the range of host's
>>> default-router!!!
>>> · FIB used by jail contains valid default-router.
>>>
>>> Problem:
>>> If iface-routes exist in jail's FIB, answer-packets take the
>>> iface-shortcut, not trespassing the router (default gateway); hence the
>>> 3-way handshake never finishes and the firewall terminates (half-opened)
>>> TCP sessions.
>>>
>>> Workaround:
>>> · Abuse packet filter doing some kind of route-to…
>>> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes can
>>> be deleted without any hack)
>>>
>>> Desired solution:
>>> · Allow deletion of v4-iface-routes if FIB!=0.
>>>
>>> Unfortunately my C skills don't allow me to implement this myself :-(
>>> I can't even follow the code, I guess that was originally considered,
>>> but possibly doesn't work because of a simple bug?!? I took the lazy way
>>> and simply reverted r248895 instead of trying to understand
>>> rtrequest1_fib(). I wish I had the time to learn…
>>>
>>> Thanks for any help,
>>>
>>> -Harry
>>>
>> Hi,
>>
>> As it was suggested before, as an immediate workaround you can set
>> net.add_addr_allfibs=0 so that the interface routes are added only in
>> the default FIB.
>
> Yes, we made two behaviours:
> add interface routes to all active FIBs, or only add them to the first
> FIB and let the user populate other FIBs as needed.
> It appears you want the second behaviour, so I suggest you use that
> option and set up all your routes manually.
>

Ah, this explains a thing or two. So when allfibs=0 and an interface is
brought up, it's added to the first FIB automatically (and cannot be
removed). Is there a way to change which FIB the interface route is
brought up on? I tried 'setfib x ifconfig ....' which didn't work.

Failing that, is there a way to change the system's global FIB without
having to run every service with setfib?

Basically, the behaviour I want is for interface routes to be brought up
on NO FIBs, and to manually add them to the FIBs I need them on.

>>
>> --Nikolay
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
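A verification step for the situation discussed in this thread, added here as an example and not part of the original mail: it parses the text of `netstat -rnF <fib>` for a jail's FIB and lists the interface (link#) routes other than the jail's own subnet, since those are the routes that let replies bypass the default gateway. The routing-table text below is constructed sample data in the FreeBSD 10 layout, not output from any host mentioned in the thread; the function names are my own.

```sh
#!/bin/sh
# Constructed sample of `netstat -rnF 1` output (FreeBSD 10 layout) for a
# jail FIB. 192.0.2.0/24 is the jail's own subnet; 198.51.100.0/24 is a
# second host NIC whose interface route leaked into this FIB.
SAMPLE_FIB1='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags    Netif Expire
default            192.0.2.1          UGS         em1
192.0.2.0/24       link#2             U           em1
198.51.100.0/24    link#1             U           em0
192.0.2.10         link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0'

# fib_iface_routes TABLE
# Print the destination prefixes whose gateway is an interface (link#N)
# and which are network routes (no H flag): these are the iface-routes
# that short-cut past the default gateway.
fib_iface_routes() {
    printf '%s\n' "$1" | awk '$2 ~ /^link#/ && $3 !~ /H/ { print $1 }'
}

# fib_has_default TABLE
# Succeed (exit 0) if the FIB carries a default route via a gateway (G flag).
fib_has_default() {
    printf '%s\n' "$1" |
        awk '$1 == "default" && $3 ~ /G/ { found = 1 } END { exit !found }'
}

# stray_iface_routes TABLE JAIL_PREFIX
# Print interface routes other than the jail's own prefix. Any output here
# means replies to those subnets will not traverse the default router, the
# asymmetric-path condition that leaves half-open TCP sessions behind.
stray_iface_routes() {
    printf '%s\n' "$1" |
        awk -v keep="$2" '$2 ~ /^link#/ && $3 !~ /H/ && $1 != keep { print $1 }'
}

# Stand-alone usage: on a FreeBSD host replace SAMPLE_FIB1 with
# "$(netstat -rnF "$JAIL_FIB")" and pass the jail's subnet.
if [ -z "$FIB_CHECK_NO_MAIN" ]; then
    fib_has_default "$SAMPLE_FIB1" && echo "fib 1: default route present"
    strays=$(stray_iface_routes "$SAMPLE_FIB1" 192.0.2.0/24)
    [ -n "$strays" ] && echo "fib 1: stray interface routes:" "$strays"
fi
```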