Date:      Thu, 24 Apr 2014 14:35:32 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        Chris Smith <chris@nevermind.co.nz>, freebsd-net@freebsd.org
Subject:   Re: Deleting IPv4 iface-routes from extra FIBs
Message-ID:  <5358B0B4.4070805@freebsd.org>
In-Reply-To: <535836F1.5070508@nevermind.co.nz>
References:  <53569ABA.60007@omnilan.de> <CA%2BP_MZH_iScuJ4S=xiKocnEwTzT1eRJPNpJKbboZDfG3B=TBzA@mail.gmail.com> <535771F3.4070007@freebsd.org> <535836F1.5070508@nevermind.co.nz>

On 4/24/14, 5:56 AM, Chris Smith wrote:
> On 23/04/14 19:55, Julian Elischer wrote:
>> On 4/23/14, 4:38 AM, Nikolay Denev wrote:
>>> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer
>>> <h.schmalzbauer@omnilan.de> wrote:
>>>> Hello,
>>>>
>>>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>>>> interface route protection was added (so the following problem arose
>>>> with 9.2).
>>>>
>>>> Unfortunately, in my case, I must be able to delete these routes;
>>>> not in the default FIB, but in jail's fibs, because:
>>>> · Host is multihomed with multiple nics in different subnets.
>>>> · Jail's IP (no vnet) is from a different subnet than host's
>>>> default-router subnet – jail has no ip in the range of host's
>>>> default-router!!!
>>>> · FIB used by jail contains valid default-router.
>>>>
>>>> Problem:
>>>> If iface-routes exist in jail's FIB, answer-packets take the
>>>> iface-shortcut, not trespassing the router (default gateway); hence
>>>> 3way-handshake never finishes and firewall terminates (half-opened) TCP
>>>> sessions.
>>>>
>>>> Workaround:
>>>> · Abuse packet filter doing some kind of route-to…
>>>> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes
>>>> can be deleted without any hack)
>>>>
>>>> Desired solution:
>>>> · Allow deletion of v4-iface-routes if FIB!=0.
>>>>
>>>> Unfortunately my C skills don't allow me to implement this myself :-(
>>>> I can't even follow the code, I guess that was originally considered,
>>>> but possibly doesn't work because of a simple bug?!? I took the lazy
>>>> way and simply reverted r248895 instead of trying to understand
>>>> rtrequest1_fib(). I wish I had the time to learn…
>>>>
>>>> Thanks for any help,
>>>>
>>>> -Harry
>>>>
>>> Hi,
>>>
>>> As it was suggested before as immediate workaround you can set
>>> net.add_addr_allfibs=0 so that the interface routes are added only in
>>> the default FIB.
>> yes, we made two behaviours.
>> Add interface routes to all active FIBS or only add them to the first
>> fib and let the user populate other fibs as needed.
>> It appears you want the second behaviour, so I suggest you use that
>> option and set up all your routes manually.
>>
> Ah, this explains a thing or two.
>
> So when allfibs=0 and an interface is brought up, it's added to the first
> FIB automatically (and cannot be removed).
>
> Is there a way to change which fib the interface route is brought up on?
> I tried to 'setfib x ifconfig ....' which didn't work.
>
> Failing that, is there a way to change the system's global FIB without
> having to run every service with setfib? Basically, the behaviour I want
> is for interface routes to be brought up on NO fibs, and manually add
> them to the fibs I need it on.
>
>
I wrote the multi-fib code to "scratch my own itch" but I tried
to imagine what other people might want to use it for.
However one can never predict that with complete success.
Since then we have added interface fibs, but I think that still needs
some work.
Don't feel shy about making suggestions and putting forward patches.
Even an addition to the man pages to explain the current behaviour
more fully would be a good addition.
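
[Editor's added example, not part of the thread or of FreeBSD's own code.] The "second behaviour" Julian describes, net.add_addr_allfibs=0 plus hand-populated FIBs, is what solves Harald's case: FIB 1 gets a route for the jail's own subnet and a default via that subnet's router, and nothing for the host's default-router subnet, so the jail's replies cannot take the interface shortcut. The script below lays that out as it would be typed on a FreeBSD 9.2/10 host. Interface name, addresses (RFC 5737 documentation ranges), the jail name and the use of sysrc(8) to persist settings are assumptions; DRY_RUN=1 (the default) only prints the commands so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Interface routes land only in FIB 0
# (net.add_addr_allfibs=0) and the jail's FIB is populated by hand, so the
# jail has no shortcut route into the host's default-router subnet and its
# replies go back through the router. Names/addresses below are hypothetical.
set -eu

JAIL_FIB=1
JAIL_IF=em1                # NIC carrying the jail's subnet (assumed)
JAIL_NET=198.51.100.0/24   # jail's subnet (assumed)
JAIL_GW=198.51.100.1       # router/firewall in the jail's subnet (assumed)
HOST_NET=192.0.2.0/24      # host's default-router subnet; must NOT appear in FIB 1

# DRY_RUN=1 prints each command instead of running it, so the plan can be
# reviewed (and this script exercised) on a machine that is not the FreeBSD host.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# route(8) scoped to one FIB via setfib(1); the first argument is the FIB number.
fib_route() {
    _fib=$1; shift
    run setfib "$_fib" route "$@"
}

# 1. net.fibs is a loader tunable on 9.x/10.0: FIB 1 only exists after a reboot
#    with it set, so persist it in loader.conf (FIB numbers are 0-based).
ensure_fibs() {
    run sysrc -f /boot/loader.conf "net.fibs=$((JAIL_FIB + 1))"
}

# 2. Switch to "interface routes go to FIB 0 only". It must be in effect before
#    the interfaces are configured, so persist it in sysctl.conf as well.
disable_allfibs() {
    run sysctl net.add_addr_allfibs=0
    run sysrc -f /etc/sysctl.conf net.add_addr_allfibs=0
}

# 3. Populate the jail FIB with exactly two routes: its own subnet on its NIC
#    (so the gateway is resolvable when the default is added) and a default via
#    that subnet's router. Nothing is added for HOST_NET; that is the point.
populate_jail_fib() {
    fib_route "$JAIL_FIB" add -net "$JAIL_NET" -iface "$JAIL_IF"
    fib_route "$JAIL_FIB" add default "$JAIL_GW"
}

# 4. Live check: a lookup for a host in HOST_NET from the jail FIB must resolve
#    to the router, not to the host's own NIC. Only meaningful on the FreeBSD host.
check_no_shortcut() {
    [ "$DRY_RUN" = 1 ] && return 0
    _probe=${HOST_NET%.0/*}.5
    setfib "$JAIL_FIB" route -n get "$_probe" | grep -q "gateway: $JAIL_GW"
}

ensure_fibs
disable_allfibs
populate_jail_fib
check_no_shortcut
# Run the jail's processes in that FIB (exec.fib = 1; in jail.conf does the same).
run setfib "$JAIL_FIB" service jail start myjail
```

With DRY_RUN=0 the same script executes the commands; `setfib 1 netstat -rn -f inet` afterwards should list only the jail subnet and the default route, and `setfib 1 route -n get` for any address in the host's subnet should report the router as gateway.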

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5358B0B4.4070805>