Date: Thu, 24 Apr 2014 12:44:00 -0600
From: Alan Somers <asomers@freebsd.org>
To: "Alexander V. Chernikov" <melifaro@freebsd.org>
Cc: FreeBSD Net <freebsd-net@freebsd.org>, Chris Smith <chris@nevermind.co.nz>
Subject: Re: Deleting IPv4 iface-routes from extra FIBs
Message-ID: <CAOtMX2jcHgn5TgGrwkDGf2g-_e-tmNVWgnPP4zhyW6uG3o3kCQ@mail.gmail.com>
In-Reply-To: <5358AE0A.6000707@FreeBSD.org>
References: <53569ABA.60007@omnilan.de> <CA+P_MZH_iScuJ4S=xiKocnEwTzT1eRJPNpJKbboZDfG3B=TBzA@mail.gmail.com> <535771F3.4070007@freebsd.org> <535836F1.5070508@nevermind.co.nz> <5358AE0A.6000707@FreeBSD.org>
On Thu, Apr 24, 2014 at 12:24 AM, Alexander V. Chernikov <melifaro@freebsd.org> wrote:
> On 24.04.2014 01:56, Chris Smith wrote:
>> On 23/04/14 19:55, Julian Elischer wrote:
>>> On 4/23/14, 4:38 AM, Nikolay Denev wrote:
>>>> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer
>>>> <h.schmalzbauer@omnilan.de> wrote:
>>>>> Hello,
>>>>>
>>>>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>>>>> interface route protection was added (so the following problem arose
>>>>> with 9.2).
>>>>>
>>>>> Unfortunately, in my case, I must be able to delete these routes;
>>>>> not in the default FIB, but in jail's fibs, because:
>>>>> · Host is multihomed with multiple nics in different subnets.
>>>>> · Jail's IP (no vnet) is from a different subnet than host's
>>>>> default-router subnet – jail has no ip in the range of host's
>>>>> default-router!!!
>>>>> · FIB used by jail contains valid default-router.
>>>>>
>>>>> Problem:
>>>>> If iface-routes exist in jail's FIB, answer-packets take the
>>>>> iface-shortcut, not trespassing the router (default gateway); hence
>>>>> 3way-handshake never finishes and firewall terminates (half-opened) TCP
>>>>> sessions.
>>>>>
>>>>> Workaround:
>>>>> · Abuse packet filter doing some kind of route-to…
>>>>> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes
>>>>> can be deleted without any hack)
>>>>>
>>>>> Desired solution:
>>>>> · Allow deletion of v4-iface-routes if FIB!=0.
>>>>>
>>>>> Unfortunately my C skills don't allow me to implement this myself :-(
>>>>> I can't even follow the code, I guess that was originally considered,
>>>>> but possibly doesn't work because of a simple bug?!? I took the lazy
>>>>> way and simply reverted r248895 instead of trying to understand
>>>>> rtrequest1_fib(). I wish I had the time to learn…
>>>>>
>>>>> Thanks for any help,
>>>>>
>>>>> -Harry
>>>>>
>>>> Hi,
>>>>
>>>> As it was suggested before as immediate workaround you can set
>>>> net.add_addr_allfibs=0 so that the interface routes are added only in
>>>> the default FIB.
>>>
>>> yes, we made two behaviours.
>>> Add interface routes to all active FIBS or only add them to the first
>>> fib and let the user populate other fibs as needed.
>>> It appears you want the second behaviour, so I suggest you use that
>>> option and set up all your routes manually.
>>>
>> Ah, this explains a thing or two.
>
> There is ongoing work to
> 1) make fibs/allfibs=0 work better
> 2) Move forward to make allfibs=0 the default value.
>>
>> So when allfibs=0 and an interface is brought up, it's added to the first
>> FIB automatically (and cannot be removed).
>>
>> Is there a way to change which fib the interface route is brought up on?
>> I tried to 'setfib x ifconfig ....' which didn't work.
> This will be fixed in near future. Fixed in CURRENT by change 264887.
>>
>> Failing that, is there a way to change the system's global FIB without
>> having to run every service with setfib? Basically, the behaviour I want
>> is for interface routes to be brought up on NO fibs, and manually add
>> them to the fibs I need it on.
> If ifconfig_ifaceX="fib X inet 1.2.3.4/30" works as expected (changes
> interface fib to chosen one and announces interface route and host route
> in this particular fib) - does this sound OK to you?
>>
>>>>
>>>> --Nikolay
>>>> _______________________________________________
>>>> freebsd-net@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
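Worked example, added here by the editor and not code from anyone in the thread: a script for the approach Nikolay and Julian describe, net.add_addr_allfibs=0 so interface routes land only in FIB 0, then a jail FIB populated by hand. The jail's FIB gets exactly two routes, a host route to the jail subnet's router as a directly attached neighbour and a default route through it, so no connected-subnet route for the host's other NICs exists there and a reply to a client on one of those subnets has to cross the router (and the stateful firewall) instead of taking the interface shortcut. FIB 1, interface em1, jail address 10.0.2.5/24 and router 10.0.2.1 are assumed for illustration; sysctl(8), ifconfig(8), setfib(1) and route(8) with its -iface modifier are FreeBSD's own, while the run/DRYRUN wrapper is the example's.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): populate a jail's FIB by
# hand when net.add_addr_allfibs=0.  Interface, FIB number and addresses
# below are assumed for illustration.

DRYRUN=${DRYRUN:-0}

# run CMD...: execute CMD, or print it instead of running it when DRYRUN=1
# (lets the generated commands be reviewed before touching a live box).
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# jail_fib_setup FIB IFACE ADDR/PREFIX ROUTER
#   FIB          routing table the jail will run under (1 .. net.fibs-1)
#   IFACE        host NIC attached to the jail's subnet
#   ADDR/PREFIX  the non-vnet jail's address, aliased onto IFACE
#   ROUTER       the jail subnet's router, directly reachable on IFACE
jail_fib_setup() {
    fib=$1; iface=$2; addr=$3; router=$4

    # From now on interface routes are added to FIB 0 only.  Put the same
    # line in /etc/sysctl.conf so addresses configured at boot behave the
    # same way.
    run sysctl net.add_addr_allfibs=0

    # Alias the jail's address.  With allfibs=0 the resulting
    # connected-subnet route appears in FIB 0 and nowhere else.
    run ifconfig "$iface" inet "$addr" alias

    # FIB $fib starts empty.  Two routes only: the router as a directly
    # attached host (ARP works without a subnet route), and a default
    # route through it.  The host's other connected subnets are
    # deliberately absent, so replies cannot bypass the router.
    run setfib "$fib" route add -host "$router" -iface "$iface"
    run setfib "$fib" route add default "$router"
}

# Usage: DRYRUN=1 sh jailfib.sh 1 em1 10.0.2.5/24 10.0.2.1
if [ $# -eq 4 ]; then
    jail_fib_setup "$@"
fi
```

Start the jail under that table (setfib 1 jail ..., or exec.fib=1 in jail.conf) and confirm with netstat -rn -F 1 that the table holds only the host route, the default route and whatever the kernel adds for the jail's own address; if a connected route for one of the host's other subnets shows up there, add_addr_allfibs was still 1 when that interface was configured.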