From owner-freebsd-net@FreeBSD.ORG Thu Apr 24 18:44:02 2014
From: Alan Somers
Sender: asomers@gmail.com
To: "Alexander V. Chernikov"
Cc: FreeBSD Net, Chris Smith
Date: Thu, 24 Apr 2014 12:44:00 -0600
Subject: Re: Deleting IPv4 iface-routes from extra FIBs
In-Reply-To: <5358AE0A.6000707@FreeBSD.org>
References: <53569ABA.60007@omnilan.de> <535771F3.4070007@freebsd.org> <535836F1.5070508@nevermind.co.nz> <5358AE0A.6000707@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD
Content-Type: text/plain; charset=UTF-8

On Thu, Apr 24, 2014 at 12:24 AM, Alexander V. Chernikov wrote:
> On 24.04.2014 01:56, Chris Smith wrote:
>> On 23/04/14 19:55, Julian Elischer wrote:
>>> On 4/23/14, 4:38 AM, Nikolay Denev wrote:
>>>> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer wrote:
>>>>> Hello,
>>>>>
>>>>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>>>>> interface route protection was added (so the following problem arose
>>>>> with 9.2).
>>>>>
>>>>> Unfortunately, in my case, I must be able to delete these routes; not in
>>>>> the default FIB, but in jail's fibs, because:
>>>>> · Host is multihomed with multiple nics in different subnets.
>>>>> · Jail's IP (no vnet) is from a different subnet than host's
>>>>> default-router subnet – jail has no ip in the range of host's
>>>>> default-router!!!
>>>>> · FIB used by jail contains valid default-router.
>>>>>
>>>>> Problem:
>>>>> If iface-routes exist in jail's FIB, answer-packets take the
>>>>> iface-shortcut, not trespassing the router (default gateway); hence
>>>>> 3way-handshake never finishes and firewall terminates (half-opened) TCP
>>>>> sessions.
>>>>>
>>>>> Workaround:
>>>>> · Abuse packet filter doing some kind of route-to…
>>>>> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes can
>>>>> be deleted without any hack)
>>>>>
>>>>> Desired solution:
>>>>> · Allow deletion of v4-iface-routes if FIB!=0.
>>>>>
>>>>> Unfortunately my C skills don't allow me to implement this myself :-(
>>>>> I can't even follow the code, I guess that was originally considered,
>>>>> but possibly doesn't work because of a simple bug?!? I took the lazy way
>>>>> and simply reverted r248895 instead of trying to understand
>>>>> rtrequest1_fib(). I wish I had the time to learn…
>>>>>
>>>>> Thanks for any help,
>>>>>
>>>>> -Harry
>>>>>
>>>> Hi,
>>>>
>>>> As it was suggested before as immediate workaround you can set
>>>> net.add_addr_allfibs=0 so that the interface routes are added only in
>>>> the default FIB.
>>>
>>> yes, we made two behaviours.
>>> Add interface routes to all active FIBS or only add them to the first
>>> fib and let the user populate other fibs as needed.
>>> It appears you want the second behaviour, so I suggest you use that
>>> option and set up all your routes manually.
>>>
>> Ah, this explains a thing or two.
>
> There is ongoing work to
> 1) make fibs/allfibs=0 work better
> 2) Move forward to make allfibs=0 the default value.
>>
>> So when allfibs=0 and an interface is brought up, it's added to the first
>> FIB automatically (and cannot be removed).
>>
>> Is there a way to change which fib the interface route is brought up on?
>> I tried 'setfib x ifconfig ....' which didn't work.
> This will be fixed in the near future. Fixed in CURRENT by change 264887.
>>
>> Failing that, is there a way to change the system's global FIB without
>> having to run every service with setfib? Basically, the behaviour I want
>> is for interface routes to be brought up on NO fibs, and to manually add
>> them to the fibs I need them on.
> If ifconfig_ifaceX="fib X inet 1.2.3.4/30" works as expected (changes
> interface fib to the chosen one and announces the interface route and host
> route in this particular fib) - does this sound OK to you?
>>
>>>>
>>>> --Nikolay
>>>> _______________________________________________
>>>> freebsd-net@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
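As an added example (not part of the thread or of FreeBSD), a small POSIX sh audit that checks a jail's FIB for the IPv4 interface routes Harald describes, the ones that let replies take the "iface-shortcut" past the default gateway. The `netstat -rnF` output, interface name `em1` and `192.0.2.0/24` addresses are constructed samples so the script runs offline; on a real host you would pipe `netstat -rnF "$fib"` into `find_iface_routes`.

```shell
#!/bin/sh
# Added example, not from the thread: flag IPv4 interface routes in a
# jail's FIB. With net.add_addr_allfibs=1 (the 9.2 default) every FIB
# gets a copy of the connected subnet route, so replies bypass the
# router and the firewall never sees the handshake complete.
# Real use:  netstat -rnF "$fib" | find_iface_routes

# Print IPv4 routes whose gateway is link#N and whose flags lack G
# (i.e. connected/interface routes). Loopback host routes are skipped;
# they never forward a packet off the box.
find_iface_routes() {
    awk '
        /^Internet6:/ { exit }            # stop at the IPv6 table
        /^Internet:/  { inet = 1; next }  # only parse the IPv4 table
        inet && $2 ~ /^link#/ && $3 !~ /G/ && $4 != "lo0" { print $1 }
    '
}

# Return 0 when the FIB carries no interface routes, 1 (listing the
# offenders on stderr) when a jail FIB would short-circuit the router.
audit_fib() {
    fib=$1; routes=$2
    found=$(printf '%s\n' "$routes" | find_iface_routes)
    if [ -n "$found" ]; then
        printf 'fib %s: interface routes present:\n%s\n' "$fib" "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample: FIB 1 as copied from FIB 0 by allfibs=1.
FIB1_ALLFIBS='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em1
192.0.2.0/24       link#2             U           em1
192.0.2.10         link#2             UHS         lo0

Internet6:
::1                ::1                UH          lo0'

# Constructed sample: FIB 1 after net.add_addr_allfibs=0 followed by
# "setfib 1 route add default 192.0.2.1": only the gateway route exists.
FIB1_MANUAL='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em1'

# Demo on the samples; the exit status is the verdict for each FIB.
audit_fib 1 "$FIB1_ALLFIBS" || echo "fib 1 (allfibs=1): fix routes"
audit_fib 1 "$FIB1_MANUAL"  && echo "fib 1 (allfibs=0): clean"
```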