From: Chris Smith
To: freebsd-net@freebsd.org
Date: Fri, 25 Apr 2014 11:50:05 +1200
Subject: Re: Deleting IPv4 iface-routes from extra FIBs
Message-ID: <5359A32D.5060701@nevermind.co.nz>
References: <53569ABA.60007@omnilan.de> <535771F3.4070007@freebsd.org> <535836F1.5070508@nevermind.co.nz> <5358AE0A.6000707@FreeBSD.org> <5359977C.8000308@nevermind.co.nz>

On 25/04/14 11:15, Alan Somers wrote:
> On Thu, Apr 24, 2014 at 5:00 PM, Chris Smith wrote:
>> On 24/04/14 18:24, Alexander V. Chernikov wrote:
>>> On 24.04.2014 01:56, Chris Smith wrote:
>>>> On 23/04/14 19:55, Julian Elischer wrote:
>>>>> On 4/23/14, 4:38 AM, Nikolay Denev wrote:
>>>>>> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>>>>>>> interface route protection was added (so the following problem arose
>>>>>>> with 9.2).
>>>>>>>
>>>>>>> Unfortunately, in my case, I must be able to delete these routes;
>>>>>>> not in the default FIB, but in jails' FIBs, because:
>>>>>>> · Host is multihomed with multiple NICs in different subnets.
>>>>>>> · Jail's IP (no vnet) is from a different subnet than host's
>>>>>>>   default-router subnet – jail has no IP in the range of host's
>>>>>>>   default router!!!
>>>>>>> · FIB used by jail contains a valid default router.
>>>>>>>
>>>>>>> Problem:
>>>>>>> If iface-routes exist in jail's FIB, answer packets take the
>>>>>>> iface shortcut, not trespassing the router (default gateway); hence
>>>>>>> the 3-way handshake never finishes and the firewall terminates
>>>>>>> (half-open) TCP sessions.
>>>>>>>
>>>>>>> Workaround:
>>>>>>> · Abuse packet filter doing some kind of route-to…
>>>>>>> · Revert r248895, to be able to delete v4 iface-routes (inet6 routes
>>>>>>>   can be deleted without any hack)
>>>>>>>
>>>>>>> Desired solution:
>>>>>>> · Allow deletion of v4 iface-routes if FIB != 0.
>>>>>>>
>>>>>>> Unfortunately my C skills don't allow me to implement this myself :-(
>>>>>>> I can't even follow the code; I guess that was originally considered,
>>>>>>> but possibly doesn't work because of a simple bug?!? I took the lazy
>>>>>>> way and simply reverted r248895 instead of trying to understand
>>>>>>> rtrequest1_fib(). I wish I had the time to learn…
>>>>>>>
>>>>>>> Thanks for any help,
>>>>>>>
>>>>>>> -Harry
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> As it was suggested before, as an immediate workaround you can set
>>>>>> net.add_addr_allfibs=0 so that the interface routes are added only in
>>>>>> the default FIB.
>>>>> yes, we made two behaviours.
>>>>> Add interface routes to all active FIBs, or only add them to the first
>>>>> fib and let the user populate other fibs as needed.
>>>>> It appears you want the second behaviour, so I suggest you use that
>>>>> option and set up all your routes manually.
>>>>>
>>>> Ah, this explains a thing or two.
>>> There is ongoing work to
>>> 1) make fibs/allfibs=0 work better
>>> 2) move forward to make allfibs=0 the default value.
>>>> So when allfibs=0 and an interface is brought up, it's added to the first
>>>> FIB automatically (and cannot be removed).
>>>>
>>>> Is there a way to change which fib the interface route is brought up on?
>>>> I tried 'setfib x ifconfig ....' which didn't work.
>>> This will be fixed in the near future.
>>>> Failing that, is there a way to change the system's global FIB without
>>>> having to run every service with setfib? Basically, the behaviour I want
>>>> is for interface routes to be brought up on NO fibs, and to manually add
>>>> them to the fibs I need them on.
>>> If ifconfig_ifaceX="fib X inet 1.2.3.4/30" works as expected (changes
>>> interface fib to the chosen one and announces interface route and host
>>> route in this particular fib) - does this sound OK to you?
>> Yes, this sounds good.
>>
>> If I'm not mistaken the interface FIB only makes sense when the system is
>> routing? Because the issue I have is that SYN-ACKs from services are being
>> routed via the wrong interfaces and interface FIBs do not appear to affect
>> that.
> The interface FIB is used when forwarding packets and when creating
> the initial subnet and host routes when you assign an interface
> address. It's not used for outbound traffic (except in that it
> determines where the host and subnet routes get created). There are
> several other FIB bugs that I'm actively working on. kern/187553
> might be related to your problem; it would be great if you could make
> a test case.

The connections I've been testing with are TCP (SSH and Netcat). However, this:

ifconfig bge0 fib 1 10.0.0.1/24

adds the interface route to FIB 0 and nothing to FIB 1.

FreeBSD 10 RELEASE amd64

>> Allowing interface routes on different FIBs will fix that, I think. Or being
>> able to remove interface routes from a FIB.
>>
>> In the meantime, I will probably use FIBs (as opposed to vnet) for my
>> jails, but find a way to run the host's SSHd with a specific FIB. Any easy
>> way to do that? Or to specify a system "default FIB" other than 0?
> In FreeBSD 10 you can put "sshd_fib=1" in /etc/rc.conf to change that
> process's fib. That will affect the routing of sshd's outbound
> packets. If you also want to limit which interfaces sshd listens on,
> you can do that with pf or by setting the ListenAddress in
> sshd_config.
>
> -Alan
>
>>>>>> --Nikolay
>>>>>> _______________________________________________
>>>>>> freebsd-net@freebsd.org mailing list
>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
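The routing decision Harald describes (interface routes copied into the jail's FIB by net.add_addr_allfibs=1 make the SYN-ACK take the interface shortcut and bypass the router that saw the SYN) is easy to reproduce as a longest-prefix-match model. The following is an added example written for this page, not code from FreeBSD or from anyone in the thread: the interface names bge0/bge1, the 192.0.2.0/24 and 198.51.100.0/24 subnets, the router address and the two FIB layouts are constructed assumptions that stand in for the multihomed host, the jail subnet and the jail's default route. The model implements only longest-prefix-match; it does not reproduce the kernel's per-interface FIB or the route-protection check from r248895.

```python
"""Longest-prefix-match model of two ways of populating a jail's FIB on a
multihomed FreeBSD host.  Added example, not code from FreeBSD or from the
mailing-list thread; topology and addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                      # outgoing interface
    gateway: Optional[str] = None   # None means directly connected (interface route)


class Fib:
    """One forwarding table.  Lookup is longest-prefix-match, as in the kernel."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, iface: str, gateway: Optional[str] = None) -> "Fib":
        self.routes.append(Route(ipaddress.ip_network(prefix), iface, gateway))
        return self

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def next_hop(fib: Fib, dst: str) -> Optional[Tuple[str, str]]:
    """Where a packet to dst leaves the host: ('direct', iface) for an interface
    route, ('via', gateway) for a gateway route, None if unroutable."""
    r = fib.lookup(dst)
    if r is None:
        return None
    return ("direct", r.iface) if r.gateway is None else ("via", r.gateway)


# Constructed topology (assumed, not from the thread):
#   bge0  192.0.2.2/24      host's own subnet, host default router 192.0.2.1
#   bge1  198.51.100.2/24   jail subnet; jail IP 198.51.100.10, router 198.51.100.1
JAIL_ROUTER = "198.51.100.1"

# FIB 1 as it ends up with net.add_addr_allfibs=1: every interface route is
# copied into every FIB, plus the default route the admin added for the jail.
fib_allfibs = (Fib()
               .add("192.0.2.0/24", "bge0")
               .add("198.51.100.0/24", "bge1")
               .add("0.0.0.0/0", "bge1", JAIL_ROUTER))

# FIB 1 populated by hand with net.add_addr_allfibs=0: only the jail's own
# subnet is directly connected; everything else goes through the router.
fib_manual = (Fib()
              .add("198.51.100.0/24", "bge1")
              .add("0.0.0.0/0", "bge1", JAIL_ROUTER))


def reply_goes_through_router(fib: Fib, client: str) -> bool:
    """True when the jail's SYN-ACK back to `client` is handed to the router,
    i.e. it retraces the path the SYN took through the stateful firewall.
    False means the reply takes an interface shortcut and the firewall never
    sees the second leg of the handshake."""
    return next_hop(fib, client) == ("via", JAIL_ROUTER)


if __name__ == "__main__":
    client = "192.0.2.50"   # a client on the host's other subnet, reaching the jail via the router
    for name, fib in (("add_addr_allfibs=1", fib_allfibs),
                      ("add_addr_allfibs=0", fib_manual)):
        print(f"{name}: reply to {client} -> {next_hop(fib, client)}, "
              f"symmetric={reply_goes_through_router(fib, client)}")
```

With the interface routes present, the reply to 192.0.2.50 matches the /24 for bge0 and goes out directly; with only the jail subnet and the default route, it goes to the router and the path is symmetric. The model says nothing about which FIB `ifconfig bge0 fib 1` actually populates on a given release; that is the separate question raised in the message above.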