From owner-freebsd-net@FreeBSD.ORG Thu Apr 24 23:58:45 2014
Date: Thu, 24 Apr 2014 17:58:43 -0600
Subject: Re: Deleting IPv4 iface-routes from extra FIBs
From: Alan Somers
To: Chris Smith
Cc: FreeBSD Net
In-Reply-To: <5359A32D.5060701@nevermind.co.nz>
References: <53569ABA.60007@omnilan.de> <535771F3.4070007@freebsd.org> <535836F1.5070508@nevermind.co.nz> <5358AE0A.6000707@FreeBSD.org> <5359977C.8000308@nevermind.co.nz> <5359A32D.5060701@nevermind.co.nz>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Apr 24, 2014 at 5:50 PM, Chris Smith wrote:
> On 25/04/14 11:15, Alan Somers wrote:
>>
>> On Thu, Apr 24, 2014 at 5:00 PM, Chris Smith wrote:
>>>
>>> On 24/04/14 18:24, Alexander V. Chernikov wrote:
>>>>
>>>> On 24.04.2014 01:56, Chris Smith wrote:
>>>>>
>>>>> On 23/04/14 19:55, Julian Elischer wrote:
>>>>>>
>>>>>> On 4/23/14, 4:38 AM, Nikolay Denev wrote:
>>>>>>>
>>>>>>> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>>>>>>>> interface route protection was added (so the following problem arose
>>>>>>>> with 9.2).
>>>>>>>>
>>>>>>>> Unfortunately, in my case, I must be able to delete these routes;
>>>>>>>> not in the default FIB, but in jail's fibs, because:
>>>>>>>> · Host is multihomed with multiple nics in different subnets.
>>>>>>>> · Jail's IP (no vnet) is from a different subnet than host's
>>>>>>>> default-router subnet – jail has no ip in the range of host's
>>>>>>>> default-router!!!
>>>>>>>> · FIB used by jail contains valid default-router.
>>>>>>>>
>>>>>>>> Problem:
>>>>>>>> If iface-routes exist in jail's FIB, answer-packets take the
>>>>>>>> iface-shortcut, not trespassing the router (default gateway); hence
>>>>>>>> 3way-handshake never finishes and firewall terminates (half-opened)
>>>>>>>> TCP sessions.
>>>>>>>>
>>>>>>>> Workaround:
>>>>>>>> · Abuse packet filter doing some kind of route-to…
>>>>>>>> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes
>>>>>>>> can be deleted without any hack)
>>>>>>>>
>>>>>>>> Desired solution:
>>>>>>>> · Allow deletion of v4-iface-routes if FIB!=0.
>>>>>>>>
>>>>>>>> Unfortunately my C skills don't allow me to implement this myself
>>>>>>>> :-(
>>>>>>>> I can't even follow the code, I guess that was originally considered,
>>>>>>>> but possibly doesn't work because of a simple bug?!? I took the lazy
>>>>>>>> way and simply reverted r248895 instead of trying to understand
>>>>>>>> rtrequest1_fib(). I wish I had the time to learn…
>>>>>>>>
>>>>>>>> Thanks for any help,
>>>>>>>>
>>>>>>>> -Harry
>>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> As it was suggested before as immediate workaround you can set
>>>>>>> net.add_addr_allfibs=0 so that the interface routes are added only in
>>>>>>> the default FIB.
>>>>>>
>>>>>> yes, we made two behaviours.
>>>>>> Add interface routes to all active FIBS or only add them to the first
>>>>>> fib and let the user populate other fibs as needed.
>>>>>> It appears you want the second behaviour, so I suggest you use that
>>>>>> option and set up all your routes manually.
>>>>>>
>>>>> Ah, this explains a thing or two.
>>>>
>>>> There is an ongoing work to
>>>> 1) make fibs/allfibs=0 to work better
>>>> 2) Move forward to make allfibs=0 as default value.
>>>>>
>>>>> So when allfibs=0 and an interface is brought up, it's added to the
>>>>> first FIB automatically (and cannot be removed).
>>>>>
>>>>> Is there a way to change which fib the interface route is brought up on?
>>>>> I tried to 'setfib x ifconfig ....' which didn't work.
>>>>
>>>> This will be fixed in near future.
>>>>>
>>>>> Failing that, is there a way to change the system's global FIB without
>>>>> having to run every service with setfib? Basically, the behaviour I want
>>>>> is for interface routes to be brought up on NO fibs, and manually add
>>>>> them to the fibs I need it on.
>>>>
>>>> If ifconfig_ifaceX="fib X inet 1.2.3.4/30" works as expected (changes
>>>> interface fib to chosen one and announce interface route and host route
>>>> in this particular fib) - does this sound OK to you?
>>>
>>> Yes this sounds good.
>>>
>>> If I'm not mistaken the interface FIB only makes sense when the system is
>>> routing? Because the issue I have is that SYN ACKs from services are
>>> being routed via the wrong interfaces and interface FIBs do not appear to
>>> affect that.
>>
>> The interface FIB is used when forwarding packets and when creating
>> the initial subnet and host routes when you assign an interface
>> address. It's not used for outbound traffic (except in that it
>> determines where the host and subnet routes get created). There are
>> several other FIB bugs that I'm actively working on. kern/187553
>> might be related to your problem; it would be great if you could make
>> a test case.
>
> The connections I've been testing with are TCP (SSH and Netcat)
>
> However, this:
>
> ifconfig bge0 fib 1 10.0.0.1/24
>
> Adds the interface route to FIB 0 and nothing to FIB 1. FreeBSD 10 RELEASE
> amd64

That is exactly the bug I fixed earlier today with r264887. I'll MFC it to
stable/10 in a few weeks.

>
>
>>> Allowing interface routes on different FIBs will fix that I think. Or
>>> being able to remove interface routes from a FIB.
>>>
>>> In the meantime, I will probably use FIBs (as opposed to vnet) for my
>>> jails, but find a way to run the host's SSHd with a specific FIB. Any easy
>>> way to do that? Or to specify a system "default FIB" other than 0?
>>
>> In FreeBSD 10 you can put "sshd_fib=1" in /etc/rc.conf to change that
>> process's fib. That will affect the routing of sshd's outbound
>> packets. If you also want to limit which interfaces sshd listens on,
>> you can do that with pf or by setting the ListenAddress in
>> sshd_config.
>>
>> -Alan
>>
>>>>>>> --Nikolay
>>>>>>> _______________________________________________
>>>>>>> freebsd-net@freebsd.org mailing list
>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>>>> To unsubscribe, send any mail to
>>>>>>> "freebsd-net-unsubscribe@freebsd.org"
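The state the thread is working towards for a jail's FIB is a table that still carries a default router but no interface (link#) network route, so that reply packets cannot shortcut past the gateway and get dropped by the firewall as half-open sessions. After applying net.add_addr_allfibs=0 (or, once r264887 lands, an interface-specific fib) that can be verified from the output of `setfib N netstat -rn -f inet`. The POSIX sh check below is an added example, not code from the thread or from FreeBSD; the three route listings are constructed samples with made-up addresses, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample: a jail FIB on a host where net.add_addr_allfibs=1 left
# the bge0 interface route in FIB 1 (the problem case from the thread).
SAMPLE_BAD='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.0.254         UGS        bge0
10.0.0.0/24        link#1             U          bge0
10.0.0.1           link#1             UHS         lo0
127.0.0.1          link#2             UH          lo0'

# Constructed sample: the desired state, default route only, no interface
# network route, so replies go through 10.0.0.254.
SAMPLE_GOOD='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.0.254         UGS        bge0
127.0.0.1          link#2             UH          lo0'

# Constructed sample: a FIB that was never populated (allfibs=0 without the
# manual routes Julian mentions), so the jail has no way out at all.
SAMPLE_NODEF='Routing tables (fib: 2)

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#2             UH          lo0'

# fib_iface_routes ROUTES_TEXT
# Prints the destinations of interface network routes (gateway "link#N",
# no H flag) in the IPv4 section of a netstat -rn listing. These are the
# routes that let a reply bypass the default gateway.
fib_iface_routes() {
    printf '%s\n' "$1" | awk '
        $1 == "Internet:"  { inet = 1; next }
        $1 == "Internet6:" { inet = 0 }
        # Host routes (flag H) are the address itself and are harmless here.
        inet && $2 ~ /^link#/ && $3 !~ /H/ { print $1 }
    '
}

# fib_has_default ROUTES_TEXT
# Returns 0 when the listing contains a "default" row.
fib_has_default() {
    printf '%s\n' "$1" | awk '$1 == "default" { found = 1 } END { exit !found }'
}

# check_jail_fib ROUTES_TEXT
# Returns 0 when the FIB looks the way the thread wants it: a default
# router is present and no interface network route exists.
check_jail_fib() {
    if ! fib_has_default "$1"; then
        echo "no default route in this FIB"
        return 1
    fi
    _routes=$(fib_iface_routes "$1")
    if [ -n "$_routes" ]; then
        echo "interface routes present, replies will bypass the router:"
        printf '  %s\n' $_routes
        return 1
    fi
    return 0
}

# Demonstration on the constructed samples. For a live check, pass the
# real listing instead: check_jail_fib "$(setfib 1 netstat -rn -f inet)"
echo "== constructed FIB with interface route"
check_jail_fib "$SAMPLE_BAD" || true
echo "== constructed FIB as desired"
check_jail_fib "$SAMPLE_GOOD" && echo "ok"
echo "== constructed FIB without default route"
check_jail_fib "$SAMPLE_NODEF" || true
```

Run it as root on the host (not inside the jail, which cannot change FIBs) once per FIB number you hand to a jail; a non-zero exit means the FIB still has the shortcut route or lacks a gateway, and the offending destinations are printed so they can be compared against what `ifconfig ... fib N` or `setfib N route add` was supposed to produce.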