Date:      Thu, 24 Apr 2014 17:58:43 -0600
From:      Alan Somers <asomers@freebsd.org>
To:        Chris Smith <chris@nevermind.co.nz>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: Deleting IPv4 iface-routes from extra FIBs
Message-ID:  <CAOtMX2gtkX1wsYR6kRG4bTZoofODvOxPBHauhCXKW3Jre9BnGg@mail.gmail.com>
In-Reply-To: <5359A32D.5060701@nevermind.co.nz>
References:  <53569ABA.60007@omnilan.de> <CA%2BP_MZH_iScuJ4S=xiKocnEwTzT1eRJPNpJKbboZDfG3B=TBzA@mail.gmail.com> <535771F3.4070007@freebsd.org> <535836F1.5070508@nevermind.co.nz> <5358AE0A.6000707@FreeBSD.org> <5359977C.8000308@nevermind.co.nz> <CAOtMX2jD9bfO=uEuZWntfPAkPhGspuMS-17514N-9FZw4gm3Tw@mail.gmail.com> <5359A32D.5060701@nevermind.co.nz>

On Thu, Apr 24, 2014 at 5:50 PM, Chris Smith <chris@nevermind.co.nz> wrote:
> On 25/04/14 11:15, Alan Somers wrote:
>>
>> On Thu, Apr 24, 2014 at 5:00 PM, Chris Smith <chris@nevermind.co.nz>
>> wrote:
>>>
>>> On 24/04/14 18:24, Alexander V. Chernikov wrote:
>>>>
>>>> On 24.04.2014 01:56, Chris Smith wrote:
>>>>>
>>>>> On 23/04/14 19:55, Julian Elischer wrote:
>>>>>>
>>>>>> On 4/23/14, 4:38 AM, Nikolay Denev wrote:
>>>>>>>
>>>>>>> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer
>>>>>>> <h.schmalzbauer@omnilan.de> wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>>>>>>>> interface route protection was added (so the following problem arose
>>>>>>>> with 9.2).
>>>>>>>>
>>>>>>>> Unfortunately, in my case, I must be able to delete these routes;
>>>>>>>> not in
>>>>>>>> the default FIB, but in jail's fibs, because:
>>>>>>>> · Host is multihomed with multiple nics in different subnets.
>>>>>>>> · Jail's IP (no vnet) is from a different subnet than host's
>>>>>>>> default-router subnet – jail has no IP in the range of host's
>>>>>>>> default-router!!!
>>>>>>>> · FIB used by jail contains valid default-router.
>>>>>>>>
>>>>>>>> Problem:
>>>>>>>> If iface-routes exist in jail's FIB, answer-packets take the
>>>>>>>> iface-shortcut, not trespassing the router (default gateway); hence
>>>>>>>> 3way-handshake never finishes and firewall terminates (half-opened) TCP
>>>>>>>> sessions.
>>>>>>>>
>>>>>>>> Workaround:
>>>>>>>> · Abuse packet filter doing some kind of route-to…
>>>>>>>> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes
>>>>>>>> can be deleted without any hack)
>>>>>>>>
>>>>>>>> Desired solution:
>>>>>>>> · Allow deletion of v4-iface-routes if FIB!=0.
>>>>>>>>
>>>>>>>> Unfortunately my C skills don't allow me to implement this myself
>>>>>>>> :-(
>>>>>>>> I can't even follow the code, I guess that was originally
>>>>>>>> considered,
>>>>>>>> but possibly doesn't work because of a simple bug?!? I took the lazy
>>>>>>>> way and simply reverted r248895 instead of trying to understand
>>>>>>>> rtrequest1_fib(). I wish I had the time to learn…
>>>>>>>>
>>>>>>>> Thanks for any help,
>>>>>>>>
>>>>>>>> -Harry
>>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> As it was suggested before as immediate workaround you can set
>>>>>>> net.add_addr_allfibs=0 so that the interface routes are added only in
>>>>>>> the default FIB.
>>>>>>
>>>>>> yes, we made two behaviours.
>>>>>> Add interface routes to all active FIBS or only add them to the first
>>>>>> fib and let the user populate other fibs as needed.
>>>>>> It appears you want the second behaviour, so I suggest you use that
>>>>>> option and set up all your routes manually.
>>>>>>
>>>>> Ah, this explains a thing or two.
>>>>
>>>> There is an ongoing work to
>>>> 1) make fibs/allfibs=0 to work better
>>>> 2) Move forward to make allfibs=0 as default value.
>>>>>
>>>>> So when allfibs=0 and an interface is brought up, it's added to the
>>>>> first FIB automatically (and cannot be removed).
>>>>>
>>>>> Is there a way to change which fib the interface route is brought up on?
>>>>> I tried to 'setfib x ifconfig ....' which didn't work.
>>>>
>>>> This will be fixed in near future.
>>>>>
>>>>> Failing that, is there a way to change the system's global FIB without
>>>>> having to run every service with setfib? Basically, the behaviour I want
>>>>> is for interface routes to be brought up on NO fibs, and manually add
>>>>> them to the fibs I need it on.
>>>>
>>>> If ifconfig_ifaceX="fib X inet 1.2.3.4/30" works as expected (changes
>>>> interface fib to chosen one and announce interface route and host route
>>>> in this particular fib) - does this sound OK to you?
>>>
>>> Yes this sounds good.
>>>
>>> If I'm not mistaken the interface FIB only makes sense when the system is
>>> routing? Because the issue I have is that SYN ACKs from services are
>>> being
>>> routed via the wrong interfaces and interface FIBs do not appear to
>>> affect
>>> that.
>>
>> The interface FIB is used when forwarding packets and when creating
>> the initial subnet and host routes when you assign an interface
>> address.  It's not used for outbound traffic (except in that it
>> determines where the host and subnet routes get created).  There are
>> several other FIB bugs that I'm actively working on.  kern/187553
>> might be related to your problem; it would be great if you could make
>> a test case.
>
> The connections I've  been testing with are TCP (SSH and Netcat)
>
> However, this:
>
> ifconfig bge0 fib 1 10.0.0.1/24
>
> Adds the interface route to FIB 0 and nothing to FIB 1. FreeBSD 10 RELEASE
> amd64

That is exactly the bug I fixed earlier today with r264887.  I'll MFC
it to stable/10 in a few weeks.

>
>
>>> Allowing interface routes on different FIBs will fix that I think. Or
>>> being
>>> able to remove interface routes from a FIB.
>>>
>>> In the mean time, I will probably use FIBs (as opposed to vnet) for my
>>> jails, but find a way to run the host's SSHd with a specific FIB. Any easy
>>> way to do that? Or to specify a system "default FIB" other than 0?
>>
>> In FreeBSD 10 you can put "sshd_fib=1" in /etc/rc.conf to change that
>> process's fib.  That will affect the routing of sshd's outbound
>> packets.  If you also want to limit which interfaces sshd listens on,
>> you can do that with pf or by setting the ListenAddress in
>> sshd_config.
>>
>> -Alan
>>
>>>>>>> --Nikolay
>>>>>>> _______________________________________________
>>>>>>> freebsd-net@freebsd.org mailing list
>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>>>> To unsubscribe, send any mail to
>>>>>>> "freebsd-net-unsubscribe@freebsd.org"
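As an added example (it is not code from the thread, nor from FreeBSD), here is a small POSIX sh check that scans the output of `setfib N netstat -rn -f inet` for the IPv4 interface (subnet) routes Harald describes, so you can verify that a jail's FIB holds only the routes you populated by hand after setting net.add_addr_allfibs=0 (or that the `ifconfig ... fib 1` bug Chris hit did not put the subnet route in the wrong table). It assumes the netstat column layout Destination/Gateway/Flags/Netif/Expire and that an interface route shows a `link#N` gateway with a `U` flag but neither `G` nor `H`; both sample tables are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: detect IPv4 interface (subnet) routes
# in one FIB's table as printed by "setfib N netstat -rn -f inet".
# Assumption: such a route has gateway "link#N" and flags containing U but
# neither G (via gateway) nor H (host route). In a jail FIB that is supposed
# to force replies through the default router, that route is the
# iface-shortcut that breaks the 3-way handshake described in the thread.

# find_iface_routes: read netstat -rn output on stdin, print "<dest> <netif>"
# for every IPv4 interface subnet route, one per line.
find_iface_routes() {
    awk '
        $1 == "Destination" || NF < 4            { next }   # headers, blanks
        $2 ~ /^link#/ && $3 ~ /U/ && $3 !~ /[GH]/ { print $1, $4 }
    '
}

# check_fib_table: exit 1 and list the offenders if the table on stdin
# contains any interface subnet route, otherwise exit 0.
check_fib_table() {
    found=$(find_iface_routes)
    if [ -n "$found" ]; then
        printf 'interface route(s) present; replies will bypass the gateway:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample: FIB 1 as it looks when net.add_addr_allfibs=1 has
# copied the bge0 subnet route into the jail's FIB.
SAMPLE_LEAKED='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.0.254         UGS        bge0
10.0.0.0/24        link#1             U          bge0
10.0.0.1           link#1             UHS         lo0
127.0.0.1          link#2             UH          lo0
'

# Constructed sample: the same FIB after net.add_addr_allfibs=0 and manual
# population; only the default route and the jail address host route remain.
SAMPLE_CLEAN='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.0.254         UGS        bge0
10.0.0.1           link#1             UHS         lo0
127.0.0.1          link#2             UH          lo0
'

# Demo run over the two constructed tables. On a real host the pipeline is:
#   setfib 1 netstat -rn -f inet | check_fib_table
for tbl in "$SAMPLE_LEAKED" "$SAMPLE_CLEAN"; do
    if printf '%s' "$tbl" | check_fib_table; then
        echo "FIB table OK: no interface subnet route"
    fi
done
```

A non-zero exit from `check_fib_table` means the jail FIB still carries an iface-shortcut route, and traffic the jail answers on that subnet will not traverse the default router (nor the firewall sitting on it). The remedy the thread converges on is to set net.add_addr_allfibs=0, add the routes each extra FIB needs by hand (`setfib 1 route add ...`), and pin the host's sshd to its FIB with sshd_fib=1 in /etc/rc.conf; re-run the check after each change.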


