From: Harald Schmalzbauer
Organization: OmniLAN
Date: Tue, 22 Apr 2014 18:37:14 +0200
To: freebsd-stable@freebsd.org
Cc: freebsd-net@freebsd.org
Subject: Deleting IPv4 iface-routes from extra FIBs
Message-ID: <53569ABA.60007@omnilan.de>
Hello,

here, http://svnweb.freebsd.org/base?view=revision&revision=248895
interface route protection was added (so the following problem arose with 9.2).
Unfortunately, in my case, I must be able to delete these routes; not in the default FIB, but in jail's FIBs, because:
· Host is multihomed with multiple NICs in different subnets.
· Jail's IP (no vnet) is from a different subnet than host's default-router subnet – jail has no IP in the range of host's default-router!!!
· FIB used by jail contains valid default-router.

Problem:
If iface-routes exist in jail's FIB, answer-packets take the iface-shortcut, not trespassing the router (default gateway); hence the 3-way handshake never finishes and the firewall terminates (half-open) TCP sessions.

Workaround:
· Abuse packet filter doing some kind of route-to…
· Revert r248895, to be able to delete v4-iface-routes (inet6-routes can be deleted without any hack)

Desired solution:
· Allow deletion of v4-iface-routes if FIB!=0.

Unfortunately my C skills don't allow me to implement this myself :-(
I can't even follow the code, I guess that was originally considered, but possibly doesn't work because of a simple bug?!?
I took the lazy way and simply reverted r248895 instead of trying to understand rtrequest1_fib().

I wish I had the time to learn…

Thanks for any help,

-Harry
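The reply-path problem described in the message, as an added illustration that is not part of the original post and not FreeBSD code: a toy longest-prefix-match lookup over a jail's FIB shows why a directly connected interface route always wins over the FIB's default route for a client in that subnet, and what changes once that interface route is gone. All addresses and the gateway value are constructed (RFC 5737 documentation ranges), not taken from the poster's network.

```python
import ipaddress

# Added example (not from the original message): a minimal longest-prefix-match
# lookup over a FIB, used to show why a directly connected interface route
# shadows the default route for reply traffic. Addresses are constructed
# (RFC 5737 documentation ranges), not the poster's real network.


def lookup(fib, dst):
    """Return the FIB entry (network, next_hop) with the longest prefix matching dst.

    next_hop is None for an interface (directly connected) route.
    Returns None when no entry matches.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in fib:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def reply_next_hop(fib, client):
    """Where a reply to `client` is sent: 'direct' for an interface route,
    otherwise the gateway address; None if the FIB has no matching route."""
    match = lookup(fib, client)
    if match is None:
        return None
    return "direct" if match[1] is None else match[1]


# Constructed topology: the host has NICs in 192.0.2.0/24 (the jail's subnet)
# and 198.51.100.0/24 (the subnet of the host's own default router).
# The jail's FIB carries its own default router, 192.0.2.1 (constructed value).
JAIL_SUBNET = "192.0.2.0/24"
OTHER_HOST_SUBNET = "198.51.100.0/24"
JAIL_DEFAULT_GW = "192.0.2.1"

# Jail FIB as left by the kernel when the v4 interface routes cannot be
# deleted: both connected subnets are present as interface routes.
FIB_WITH_IFACE_ROUTES = [
    ("0.0.0.0/0", JAIL_DEFAULT_GW),
    (JAIL_SUBNET, None),
    (OTHER_HOST_SUBNET, None),
]

# Jail FIB the poster wants: the interface route for the other host subnet
# removed, so that subnet is reached through the jail's default router.
FIB_WITHOUT_IFACE_ROUTE = [
    ("0.0.0.0/0", JAIL_DEFAULT_GW),
    (JAIL_SUBNET, None),
]


def demo(client="198.51.100.23"):
    """Compare the reply path for a client sitting in the other connected subnet."""
    return {
        "with_iface_route": reply_next_hop(FIB_WITH_IFACE_ROUTES, client),
        "without_iface_route": reply_next_hop(FIB_WITHOUT_IFACE_ROUTE, client),
    }


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name}: reply to 198.51.100.23 goes via {hop}")
```

With the interface route present, the /24 entry beats the /0 default for any client in 198.51.100.0/24, so the reply leaves directly on that NIC and never passes the router that saw the client's SYN; a stateful firewall on that router then only ever sees one side of the handshake. Without the interface route the reply follows the default router, which is the symmetric path the poster is after. Clients in the jail's own subnet are unaffected either way, since that interface route is kept in both tables.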