From: Mike Karels <mike@karels.net>
To: Gregory Shapiro
Cc: freebsd-net@freebsd.org
Subject: Re: Source IPv4 address selection vs BGP IX connection
Date: Fri, 26 Apr 2024 10:58:53 -0500
References: <202404241742.43OHghWB055177@gndrsh.dnsmgr.net>
 <3exr7zmcxnfxuofbyf57gdbzxxrgntprydeesbjsparq3xgeri@p4irynwruq7f>
 <9d8cbd3e-6531-5c2b-ce02-0ff056cc946b@redbarn.org>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On 25 Apr 2024, at 15:56, Gregory Shapiro wrote:

>> of course, gethostid(3) is now deprecated in favour of sysctl(3), and the
>> hostid(8) command is gone, and there's now more than one flavour of
>> Internet-capable UNIX in the world, and there's more than one Internet
>> address family now. so what i did in 1990 is a guide only inasmuch as some
>> way should exist to change the default local address of a socket so that it
>> isn't the address of the interface used for the destination. if that happens
>> i hope we coordinate with Linux and with the other BSD's.
>
> Linux already has a model to give a hint for source address selection via
> route table "hints". When adding routes (either manually via `ip route'
> or via things like bird2 BGP daemon), Linux supports setting a source IP
> for when that route is used.
>
> Interestingly, JunOS (which I believe is based on FreeBSD) also supports
> a way to specify a default IPv4 source address, preferring the primary address
> on lo0 that is not 127.0.0.1. It is a common practice for BGP systems to
> attach their announced IPs to the loopback interface.
>
> https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/default-address-selection-edit-system.html
>
> For the Linux and bird (BGP) documentation:
>
> Linux
> -----
> http://linux-ip.net/html/tools-ip-route.html#ex-tools-ip-route-add-src
>
> "The src option provides a hint to the kernel for source address selection. When you are working with multiple routing tables and different classes of traffic, you can ease your administrative burden, by hosting several different IPs on your linux machine and setting the source address differently, depending on the type of traffic.
>
> In the example below, let's assume that our masquerading host also runs a DNS resolver for the internal network and we have selected all of the outbound DNS packets to be routed according to table 7 [53]. Now, any packet which originates on this box (or is masqueraded through this table) will have its source IP set to 205.254.211.198.
>
> Example D.19. Using src in a routing command with route add
>
> [root@masq-gw]# ip route add default via 205.254.211.254 src 205.254.211.198 table 7
> "
>
> man ip-route
>
> "src ADDRESS
> the source address to prefer when sending to the
> destinations covered by the route prefix."

When you first asked this question, my first thought was that this should
be in the routing table. It seems to me that choosing the source address
is more a function of the destination than of the process (vnet, jail,
etc). In fact, this problem seemed familiar, so I went looking. It turns
out that this feature has been available since 4.4BSD. route(8) has a
keyword to do just this, -ifa (interface address). It only seems to work
when the alias is on the same interface. It also seems to be broken in
-current and 14.0, but I got it to work with 13.3 and 12.4. While
experimenting, I tried to use -ifp as well, but it seems to be ignored;
route add -ifp foobar ... does not fail.
(12.4 got the interface wrong when the alias was on the loopback.)

Anyone know why -ifa is ineffective in 14.0 and -current? It could be
fallout from netlink.

The documentation is weak at best; route(8) says only "the -ifp or -ifa
modifiers may be used to determine the interface or interface address".
"route get" does not display the ifa; I think it did at one time.

I'll also note that binding the desired source address manually works;
ping -S uses this.

		Mike

>
> Bird (BGP Daemon)
> ----
> "The Kernel protocol defines several attributes. These attributes are translated to appropriate system (and OS-specific) route attributes. We support these attributes:
> ..
> ip krt_prefsrc
> (Linux) The preferred source address. Used in source address selection for outgoing packets. Has to be one of the IP addresses of the router."
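The two mechanisms discussed in this message, the kernel's own source address choice for a destination and the application-side override by bind()ing the wanted address before connect() (what ping -S does), can both be observed from a plain UDP socket without transmitting anything, because connect() on a UDP socket only resolves the route and fills in the local address. The block below is an added example, not code from this thread, from FreeBSD or from Bird. It assumes 127.0.0.1 as the destination and 127.0.0.2 as a candidate "loopback alias" source: Linux routes all of 127.0.0.0/8 to lo, so the bind succeeds there, while FreeBSD and macOS configure only 127.0.0.1 by default, so the bind fails with EADDRNOTAVAIL and the helper falls back to the kernel default. That failure is the same one an operator sees when the BGP loopback alias has not actually been added to the interface yet.

```python
import errno
import socket

# Constructed addresses for the demonstration (assumptions, see lead-in):
# DST is the loopback destination; ALT_LOOPBACK stands in for a BGP-style
# loopback alias and exists on Linux but usually not on FreeBSD or macOS.
DST = "127.0.0.1"
ALT_LOOPBACK = "127.0.0.2"


def default_source(dst: str, port: int = 9) -> str:
    """Return the source address the kernel picks for dst when nothing is bound.

    connect() on a UDP socket resolves the route and sets the local address
    but sends no datagram, so this is safe to run offline.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst, port))
        return s.getsockname()[0]


def bound_source(src: str, dst: str, port: int = 9) -> str:
    """Force the source address by bind()ing before connect(), as ping -S does.

    Raises OSError with errno EADDRNOTAVAIL when src is not configured on
    any interface of this host.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((src, 0))
        s.connect((dst, port))
        return s.getsockname()[0]


def preferred_source(candidates, dst: str, port: int = 9) -> str:
    """Use the first candidate that is configured locally, else the kernel default.

    Mirrors the practice described in the thread: prefer a loopback alias
    that is not 127.0.0.1 when one exists, otherwise let the kernel choose
    based on the route to dst.
    """
    for cand in candidates:
        try:
            return bound_source(cand, dst, port)
        except OSError as e:
            # Address not present on this host: try the next candidate.
            if e.errno not in (errno.EADDRNOTAVAIL, errno.EINVAL):
                raise
    return default_source(dst, port)


if __name__ == "__main__":
    print("kernel default source for", DST, "->", default_source(DST))
    print("preferred source ->", preferred_source([ALT_LOOPBACK, DST], DST))
```

Replace DST with a real off-host destination (and ALT_LOOPBACK with the address announced over BGP) to see which interface address the kernel chooses for that route and whether the alias is usable as a source; a bind failure here means the alias is missing, not that route selection is wrong.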