Date: Thu, 24 Apr 2014 09:56:01 +1200
From: Chris Smith <chris@nevermind.co.nz>
To: freebsd-net@freebsd.org
Subject: Re: Deleting IPv4 iface-routes from extra FIBs
Message-ID: <535836F1.5070508@nevermind.co.nz>
In-Reply-To: <535771F3.4070007@freebsd.org>
References: <53569ABA.60007@omnilan.de> <CA+P_MZH_iScuJ4S=xiKocnEwTzT1eRJPNpJKbboZDfG3B=TBzA@mail.gmail.com> <535771F3.4070007@freebsd.org>
On 23/04/14 19:55, Julian Elischer wrote:
> On 4/23/14, 4:38 AM, Nikolay Denev wrote:
>> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer
>> <h.schmalzbauer@omnilan.de> wrote:
>>> Hello,
>>>
>>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>>> interface route protection was added (so the following problem arose
>>> with 9.2).
>>>
>>> Unfortunately, in my case, I must be able to delete these routes; not in
>>> the default FIB, but in jail's fibs, because:
>>> · Host is multihomed with multiple nics in different subnets.
>>> · Jail's IP (no vnet) is from a different subnet than host's
>>> default-router subnet – jail has no ip in the range of host's
>>> default-router!!!
>>> · FIB used by jail contains valid default-router.
>>>
>>> Problem:
>>> If iface-routes exist in jail's FIB, answer-packets take the
>>> iface-shortcut, not trespassing the router (default gateway); hence
>>> 3way-handshake never finishes and firewall terminates (half-opened) TCP
>>> sessions.
>>>
>>> Workaround:
>>> · Abuse packet filter doing some kind of route-to…
>>> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes can
>>> be deleted without any hack)
>>>
>>> Desired solution:
>>> · Allow deletion of v4-iface-routes if FIB!=0.
>>>
>>> Unfortunately my C skills don't allow me to implement this myself :-(
>>> I can't even follow the code, I guess that was originally considered,
>>> but possibly doesn't work because of a simple bug?!? I took the lazy way
>>> and simply reverted r248895 instead of trying to understand
>>> rtrequest1_fib(). I wish I had the time to learn…
>>>
>>> Thanks for any help,
>>>
>>> -Harry
>>>
>> Hi,
>>
>> As it was suggested before as immediate workaround you can set
>> net.add_addr_allfibs=0 so that the interface routes are added only in
>> the default FIB.
>
> yes, we made two behaviours.
> Add interface routes to all active FIBS or only add them to the first
> fib and let the user populate other fibs as needed.
> It appears you want the second behaviour, so I suggest you use that
> option and set up all your routes manually.
>

Ah, this explains a thing or two. So when allfibs=0 and an interface is
brought up, it's added to the first FIB automatically (and cannot be
removed). Is there a way to change which fib the interface route is
brought up on? I tried to 'setfib x ifconfig ....' which didn't work.

Failing that, is there a way to change the system's global FIB without
having to run every service with setfib?

Basically, the behaviour I want is for interface routes to be brought up
on NO fibs, and to manually add them to the fibs I need them on.

>>
>> --Nikolay
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
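The second behaviour Julian describes (net.add_addr_allfibs=0 so the kernel adds interface routes to FIB 0 only, then populating a jail's FIB by hand with only its own connected route plus the default router, so replies go through the router rather than taking an interface shortcut), as an added shell example that is not part of the thread. The FIB number, interface, subnet and router address are constructed values; DRYRUN is a hypothetical helper variable that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes net.add_addr_allfibs=0 is set
# (e.g. in /etc/sysctl.conf) and the kernel was booted with enough FIBs.
# Constructed values: FIB 1, interface em1, subnet 192.0.2.0/24, router
# 192.0.2.1. Set DRYRUN=echo to print the commands instead of executing them.
DRYRUN="${DRYRUN:-}"

# Populate one jail FIB with exactly two routes: the connected route for the
# jail's own subnet (needed so the gateway itself is reachable) and a default
# route via that subnet's router. Interface routes for the host's other
# subnets are deliberately left out of this FIB.
populate_jail_fib() {
    fib="$1"; iface="$2"; net="$3"; gw="$4"
    $DRYRUN setfib "$fib" route -q add -net "$net" -iface "$iface" || return 1
    $DRYRUN setfib "$fib" route -q add default "$gw" || return 1
}

# Check step: succeed only if the FIB now carries a default route.
verify_fib_has_default() {
    setfib "$1" netstat -rn -f inet | awk '$1 == "default" { f = 1 } END { exit !f }'
}

# Usage (as root on the host):
#   populate_jail_fib 1 em1 192.0.2.0/24 192.0.2.1 && verify_fib_has_default 1
```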