From: Julian Elischer <julian@freebsd.org>
Date: Mon, 29 Dec 2014 14:28:55 +0800
To: Jason Healy, freebsd-net@freebsd.org
Subject: Re: IPv6 routes leaking between FIBs?
Message-ID: <54A0F4A7.5020502@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 12/28/14 11:19 AM, Jason Healy wrote:
> Hello,
>
> Trying out FreeBSD for the first time to build a firewall box that’s multi-core and runs PF.
> I’m very interested in the FIB code, as it lines up well with the way my core networking equipment works and should allow me to route traffic on an interface that’s logically separate from the management interfaces.

To some extent this is what it was written for. The FIB code was written for Ironport/Cisco for separating the management port from the data ports on their appliances; however, the VNET code that came later is an even cleaner way of doing it, and FIBs were only used by Ironport because VNET was not yet available. Have you tried vnet jails for interface isolation?

> I’ve been playing for a bit with the FIB features, but I’m getting hung up on IPv6. I’m trying to set up two interfaces on my box to each have a different FIB, and to not leak routes between the interfaces:
>
> # sysctl net.add_addr_allfibs=0
> # ifconfig em1 inet 192.0.2.1/24 fib 1
> # ifconfig em1 inet6 2001:db8:dead:beef::1/64 fib 1
> # ifconfig em2 inet 203.0.113.1/24 fib 2
> # ifconfig em2 inet6 2001:db8:cafe:babe::1/64 fib 2
>
> If I then check the routing tables for each FIB, here’s what I get:
>
> # setfib -F 1 netstat -rn
>
> Routing tables (fib: 1)
>
> Internet:
> Destination        Gateway    Flags  Netif Expire
> 192.0.2.0/24       link#2     U      em1
> 192.0.2.1          link#2     UHS    lo0
>
> Internet6:
> Destination                   Gateway    Flags  Netif Expire
> 2001:db8:cafe:babe::/64       link#3     U      em2
> 2001:db8:dead:beef::/64       link#2     U      em1
> 2001:db8:dead:beef::1         link#2     UHS    lo0
> fe80::%em1/64                 link#2     U      em1
> fe80::a00:27ff:fef6:162a%em1  link#2     UHS    lo0
> fe80::%em2/64                 link#3     U      em2
> fe80::%lo0/64                 link#5     U      lo0
>
>
> # setfib -F 2 netstat -rn
>
> Routing tables (fib: 2)
>
> Internet:
> Destination        Gateway    Flags  Netif Expire
> 203.0.113.0/24     link#3     U      em2
> 203.0.113.1        link#3     UHS    lo0
>
> Internet6:
> Destination                   Gateway    Flags  Netif Expire
> 2001:db8:cafe:babe::/64       link#3     U      em2
> 2001:db8:cafe:babe::1         link#3     UHS    lo0
> 2001:db8:dead:beef::/64       link#2     U      em1
> fe80::%em1/64                 link#2     U      em1
> fe80::%em2/64                 link#3     U      em2
> fe80::a00:27ff:fe62:d267%em2  link#3     UHS    lo0
> fe80::%lo0/64                 link#5     U      lo0
>
>
> Note that as expected, the IPv4 routes are constrained to their FIB (192.0.2.0 to FIB 1 and 203.0.113.0 to FIB 2). However, the IPv6 routes (deadbeef and cafebabe) leak between the FIBs; both prefixes that I add are listed in both FIBs (as well as the link-local stuff).
>
> According to:
>
> https://www.freebsd.org/news/status/report-2012-01-2012-03.html#Multi-FIB:-IPv6-Support-and-Other-Enhancements
>
> IPv6 parity is claimed for the FIB code, so I’m not sure if I’m doing it wrong, or if there’s a problem with the FIB code and IPv6 routes.
>
> Thanks in advance for any help or clarification!
>
> Jason
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
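A mechanical check for the symptom Jason describes, added here as an example and not code from either message or from FreeBSD: it parses the text that `setfib -F N netstat -rn` prints, keeps only connected prefix routes (gateway `link#N`, destination with a prefix length, link-local and host routes skipped), and reports every prefix that shows up in more than one FIB. The two tables embedded below are constructed sample input copied from the ones quoted in the post; the function names `connected_prefixes` and `leaked_prefixes` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: find connected prefixes that appear in
# more than one FIB's routing table, using the text `setfib -F N netstat -rn` prints.
# The two sample tables below are constructed from the ones quoted in the post.

FIB1_OUTPUT='Routing tables (fib: 1)

Internet:
Destination        Gateway    Flags  Netif Expire
192.0.2.0/24       link#2     U      em1
192.0.2.1          link#2     UHS    lo0

Internet6:
Destination                   Gateway    Flags  Netif Expire
2001:db8:cafe:babe::/64       link#3     U      em2
2001:db8:dead:beef::/64       link#2     U      em1
2001:db8:dead:beef::1         link#2     UHS    lo0
fe80::%em1/64                 link#2     U      em1
fe80::a00:27ff:fef6:162a%em1  link#2     UHS    lo0
fe80::%em2/64                 link#3     U      em2
fe80::%lo0/64                 link#5     U      lo0'

FIB2_OUTPUT='Routing tables (fib: 2)

Internet:
Destination        Gateway    Flags  Netif Expire
203.0.113.0/24     link#3     U      em2
203.0.113.1        link#3     UHS    lo0

Internet6:
Destination                   Gateway    Flags  Netif Expire
2001:db8:cafe:babe::/64       link#3     U      em2
2001:db8:cafe:babe::1         link#3     UHS    lo0
2001:db8:dead:beef::/64       link#2     U      em1
fe80::%em1/64                 link#2     U      em1
fe80::%em2/64                 link#3     U      em2
fe80::a00:27ff:fe62:d267%em2  link#3     UHS    lo0
fe80::%lo0/64                 link#5     U      lo0'

# connected_prefixes TABLE
# Prints "fib family prefix netif" for every connected prefix route in one netstat
# table: gateway link#N and a prefix length in the destination. Host routes (the
# UHS entries on lo0) and link-local fe80:: routes are skipped; those are expected
# in every FIB that holds one of the interface's addresses.
connected_prefixes() {
    printf '%s\n' "$1" | awk '
        /^Routing tables/ {
            match($0, /fib: [0-9]+/)
            fib = substr($0, RSTART + 5, RLENGTH - 5)
            next
        }
        /^Internet6?:$/ { family = substr($1, 1, length($1) - 1); next }
        NF >= 4 && $2 ~ /^link#/ && $1 ~ /\// && $1 !~ /^fe80::/ {
            print fib, family, $1, $4
        }
    '
}

# leaked_prefixes TABLE...
# Takes one netstat table per FIB and prints "family prefix count" for each
# connected prefix present in more than one FIB, which is the leak the post shows.
# A correctly isolated setup prints nothing.
leaked_prefixes() {
    for table in "$@"; do
        connected_prefixes "$table"
    done | awk '
        {
            key = $2 " " $3
            if (!((key, $1) in seen)) { seen[key, $1] = 1; fibs[key]++ }
        }
        END { for (k in fibs) if (fibs[k] > 1) print k, fibs[k] }
    ' | sort
}

# On a FreeBSD box the tables come from the live system instead, e.g.
#   leaked_prefixes "$(setfib -F 1 netstat -rn)" "$(setfib -F 2 netstat -rn)"
leaked_prefixes "$FIB1_OUTPUT" "$FIB2_OUTPUT"
```

Run against the quoted tables it lists exactly the two IPv6 prefixes and no IPv4 ones, which matches Jason's reading that IPv4 is confined per FIB while the IPv6 prefixes are not. Because the check reads netstat's text rather than kernel state, it works on any FIB count and can be re-run after a configuration change (or after moving the interfaces into vnet jails, as the reply suggests) to confirm that the leak is gone.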