Date:      Tue, 22 Apr 2014 21:38:14 +0100
From:      Nikolay Denev <nike_d@cytexbg.com>
To:        Harald Schmalzbauer <h.schmalzbauer@omnilan.de>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, FreeBSD <freebsd-stable@freebsd.org>
Subject:   Re: Deleting IPv4 iface-routes from extra FIBs
Message-ID:  <CA+P_MZH_iScuJ4S=xiKocnEwTzT1eRJPNpJKbboZDfG3B=TBzA@mail.gmail.com>
In-Reply-To: <53569ABA.60007@omnilan.de>
References:  <53569ABA.60007@omnilan.de>

On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer
<h.schmalzbauer@omnilan.de> wrote:
> Hello,
>
> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
> interface route protection was added (so the following problem arose
> with 9.2).
>
> Unfortunately, in my case, I must be able to delete these routes; not in
> the default FIB, but in jail's fibs, because:
> · Host is multihomed with multiple NICs in different subnets.
> · Jail's IP (no vnet) is from a different subnet than host's
> default-router subnet – jail has no IP in the range of host's
> default-router!!!
> · FIB used by jail contains valid default-router.
>
> Problem:
> If iface-routes exist in jail's FIB, answer-packets take the
> iface-shortcut, not trespassing the router (default gateway); hence
> 3way-handshake never finishes and firewall terminates (half-opened) TCP
> sessions.
>
> Workaround:
> · Abuse packet filter doing some kind of route-to…
> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes can
> be deleted without any hack)
>
> Desired solution:
> · Allow deletion of v4-iface-routes if FIB!=0.
>
> Unfortunately my C skills don't allow me to implement this myself :-(
> I can't even follow the code, I guess that was originally considered,
> but possibly doesn't work because of a simple bug?!? I took the lazy way
> and simply reverted r248895 instead of trying to understand
> rtrequest1_fib(). I wish I had the time to learn…
>
> Thanks for any help,
>
> -Harry
>

Hi,

As it was suggested before as immediate workaround you can set
net.add_addr_allfibs=0 so that the interface routes are added only in
the default FIB.

--Nikolay
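A check for the workaround above, added here as an example; it is not part of the original thread and not FreeBSD project code. It parses "netstat -rn"-style routing tables and lists the interface (directly connected network) routes present in a FIB, so after setting net.add_addr_allfibs=0 you can confirm that the jail's FIB carries only its default route and that the interface routes which let replies bypass the gateway are gone. The two routing tables are constructed sample output (RFC 5737 addresses, FIB 1 assumed for the jail); the commands in the comments are the ones that would produce such output on a live host and are not executed by the script.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a jail's FIB
# carries no interface routes after setting net.add_addr_allfibs=0.
#
# On the host you would run (FIB number 1 for the jail is an assumption):
#   sysctl net.add_addr_allfibs=0          # or set it in /etc/sysctl.conf
#   netstat -rnF 1                         # or: setfib 1 netstat -rn
# and feed that output to iface_routes below.

# Print "destination netif" for every directly connected network route in a
# netstat -rn style table read from stdin.  Such routes have U in Flags but
# neither G (reached via a gateway) nor H (host route), and are not default.
iface_routes() {
    awk '
        $1 == "Destination" { in_table = 1; next }   # header row seen
        !in_table || NF < 6 { next }                 # skip banner lines
        $1 != "default" && $3 ~ /U/ && $3 !~ /[GH]/ { print $1, $6 }
    '
}

# Succeed (exit 0) when the table passed as $1 has no interface routes,
# i.e. replies from the jail can only leave via the FIB's gateway.
fib_has_no_iface_routes() {
    [ -z "$(printf '%s\n' "$1" | iface_routes)" ]
}

# Constructed sample: jail FIB with the default net.add_addr_allfibs=1.
# The 192.0.2.0/24 and 198.51.100.0/24 interface routes let the jail
# answer hosts on those subnets directly, bypassing the gateway 192.0.2.1,
# which is the asymmetric path that breaks the 3-way handshake at the firewall.
BEFORE=$(cat <<'EOF'
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGS         0      118    em0
127.0.0.1          link#3             UH          0        0    lo0
192.0.2.0/24       link#1             U           0        0    em0
192.0.2.10         link#1             UHS         0        0    lo0
198.51.100.0/24    link#2             U           0        0    em1
198.51.100.20      link#2             UHS         0        0    lo0
EOF
)

# Constructed sample: the same FIB after net.add_addr_allfibs=0 and the
# interface addresses having been re-added; only default and loopback remain.
AFTER=$(cat <<'EOF'
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGS         0      118    em0
127.0.0.1          link#3             UH          0        0    lo0
EOF
)

echo "interface routes in FIB 1 before the sysctl change:"
printf '%s\n' "$BEFORE" | iface_routes
if fib_has_no_iface_routes "$AFTER"; then
    echo "after: FIB 1 has no interface routes, replies go via 192.0.2.1"
fi
```

Two caveats, both from my own reading of how the knob behaves rather than from the thread: the sysctl is consulted when an address is configured, so existing interface routes in the extra FIBs stay until the addresses are re-added or the host reboots (put the setting in /etc/sysctl.conf so it is in place before netif runs); and it does nothing for FIB 0, where the interface routes are always installed, so a jail that has to stay in the default FIB still needs another answer.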
