From owner-freebsd-stable@FreeBSD.ORG Tue Apr 22 20:38:15 2014
Subject: Re: Deleting IPv4 iface-routes from extra FIBs
From: Nikolay Denev
To: Harald Schmalzbauer
Cc: "freebsd-net@freebsd.org", FreeBSD
Date: Tue, 22 Apr 2014 21:38:14 +0100
In-Reply-To: <53569ABA.60007@omnilan.de>
References: <53569ABA.60007@omnilan.de>

On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer wrote:
> Hello,
>
> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
> interface route protection was added (so the following problem arose
> with 9.2).
>
> Unfortunately, in my case, I must be able to delete these routes; not in
> the default FIB, but in jail's FIBs, because:
> · Host is multihomed with multiple NICs in different subnets.
> · Jail's IP (no vnet) is from a different subnet than host's
> default-router subnet – jail has no IP in the range of host's
> default-router!!!
> · FIB used by jail contains valid default-router.
>
> Problem:
> If iface-routes exist in jail's FIB, answer-packets take the
> iface-shortcut, not trespassing the router (default gateway); hence
> 3way-handshake never finishes and firewall terminates (half-opened) TCP
> sessions.
>
> Workaround:
> · Abuse packet filter doing some kind of route-to…
> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes can
> be deleted without any hack)
>
> Desired solution:
> · Allow deletion of v4-iface-routes if FIB!=0.
>
> Unfortunately my C skills don't allow me to implement this myself :-(
> I can't even follow the code, I guess that was originally considered,
> but possibly doesn't work because of a simple bug?!? I took the lazy way
> and simply reverted r248895 instead of trying to understand
> rtrequest1_fib(). I wish I had the time to learn…
>
> Thanks for any help,
>
> -Harry
>

Hi,

As it was suggested before, as an immediate workaround you can set
net.add_addr_allfibs=0 so that the interface routes are added only in
the default FIB.
--Nikolay
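The check and the workaround discussed in this thread, as an added example that is not code from either poster: a POSIX sh script that reads a `netstat -rn -F <fib>` dump, reports whether a jail's FIB still carries an interface route for one of the host's other subnets (the condition Harald describes, where replies take the interface shortcut instead of going back through the gateway), and prints the commands for Nikolay's `net.add_addr_allfibs=0` workaround. The routing-table text, FIB number, addresses and interface names are constructed; the `netstat -F` column layout is that of FreeBSD 9.x, and the `-iface` form of route(8) used to re-add the single link route the gateway itself needs is an assumption.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits one FIB's routing
# table for interface routes that bypass the jail's default gateway and prints
# the commands that apply the net.add_addr_allfibs=0 workaround.
# Assumed: FreeBSD 9.x `netstat -rn -F <fib>` column layout, setfib(1), and
# route(8) with the -iface modifier. All addresses below are constructed.

# Constructed sample of `netstat -rn -F 1` on a host where net.add_addr_allfibs=1
# copied every NIC's interface route into FIB 1. 192.0.2.0/24 holds the jail
# address and its gateway; 198.51.100.0/24 is the host's default-router subnet.
SAMPLE_FIB1='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGS         0        0    em1
127.0.0.1          link#4             UH          0        0    lo0
192.0.2.0/24       link#2             U           0        0    em1
198.51.100.0/24    link#1             U           0        0    em0
'

# fib_iface_routes: read a netstat -rn dump on stdin and print each IPv4
# interface route (link# gateway, flag U) as "destination<TAB>netif".
fib_iface_routes() {
    awk '$2 ~ /^link#/ && $3 == "U" { print $1 "\t" $6 }'
}

# fib_default_gw: print the gateway of the default route in the dump on stdin,
# or nothing if the FIB has no default route.
fib_default_gw() {
    awk '$1 == "default" { print $2; exit }'
}

# fib_has_iface_route SUBNET: succeed if the dump on stdin carries an interface
# route for SUBNET. In a jail FIB such a route makes replies into that subnet
# skip the gateway, which is why the 3-way handshake never completes.
fib_has_iface_route() {
    fib_iface_routes | awk -v net="$1" '$1 == net { found = 1 } END { exit found ? 0 : 1 }'
}

# fib_audit FIB SUBNET...: report the default gateway of the dump on stdin and
# every listed subnet that still has an interface route. Returns 1 if any does.
fib_audit() {
    fib=$1; shift
    dump=$(cat)
    bad=0
    printf 'FIB %s default gateway: %s\n' "$fib" "$(printf '%s\n' "$dump" | fib_default_gw)"
    for net in "$@"; do
        if printf '%s\n' "$dump" | fib_has_iface_route "$net"; then
            printf 'FIB %s has an interface route for %s: replies into it bypass the gateway\n' "$fib" "$net"
            bad=1
        fi
    done
    return $bad
}

# fib_workaround_cmds FIB GATEWAY GWSUBNET NETIF: print the commands for the
# workaround. net.add_addr_allfibs only affects addresses configured after it
# is set, so on a production box it belongs in /boot/loader.conf (or in
# /etc/sysctl.conf before netif starts) rather than being flipped at runtime.
# With it at 0 the extra FIB gets no interface routes at all, so the one link
# route the gateway lives on is added back by hand before the default route.
fib_workaround_cmds() {
    fib=$1; gw=$2; gwnet=$3; ifname=$4
    printf 'sysctl net.add_addr_allfibs=0\n'
    printf 'setfib %s route add -net %s -iface %s\n' "$fib" "$gwnet" "$ifname"
    printf 'setfib %s route add default %s\n' "$fib" "$gw"
}

# Demo on the constructed table: the host's router subnet must not have an
# interface route in the jail's FIB; the jail's own subnet may keep it.
if ! printf '%s\n' "$SAMPLE_FIB1" | fib_audit 1 198.51.100.0/24; then
    printf 'Commands to apply the workaround:\n'
    fib_workaround_cmds 1 192.0.2.1 192.0.2.0/24 em1
fi
```

On a live system feed `netstat -rn -F "$fib"` into `fib_audit` instead of the sample; the subnets to pass are every host subnet other than the one the jail's gateway sits on. The audit is also a cheap regression check after applying the sysctl: once interface routes stop being copied into the extra FIB, `fib_audit` returns 0 for all of the host's other subnets.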