From owner-freebsd-net@FreeBSD.ORG Wed Apr 23 07:55:59 2014
Message-ID: <535771F3.4070007@freebsd.org>
Date: Wed, 23 Apr 2014 15:55:31 +0800
From: Julian Elischer
To: Nikolay Denev, Harald Schmalzbauer
Cc: "freebsd-net@freebsd.org", FreeBSD
Subject: Re: Deleting IPv4 iface-routes from extra FIBs
References: <53569ABA.60007@omnilan.de>

On 4/23/14, 4:38 AM, Nikolay Denev wrote:
> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer wrote:
>> Hello,
>>
>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>> interface route protection was added (so the following problem arose
>> with 9.2).
>>
>> Unfortunately, in my case, I must be able to delete these routes; not in
>> the default FIB, but in jail's fibs, because:
>> · Host is multihomed with multiple nics in different subnets.
>> · Jail's IP (no vnet) is from a different subnet than host's
>> default-router subnet – jail has no ip in the range of host's
>> default-router!!!
>> · FIB used by jail contains valid default-router.
>>
>> Problem:
>> If iface-routes exist in jail's FIB, answer-packets take the
>> iface-shortcut, not trespassing the router (default gateway); hence
>> 3way-handshake never finishes and firewall terminates (half-opened) TCP
>> sessions.
>>
>> Workaround:
>> · Abuse packet filter doing some kind of route-to…
>> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes can
>> be deleted without any hack)
>>
>> Desired solution:
>> · Allow deletion of v4-iface-routes if FIB!=0.
>>
>> Unfortunately my C skills don't allow me to implement this myself :-(
>> I can't even follow the code, I guess that was originally considered,
>> but possibly doesn't work because of a simple bug?!? I took the lazy way
>> and simply reverted r248895 instead of trying to understand
>> rtrequest1_fib(). I wish I had the time to learn…
>>
>> Thanks for any help,
>>
>> -Harry
>>
> Hi,
>
> As it was suggested before as immediate workaround you can set
> net.add_addr_allfibs=0 so that the interface routes are added only in
> the default FIB.

Yes, we made two behaviours. Add interface routes to all active FIBS or
only add them to the first fib and let the user populate other fibs as
needed. It appears you want the second behaviour, so I suggest you use
that option and set up all your routes manually.

>
> --Nikolay
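Worked example added by the editor, not code from any poster on this thread: it shows the "second behaviour" Julian describes (net.add_addr_allfibs=0, then populating the jail's FIB by hand) and adds the check a practitioner would want afterwards, an audit of the FIB's routing table for leftover interface routes to the host's other subnets, since those are exactly the shortcuts that produce Harry's half-open TCP sessions. The FIB number, interface names, subnets and gateway are constructed placeholders; the FreeBSD route(8) `-fib`/`-iface` syntax, the `net.add_addr_allfibs` sysctl and the `netstat -rnF <fib>` column layout (Destination, Gateway, Flags, ...) are assumed from FreeBSD 9/10, and the sample tables are constructed, not real netstat output.

```shell
#!/bin/sh
# Added example (editor's, not from any poster on this thread): populate a
# jail's FIB by hand once net.add_addr_allfibs=0 stops the kernel from copying
# interface routes into every FIB, then audit the FIB for leftover shortcuts.
# All addresses, interface names and the FIB number are constructed
# placeholders; the FreeBSD route(8)/sysctl(8)/netstat(1) syntax is assumed.

JAIL_FIB=1
JAIL_IF=em1                # NIC carrying the jail's subnet (placeholder)
JAIL_NET=192.0.2.0/24      # jail's subnet (placeholder)
JAIL_GW=192.0.2.1          # router inside the jail's subnet (placeholder)

# The commands that give FIB $JAIL_FIB exactly two routes: the connected
# route for the jail's own subnet (needed to ARP the gateway) and a default
# route via that gateway. Nothing is executed here; pipe the output to sh.
jail_fib_commands() {
    printf '%s\n' \
        "sysctl net.add_addr_allfibs=0" \
        "route -n add -fib $JAIL_FIB -net $JAIL_NET -iface $JAIL_IF" \
        "route -n add -fib $JAIL_FIB default $JAIL_GW"
}

# Audit: read a routing table (the text of "netstat -rnF <fib>") on stdin and
# report any directly-connected route (gateway "link#N") to one of the host's
# other subnets. Such a route lets replies bypass the default router, which
# is the half-open TCP symptom described in the thread.
#   $1      the jail's own subnet (allowed)
#   $2...   every subnet the host has an address in
# Prints one "shortcut: <subnet>" line per hit; returns 1 if any were found.
fib_shortcut_check() {
    jail_net=$1; shift
    table=$(cat)
    rc=0
    for net in "$@"; do
        [ "$net" = "$jail_net" ] && continue
        if printf '%s\n' "$table" | awk -v net="$net" '
                $1 == net && $2 ~ /^link#/ { found = 1 }
                END { exit found ? 0 : 1 }'; then
            echo "shortcut: $net"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tables (not real netstat output).
# Before: the jail FIB still carries the host's 198.51.100.0/24 interface route.
FIB_BEFORE='Destination        Gateway            Flags     Netif
default            192.0.2.1          UGS       em1
192.0.2.0/24       link#2             U         em1
198.51.100.0/24    link#1             U         em0'
# After: only the jail subnet and the default route remain.
FIB_AFTER='Destination        Gateway            Flags     Netif
default            192.0.2.1          UGS       em1
192.0.2.0/24       link#2             U         em1'

HOST_NETS="192.0.2.0/24 198.51.100.0/24"

# Run the audit on the sample tables; returns 0 only if "before" is flagged
# and "after" is clean.
demo() {
    printf '%s\n' "$FIB_BEFORE" | fib_shortcut_check "$JAIL_NET" $HOST_NETS && return 1
    printf '%s\n' "$FIB_AFTER"  | fib_shortcut_check "$JAIL_NET" $HOST_NETS
}

if [ "${1:-}" = demo ]; then
    jail_fib_commands
    demo && echo "audit OK"
fi
```

Running `sh script.sh demo` only prints the route commands and exercises the audit on the constructed tables. On a FreeBSD host, `jail_fib_commands | sh` (as root) applies them, and `netstat -rnF 1 | fib_shortcut_check 192.0.2.0/24 <all host subnets>` audits the live FIB; the sysctl should also go into /etc/sysctl.conf so the kernel does not repopulate the FIB after a reboot or an address change.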