Bjoern A. Zeeb wrote:
On Fri, 28 Nov 2008, Frank Behrens wrote:
Hi,
Bjoern A. Zeeb <[EMAIL PROTECTED]> wrote on 27 Nov 2008 16:47:
Now I want to tunnel between my 192.168.90.0/24 and a foreign
192.168.200.0/24. So I assigned 192.168.90.254/32 to lo2 and created
a static route.
So if you don't mind to go out with a source address of 192.168.90.1
instead of .254, what about this hack. What happens if you change the
route to
route change -net 192.168.200.0/24 192.168.90.2
(assuming the .2 is not on your local machine).
That works for the router, but for incoming packets on the internal
interface (from -net 192.168.90.0/24) the machine will send an ICMP
redirect to new router 192.168.90.2. Of course that is a black hole.
When I use the route to own interface address
(route change -net 192.168.200.0/24 192.168.90.1) it works, but also
for every incoming packet an ICMP redirect is sent. So that solution
is a workaround for short time only.
You can disable icmp redirects entirely but not sure if something else
would stop working in your network topology then.
sysctl net.inet.ip.redirect
Does anybody have a better solution for source address selection? Am
I the only one with an IPSEC tunnel?
The best solution actually is to teach your application to bind for
this connection I guess instead of relying on any hack.
When it comes to the source address selection I am tempted to answer
with: I am willing to still allow this in 7 to not break production
setups but I am inclined to not change HEAD and keep the behavior
dropped there. See patch below, which basically is what you had with
the version check and the if (ia == NULL) check to not blindly overwrite
if we had found anything closer (untested).
Currently trying to discuss this with people.
can you assign a second FIB to handle this case?
------------------------------------------------------------------------
Index: sys/netinet/in_pcb.c
===================================================================
--- sys/netinet/in_pcb.c (revision 185571)
+++ sys/netinet/in_pcb.c (working copy)
@@ -696,6 +696,10 @@
ia = ifatoia(ifa_ifwithnet(sintosa(&sain)));
if (cred == NULL || !jailed(cred)) {
+#if __FreeBSD_version < 800000
+ if (ia == NULL)
+ ia = (struct in_ifaddr *)sro.ro_rt->rt_ifa;
+#endif
if (ia == NULL) {
error = ENETUNREACH;
goto done;
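Review bot: the fallback added under `#if __FreeBSD_version < 800000` dereferences `sro.ro_rt->rt_ifa` without a visible check that `sro.ro_rt` is non-NULL in this hunk; if the route lookup earlier in this function guarantees that, a one-line comment saying so (and why the fallback is kept only for the 7.x version range) would help the next reader, otherwise guard it with `if (ia == NULL && sro.ro_rt != NULL)`. The cover mail also calls the change untested, so the `ia == NULL` path of the 7.x branch needs at least a build and one run through it before commit.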
------------------------------------------------------------------------
/bz
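To make the redirect behaviour Frank describes concrete, here is an added example (not from the thread or from FreeBSD's sources) that models the check ip_forward() makes before emitting an ICMP redirect: the packet would leave through the interface it arrived on, the route's gateway lies on the same subnet as the packet's source, and net.inet.ip.redirect is enabled. Interface names, the 192.168.90.10 host and the route dictionaries are constructed for the example.

```python
import ipaddress

# Simplified model of the ICMP redirect decision (added example, not kernel
# code). Real ip_forward() has further conditions (source routing, dynamic
# or modified routes) that do not matter for the two cases in the thread.

INTERNAL_NET = ipaddress.ip_network("192.168.90.0/24")   # the local LAN
TUNNEL_NET = ipaddress.ip_network("192.168.200.0/24")    # far side of the IPsec tunnel


def redirect_target(src, dst, rcv_if, route, ip_redirect=1):
    """Return the address an ICMP redirect would point hosts at, or None.

    route: dict with 'net', 'gateway' (None for an interface route), 'ifp'
           (outgoing interface) and 'ifp_net' (subnet of that interface).
    rcv_if: interface the packet arrived on.
    ip_redirect: value of the sysctl net.inet.ip.redirect.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if dst not in route["net"]:
        return None            # this route does not cover the destination
    if not ip_redirect:
        return None            # net.inet.ip.redirect=0 suppresses redirects
    if route["ifp"] != rcv_if:
        return None            # leaves via another interface: plain forwarding
    # Redirect points at the gateway, or at the destination for an
    # interface route, but only when the sender could reach it directly.
    target = ipaddress.ip_address(route["gateway"]) if route["gateway"] else dst
    if src in route["ifp_net"] and target in route["ifp_net"]:
        return str(target)
    return None


def route_via(gateway):
    # Static route for the tunnel net, as set by "route change -net ... <gateway>";
    # 'em0' is a constructed name for the internal interface.
    return {"net": TUNNEL_NET, "gateway": gateway, "ifp": "em0", "ifp_net": INTERNAL_NET}


def thread_scenarios():
    """The two 'route change' variants from the thread, plus the sysctl off."""
    pkt = ("192.168.90.10", "192.168.200.5", "em0")   # LAN host -> tunnel host
    return {
        # gateway .2 is not a host at all: LAN hosts are redirected into a black hole
        "gateway .2 (not local)": redirect_target(*pkt, route_via("192.168.90.2")),
        # gateway .1 is the router's own address: it works, but still redirects
        "gateway .1 (own address)": redirect_target(*pkt, route_via("192.168.90.1")),
        "redirect sysctl off": redirect_target(*pkt, route_via("192.168.90.1"), ip_redirect=0),
    }
```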
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"