Bjoern A. Zeeb wrote:
On Fri, 28 Nov 2008, Frank Behrens wrote:

Hi,

Bjoern A. Zeeb <[EMAIL PROTECTED]> wrote on 27 Nov 2008 16:47:
Now I want to tunnel between my 192.168.90.0/24 and a foreign
192.168.200.0/24. So I assigned 192.168.90.254/32 to lo2 and created
a static route.

So if you don't mind to go out with a source address of 192.168.90.1
instead of .254, what about this hack. What happens if you change the
route to
     route change -net 192.168.200.0/24 192.168.90.2
(assuming the .2 is not on your local machine).

That works for the router, but for incoming packets on the internal
interface (from -net 192.168.90.0/24) the machine will send an ICMP
redirect to new router 192.168.90.2. Of course that is a black hole.
When I use the route to own interface address
(route change -net 192.168.200.0/24 192.168.90.1) it works, but also
for every incoming packet an ICMP redirect is sent. So that solution
is a workaround for short time only.

You can disable icmp redircts entirely but not sure if soemthing else
would stop working in your network topology then.

sysctl net.inet.ip.redirect


Does anybody have a better solution for source address selection? Am
I the only one with an IPSEC tunnel?

The best solution actually is to teach your application to bind for
this connection I guess instead of relying on any hack.


When it comes to the source address selection I am tempted to answer
with: I am willing to still allow this in 7 to not break production
setups but I am inclined to not change HEAD and keep the behavior
dropped there. See patch below, which basically is what you had with
the version check and the if (ia == NULL) check to not blindly overwrite
if we had found anything closer (untested).

Currently trying to discuss this with people.


can you assign a second FIB to handle this case?


------------------------------------------------------------------------
Index: sys/netinet/in_pcb.c
===================================================================
--- sys/netinet/in_pcb.c        (revision 185571)
+++ sys/netinet/in_pcb.c        (working copy)
@@ -696,6 +696,10 @@
                        ia = ifatoia(ifa_ifwithnet(sintosa(&sain)));

                if (cred == NULL || !jailed(cred)) {
+#if __FreeBSD_version < 800000
+                       if (ia == NULL)
+                               ia = (struct in_ifaddr *)sro.ro_rt->rt_ifa;
+#endif
                        if (ia == NULL) {
                                error = ENETUNREACH;
                                goto done;
------------------------------------------------------------------------


/bz


_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to