Hello, here, http://svnweb.freebsd.org/base?view=revision&revision=248895 interface route protection was added (so the following problem arose with 9.2).
Unfortunately, in my case, I must be able to delete these routes; not in the default FIB, but in the jail's FIBs, because:

· Host is multihomed with multiple NICs in different subnets.
· Jail's IP (no vnet) is from a different subnet than the host's default-router subnet; the jail has no IP in the range of the host's default router!!!
· The FIB used by the jail contains a valid default router.

Problem: If iface routes exist in the jail's FIB, answer packets take the iface shortcut, not traversing the router (default gateway); hence the 3-way handshake never finishes and the firewall terminates (half-open) TCP sessions.

Workaround:
· Abuse the packet filter doing some kind of route-to…
· Revert r248895, to be able to delete v4 iface routes (inet6 routes can be deleted without any hack)

Desired solution:
· Allow deletion of v4 iface routes if FIB != 0.

Unfortunately my C skills don't allow me to implement this myself :-( I can't even follow the code. I guess that was originally considered, but possibly doesn't work because of a simple bug?!? I took the lazy way and simply reverted r248895 instead of trying to understand rtrequest1_fib(). I wish I had the time to learn…

Thanks for any help,
-Harry
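To make the failure mode concrete, here is an added audit script (not from this mail or from FreeBSD itself) that parses constructed `netstat -rnF` output for a jail FIB and lists the IPv4 interface routes whose subnet holds none of the jail's addresses; those are exactly the routes whose deletion r248895 now refuses, and the ones along which replies bypass the FIB's default gateway. The addresses, interface names and the sample table are all hypothetical.

```shell
#!/bin/sh
# Constructed `netstat -rnF 1` output from a hypothetical FreeBSD 9.x host (not
# real output): em0 carries the host's default-router subnet, em1 carries the
# jail's subnet; the jail (no vnet) owns 192.0.2.20 in FIB 1.
SAMPLE_FIB1='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0        0    em0
203.0.113.0/24     link#1             U           0        0    em0
203.0.113.10       link#1             UHS         0        0    lo0
192.0.2.0/24       link#2             U           0        0    em1
192.0.2.20         link#2             UHS         0        0    lo0
127.0.0.1          link#3             UH          0        0    lo0'

# Network interface routes: gateway is link#N, flags carry U but neither G nor H.
iface_net_routes() {
    printf '%s\n' "$1" | awk '
        /^Internet6:/ { exit }                          # IPv4 table only
        $2 ~ /^link#/ && $3 ~ /U/ && $3 !~ /[GH]/ { print $1 }'
}

ip2int() {                       # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                      # in_cidr IP NET/PLEN -> true if IP lies in NET
    net=${2%/*}; plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# shortcut_routes TABLE JAIL_IP... : interface routes whose subnet holds none of
# the jail's addresses. Replies to peers in those subnets leave via the NIC
# instead of the FIB's default gateway, so a firewall on the gateway path sees
# only half of the TCP handshake.
shortcut_routes() {
    table=$1; shift
    for cidr in $(iface_net_routes "$table"); do
        hit=0
        for ip in "$@"; do
            if in_cidr "$ip" "$cidr"; then hit=1; fi
        done
        if [ "$hit" -eq 0 ]; then printf '%s\n' "$cidr"; fi
    done
}

shortcut_routes "$SAMPLE_FIB1" 192.0.2.20    # prints 203.0.113.0/24
```

On a live host the same functions can be fed `"$(netstat -rnF "$fib")"` together with the jail's ip4.addr list; the jail's own subnet route is kept, only the foreign-subnet interface routes are reported.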