On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer <h.schmalzba...@omnilan.de> wrote:
> Hello,
>
> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
> interface route protection was added (so the following problem arose
> with 9.2).
>
> Unfortunately, in my case, I must be able to delete these routes; not in
> the default FIB, but in jail's FIBs, because:
> · Host is multihomed with multiple NICs in different subnets.
> · Jail's IP (no vnet) is from a different subnet than host's
> default-router subnet – jail has no IP in the range of host's
> default-router!!!
> · FIB used by jail contains valid default-router.
>
> Problem:
> If iface-routes exist in jail's FIB, answer-packets take the
> iface-shortcut, not trespassing the router (default gateway); hence
> 3way-handshake never finishes and firewall terminates (half-opened) TCP
> sessions.
>
> Workaround:
> · Abuse packet filter doing some kind of route-to…
> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes can
> be deleted without any hack)
>
> Desired solution:
> · Allow deletion of v4-iface-routes if FIB!=0.
>
> Unfortunately my C skills don't allow me to implement this myself :-(
> I can't even follow the code, I guess that was originally considered,
> but possibly doesn't work because of a simple bug?!? I took the lazy way
> and simply reverted r248895 instead of trying to understand
> rtrequest1_fib(). I wish I had the time to learn…
>
> Thanks for any help,
>
> -Harry
Hi,

As was suggested before, as an immediate workaround you can set net.add_addr_allfibs=0 so that the interface routes are added only in the default FIB.

--Nikolay
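A check for the condition the thread describes, added here and not part of either message: it audits a jail FIB as printed by `setfib <n> netstat -rn` and fails if the jail's subnet still has an interface (link#) route in that FIB or the default route does not point at the expected gateway. The routing tables, interface names and addresses below are constructed samples in the FreeBSD 9.x netstat layout; on a real host pass `"$(setfib 1 netstat -rn)"` instead.

```sh
#!/bin/sh
# Added example, not from the thread. The fault described above is a link#
# route for the jail's subnet inside the jail's FIB, which lets replies skip
# the default router; net.add_addr_allfibs=0 keeps such routes in FIB 0 only.

# Constructed sample of FIB 1 with add_addr_allfibs=1: the 192.0.2.0/24 link
# route is present, so answer packets take the interface shortcut.
BAD_FIB='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            198.51.100.1       UGS         0        0    em1
192.0.2.0/24       link#1             U           0        0    em0'

# Constructed sample of FIB 1 after net.add_addr_allfibs=0 plus
# `setfib 1 route add default 198.51.100.1`: only the gateway route remains.
GOOD_FIB='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            198.51.100.1       UGS         0        0    em1'

# has_iface_route TABLE PREFIX: exit 0 if TABLE carries an interface route
# (gateway column is link#N) for PREFIX, i.e. the shortcut we must not have.
has_iface_route() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 == p && $2 ~ /^link#/ { hit = 1 } END { exit !hit }'
}

# has_default_via TABLE GATEWAY: exit 0 if the default route points at GATEWAY.
has_default_via() {
    printf '%s\n' "$1" |
        awk -v gw="$2" '$1 == "default" && $2 == gw { hit = 1 } END { exit !hit }'
}

# audit_fib TABLE PREFIX GATEWAY: returns 0 only when PREFIX has no interface
# route in TABLE and the default route goes through GATEWAY; explains otherwise.
audit_fib() {
    rc=0
    if has_iface_route "$1" "$2"; then
        echo "FAIL: interface route for $2 present, replies will bypass $3"
        rc=1
    fi
    if ! has_default_via "$1" "$3"; then
        echo "FAIL: no default route via $3"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $2 is reached only through $3"
    return "$rc"
}

# Demo on the constructed tables; on a real host use "$(setfib 1 netstat -rn)".
audit_fib "$BAD_FIB"  192.0.2.0/24 198.51.100.1 || true
audit_fib "$GOOD_FIB" 192.0.2.0/24 198.51.100.1
```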