On 23/04/14 19:55, Julian Elischer wrote:
> On 4/23/14, 4:38 AM, Nikolay Denev wrote:
>> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer
>> <h.schmalzba...@omnilan.de> wrote:
>>> Hello,
>>>
>>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>>> interface route protection was added (so the following problem arose
>>> with 9.2).
>>>
>>> Unfortunately, in my case, I must be able to delete these routes; not in
>>> the default FIB, but in jail's fibs, because:
>>> · Host is multihomed with multiple nics in different subnets.
>>> · Jail's IP (no vnet) is from a different subnet than host's
>>> default-router subnet – jail has no ip in the range of host's
>>> default-router!!!
>>> · FIB used by jail contains valid default-router.
>>>
>>> Problem:
>>> If iface-routes exist in jail's FIB, answer-packets take the
>>> iface-shortcut, not trespassing the router (default gateway); hence
>>> 3way-handshake never finishes and firewall terminates (half-opened) TCP
>>> sessions.
>>>
>>> Workaround:
>>> · Abuse packet filter doing some kind of route-to…
>>> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes can
>>> be deleted without any hack)
>>>
>>> Desired solution:
>>> · Allow deletion of v4-iface-routes if FIB!=0.
>>>
>>> Unfortunately my C skills don't allow me to implement this myself :-(
>>> I can't even follow the code, I guess that was originally considered,
>>> but possibly doesn't work because of a simple bug?!? I took the lazy way
>>> and simply reverted r248895 instead of trying to understand
>>> rtrequest1_fib(). I wish I had the time to learn…
>>>
>>> Thanks for any help,
>>>
>>> -Harry
>>>
>> Hi,
>>
>> As it was suggested before as immediate workaround you can set
>> net.add_addr_allfibs=0 so that the interface routes are added only in
>> the default FIB.
>
> yes, we made two behaviours.
> Add interface routes to all active FIBS or only add them to the first
> fib and let the user populate other fibs as needed.
> It appears you want the second behaviour, so I suggest you use that
> option and set up all your routes manually.
>

Ah, this explains a thing or two.
So when allfibs=0 and an interface is brought up, it's added to the first
FIB automatically (and cannot be removed). Is there a way to change which
fib the interface route is brought up on?
I tried to 'setfib x ifconfig ....' which didn't work.

Failing that, is there a way to change the system's global FIB without
having to run every service with setfib?

Basically, the behaviour I want is for interface routes to be brought up on
NO fibs, and manually add them to the fibs I need it on.

>>
>> --Nikolay

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
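
Added example, not part of the original thread: a check for the condition the thread describes, reporting interface routes that are present in a FIB and whether the table forces replies through the default gateway. It assumes the FreeBSD `netstat -rn` column layout (destination, gateway, flags first); the FIB number, addresses and interface names in the samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report interface routes present in a FIB.
# On FreeBSD, feed it one FIB's table, e.g. (FIB 1 is an assumed jail FIB):
#   setfib 1 netstat -rn -f inet | iface_routes

# Print the destination of every directly connected network route: the gateway
# column is a link#N entry and the flags do not mark it as a host route (H).
iface_routes() {
    awk '$2 ~ /^link#[0-9]+$/ && $3 !~ /H/ { print $1 }'
}

# Succeed only if the table has a default route via a gateway (G flag) and no
# interface network routes, so replies cannot take the interface shortcut.
fib_forces_gateway() {
    awk '
        $1 == "default" && $3 ~ /G/        { has_default = 1 }
        $2 ~ /^link#[0-9]+$/ && $3 !~ /H/  { iface++ }
        END { exit !(has_default && iface == 0) }
    '
}

# Constructed sample: a FIB populated with interface routes for both NICs.
sample_populated_fib() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGS         0       42    em1
127.0.0.1          link#3             UH          0        0    lo0
192.0.2.0/24       link#2             U           0        7    em1
192.0.2.10         link#2             UHS         0        0    lo0
198.51.100.0/24    link#1             U           0        3    em0
EOF
}

# Constructed sample: a FIB holding only a manually added default route.
sample_manual_fib() {
cat <<'EOF'
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGS         0       42    em1
EOF
}

# Stand-alone run: list the interface routes found in the populated sample.
sample_populated_fib | iface_routes
```
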