On 13.10.2014 12:35, Harald Schmalzbauer wrote:
Regarding Julian Elischer's message of 23.04.2014 09:55 (localtime):
On 4/23/14, 4:38 AM, Nikolay Denev wrote:
On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer
<h.schmalzba...@omnilan.de> wrote:
Hello,
here, http://svnweb.freebsd.org/base?view=revision&revision=248895
interface route protection was added (so the following problem arose
with 9.2).
Unfortunately, in my case, I must be able to delete these routes; not in
the default FIB, but in jail's FIBs, because:
· Host is multihomed with multiple nics in different subnets.
· Jail's IP (no vnet) is from a different subnet than host's
default-router subnet – jail has no ip in the range of host's
default-router!!!
· FIB used by jail contains valid default-router.
Problem:
If iface-routes exist in jail's FIB, answer-packets take the
iface-shortcut, not trespassing the router (default gateway); hence
3way-handshake never finishes and firewall terminates (half-opened) TCP
sessions.
Workaround:
· Abuse packet filter doing some kind of route-to…
· Revert r248895, to be able to delete v4-iface-routes (inet6-routes can
be deleted without any hack)
Desired solution:
· Allow deletion of v4-iface-routes if FIB!=0.
Unfortunately my C skills don't allow me to implement this myself :-(
I can't even follow the code, I guess that was originally considered,
but possibly doesn't work because of a simple bug?!? I took the lazy way
and simply reverted r248895 instead of trying to understand
rtrequest1_fib(). I wish I had the time to learn…
Thanks for any help,
-Harry
Hi,
As was suggested before, as an immediate workaround you can set
net.add_addr_allfibs=0 so that the interface routes are added only in
the default FIB.
Yes, we made two behaviours.
Add interface routes to all active FIBS or only add them to the first
fib and let the user populate other fibs as needed.
It appears you want the second behaviour, so I suggest you use that
option and set up all your routes manually.
Hello,
last time I had the iface-route problem, I just reverted r248895 (for
9.3). There was inconsistent behaviour with v6 iface routes and
net.add_addr_allfibs=0.
Now I checked with 10.1 and it seems net.add_addr_allfibs=0 doesn't work
any more:
netstat -f inet -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.21.32.1        UGS         egn
127.0.0.1          link#2             UH          lo0
172.21.32.0/19     link#1             U           egn
172.21.35.1        link#1             UHS         lo0
netstat -F 1 -f inet -nr
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#2             UH          lo0
172.21.32.0/19     link#1             U           egn
'sysctl net.add_addr_allfibs'
net.add_addr_allfibs: 0
Are you sure net.add_addr_allfibs was applied before interface address
added?
Can you check recent 10-STABLE code? It might have more fixes related to
allfibs.
Shouldn't the routing table for fib1 stay empty? Can't remember the
result when I tested that with 9.3 :-(
Yes, it should. We're slowly moving in this direction.
Thanks,
-Harry
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
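The two practical questions raised in the thread are (a) how to verify that a jail's FIB really is free of the IPv4 connected-subnet ("iface-shortcut") route that makes replies bypass the router, and (b) how to populate that FIB by hand once net.add_addr_allfibs=0 stops the kernel from copying interface routes into it. The script below is an added example written for this page; it is not code from FreeBSD or from Harry's setup. It parses netstat(1) output with awk, using the FIB 1 listing quoted in the mail as one constructed sample and an invented "clean" listing as the other; the router address 172.21.35.254 and the interface name egn in the generated commands are placeholders. One caveat the thread points at: the sysctl must be in effect before rc.d/netif assigns addresses, so set net.add_addr_allfibs=0 in /boot/loader.conf next to net.fibs rather than at runtime, then re-check the non-default FIBs with the live function.

```shell
#!/bin/sh
# Added example for the freebsd-net thread above; not FreeBSD or Harry's code.
#  1. check that a jail's FIB carries no IPv4 connected-subnet (interface) route,
#     i.e. the shortcut that lets reply packets skip the router;
#  2. print the route(8) commands that populate such a FIB manually.

# Constructed sample input: the "netstat -F 1 -f inet -nr" output quoted in the
# mail, i.e. FIB 1 still carrying the 172.21.32.0/19 interface route.
SAMPLE_FIB1_BAD='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#2             UH          lo0
172.21.32.0/19     link#1             U           egn'

# Constructed sample of the same FIB once only the loopback host route, a
# pinned host route to the router and a manual default route are present.
SAMPLE_FIB1_GOOD='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.21.35.254      UGS         egn
127.0.0.1          link#2             UH          lo0
172.21.35.254      link#1             UHS         egn'

# iface_routes: from netstat -nr output on stdin, print the IPv4 interface
# (connected-subnet) routes: gateway is a link#N entry and the flags carry U
# but neither G (via a gateway) nor H (host route). Output: "<dest> <netif>".
iface_routes() {
    awk '$2 ~ /^link#/ && $3 ~ /U/ && $3 !~ /G/ && $3 !~ /H/ { print $1, $4 }'
}

# fib_has_iface_routes: succeed (exit 0) when the netstat output passed as $1
# contains at least one interface route, i.e. the shortcut is still there.
fib_has_iface_routes() {
    [ -n "$(printf '%s\n' "$1" | iface_routes)" ]
}

# check_fib_live: run the same check against the running system for FIB $1.
# Only meaningful on FreeBSD; the offline samples above do not exercise it.
check_fib_live() {
    if fib_has_iface_routes "$(netstat -F "$1" -f inet -nr)"; then
        echo "FIB $1 still has IPv4 interface routes (add_addr_allfibs=0 not in effect early enough?):"
        netstat -F "$1" -f inet -nr | iface_routes
        return 1
    fi
    echo "FIB $1 carries no IPv4 interface routes"
}

# fib_populate_cmds: print the commands that give FIB $1 a default route via
# router $2 over interface $3 without adding a connected-subnet route. The
# -host/-iface route pins the router to the interface so the default route can
# be installed; everything else, replies included, then crosses the router.
# setfib(1) and the route(8) modifiers are real; router and interface are
# placeholders supplied by the caller.
fib_populate_cmds() {
    printf 'setfib %s route -n add -host %s -iface %s\n' "$1" "$2" "$3"
    printf 'setfib %s route -n add default %s\n' "$1" "$2"
}

# Stand-alone run: report on the two constructed samples, then show the
# commands for a hypothetical jail FIB 1 behind router 172.21.35.254 on egn.
if fib_has_iface_routes "$SAMPLE_FIB1_BAD"; then
    echo "sample 1: interface route present, FIB 1 is not isolated from the subnet:"
    printf '%s\n' "$SAMPLE_FIB1_BAD" | iface_routes
fi
fib_has_iface_routes "$SAMPLE_FIB1_GOOD" || echo "sample 2: FIB 1 has no interface routes"
fib_populate_cmds 1 172.21.35.254 egn
```

Run it as-is to see the two samples classified, or on a FreeBSD host call check_fib_live 1 after boot to confirm that the loader tunable took effect before the addresses were configured; if it reports interface routes, the sysctl was applied too late and the FIB still has the shortcut Harry describes.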