Deleting IPv4 iface-routes from extra FIBs

Alan Somers asomers at freebsd.org
Thu Apr 24 23:15:16 UTC 2014


On Thu, Apr 24, 2014 at 5:00 PM, Chris Smith <chris at nevermind.co.nz> wrote:
> On 24/04/14 18:24, Alexander V. Chernikov wrote:
>>
>> On 24.04.2014 01:56, Chris Smith wrote:
>>>
>>> On 23/04/14 19:55, Julian Elischer wrote:
>>>>
>>>> On 4/23/14, 4:38 AM, Nikolay Denev wrote:
>>>>>
>>>>> On Tue, Apr 22, 2014 at 5:37 PM, Harald Schmalzbauer
>>>>> <h.schmalzbauer at omnilan.de> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> here, http://svnweb.freebsd.org/base?view=revision&revision=248895
>>>>>> interface route protection was added (so the following problem arose
>>>>>> with 9.2).
>>>>>>
>>>>>> Unfortunately, in my case, I must be able to delete these routes;
>>>>>> not in
>>>>>> the default FIB, but in jail's fibs, because:
>>>>>> · Host is multihomed with multiple nics in different subnets.
>>>>>> · Jail's IP (no vnet) is from a different subnet than host's
>>>>>> default-router subnet – jail has no ip in the range of host's
>>>>>> default-router!!!
>>>>>> · FIB used by jail contains valid default-router.
>>>>>>
>>>>>> Problem:
>>>>>> If iface-routes exist in jail's FIB, answer-packets take the
>>>>>> iface-shortcut, not trespassing the router (default gateway); hence
>>>>>> 3way-handshake never finishes and firewall terminates (half-opened)
>>>>>> TCP
>>>>>> sessions.
>>>>>>
>>>>>> Workaround:
>>>>>> · Abuse packet filter doing some kind of route-to…
>>>>>> · Revert r248895, to be able to delete v4-iface-routes (inet6-routes
>>>>>> can
>>>>>> be deleted without any hack)
>>>>>>
>>>>>> Desired solution:
>>>>>> · Allow deletion of v4-iface-routes if FIB!=0.
>>>>>>
>>>>>> Unfortunately my C skills don't allow me to implement this myself :-(
>>>>>> I can't even follow the code, I guess that was originally considered,
>>>>>> but possibly doesn't work because of a simple bug?!? I took the lazy
>>>>>> way
>>>>>> and simply reverted r248895 instead of trying to understand
>>>>>> rtrequest1_fib(). I wish I had the time to learn…
>>>>>>
>>>>>> Thanks for any help,
>>>>>>
>>>>>> -Harry
>>>>>>
>>>>> Hi,
>>>>>
>>>>> As it was suggested before as immediate workaround you can set
>>>>> net.add_addr_allfibs=0 so that the interface routes are added only in
>>>>> the default FIB.
>>>>
>>>> yes, we made two behaviours.
>>>> Add interface routes to all active FIBS or only add them to the first
>>>> fib and let the user populate other fibs as needed.
>>>> It appears you want the second behaviour, so I suggest you use that
>>>> option and set up all your routes manually.
>>>>
>>> Ah, this explains a thing or two.
>>
>> There is an ongoing work to
>> 1) make fibs/allfibs=0 to work better
>> 2) Move forward to make allfibs=0 as default value.
>>>
>>> So when allfibs=0 and an interface is brought up, it's added to the first
>>> FIB automatically (and cannot be removed).
>>>
>>> Is there a way to change which fib the interface route is brought up on?
>>> I tried to 'setfib x ifconfig ....' which didn't work.
>>
>> This will be fixed in near future.
>>>
>>> Failing that, is there a way to change the systems global FIB without
>>> having to run every service with setfib? Basically, the behaviour I want
>>> is for interface routes to be brought up on NO fibs, and manually add
>>> them to the fibs I need it on.
>>
>> If ifconfig_ifaceX="fib X inet 1.2.3.4/30" works as expected (changes
>> interface fib to chosen one and announce interface route and host route
>> in this particular fib) - does this sound OK to you?
>
> Yes this sounds good.
>
> If I'm not mistaken the interface FIB only makes sense when the system is
> routing? Because the issue I have is that SYN ACKs from services are being
> routed via the wrong interfaces and interface FIBs do not appear to affect
> that.

The interface FIB is used when forwarding packets and when creating
the initial subnet and host routes when you assign an interface
address.  It's not used for outbound traffic (except in that it
determines where the host and subnet routes get created).  There are
several other FIB bugs that I'm actively working on.  kern/187553
might be related to your problem; it would be great if you could make
a test case.

>
> Allowing interface routes on different FIBs will fix that I think. Or being
> able to remove interface routes from a FIB.
>
> In the mean time, I will probably use FIBs (as opposed to vnet) for my
> jails, but find a way to run the hosts SSHd with a specific FIB. Any easy
> way to do that? Or to specify a system "default FIB" other than 0?

In FreeBSD 10 you can put "sshd_fib=1" in /etc/rc.conf to change that
process's fib.  That will affect the routing of sshd's outbound
packets.  If you also want to limit which interfaces sshd listens on,
you can do that with pf or by setting the ListenAddress in
sshd_config.

-Alan

>
>>>>> --Nikolay
>>>>> _______________________________________________
>>>>> freebsd-net at freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>>>>
>>>>>
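Added example, not code from the thread or from FreeBSD: a POSIX shell check that runs over a constructed `netstat -rn -F <fib>` dump and lists the IPv4 interface routes in a jail's FIB that would let reply packets take the "iface-shortcut" past the default gateway, the failure mode Harald describes above. The sample table, the addresses and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Constructed sample of what `netstat -rn -F 1` might print for a jail's FIB 1
# (addresses and interfaces are made up for this example).
SAMPLE_FIB1='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         em1
192.0.2.0/24       link#1             U           em0
192.0.2.10         link#1             UHS         lo0
198.51.100.0/24    link#2             U           em1
198.51.100.20      link#2             UHS         lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
2001:db8::/64      link#1             U           em0'

# Print "prefix netif" for each IPv4 interface route in a routing-table dump:
# the destination is a prefix (contains "/", no ":"), the gateway is a link#N
# entry and the flags carry U but no G (not reached via a gateway).
iface_routes() {
    printf '%s\n' "$1" | awk '
        $1 ~ /\// && $1 !~ /:/ && $2 ~ /^link#/ && $3 ~ /U/ && $3 !~ /G/ {
            print $1, $4
        }'
}

# Given a dump and the prefix the jail address itself lives in, list the
# interface routes for *other* subnets: answers to hosts in those subnets
# would bypass the FIB's default gateway instead of being routed through it.
shortcut_routes() {
    iface_routes "$1" | awk -v own="$2" '$1 != own { print $1, $2 }'
}

# Return 0 when the FIB carries a default route through a gateway (G flag),
# i.e. when the shortcut routes above actually matter for reply traffic.
has_default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $3 ~ /G/ { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# Stand-alone use: report the interface routes worth removing from FIB 1.
if has_default_gateway "$SAMPLE_FIB1"; then
    shortcut_routes "$SAMPLE_FIB1" 198.51.100.0/24
fi
```

On a live system the dump would come from `setfib N netstat -rn -F N` (or `netstat -rn -F N`), which this example only stands in for.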
