Deleting IPv4 iface-routes from extra FIBs

Harald Schmalzbauer h.schmalzbauer at omnilan.de
Tue Apr 22 16:37:30 UTC 2014


Hello,

here, http://svnweb.freebsd.org/base?view=revision&revision=248895
interface route protection was added (so the following problem arose
with 9.2).

Unfortunately, in my case, I must be able to delete these routes; not in
the default FIB, but in jail's fibs, because:
· Host is multihomed with multiple nics in different subnets.
· Jail's IP (no vnet) is from a different subnet than host's
default-router subnet – jail has no ip in the range of host's
default-router!!!
· FIB used by jail contains valid default-router.

Problem:
If iface-routes exist in jail's FIB, answer-packets take the
iface-shortcut, not trespassing the router (default gateway); hence
3way-handshake never finishes and firewall terminates (half-opened) TCP
sessions.

Workaround:
· Abuse packet filter doing some kind of route-to…
· Revert r248895, to be able to delete v4-iface-routes (inet6-routes can
be deleted without any hack)

Desired solution:
· Allow deletion of v4-iface-routes if FIB!=0.

Unfortunately my C skills don't allow me to implement this myself :-(
I can't even follow the code, I guess that was originally considered,
but possibly doesn't work because of a simple bug?!? I took the lazy way
and simply reverted r248895 instead of trying to understand
rtrequest1_fib(). I wish I had the time to learn…

Thanks for any help,

-Harry
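
The routing effect described in the message, as an added example that is not part of the original post: a small longest-prefix-match model of a jail's FIB, showing that a reply to a client takes the interface route instead of the default router until that route is removed. All addresses (documentation ranges), interface names and helper names are constructed assumptions; this is a model, not the kernel's routing code.

```python
import ipaddress

def route(net, gateway, iface):
    # gateway None marks a directly connected (interface) route
    return {"net": ipaddress.ip_network(net), "gw": gateway, "if": iface}

def lookup(fib, dst):
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in fib if addr in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None

def reply_path(fib, dst):
    """Return (next hop, interface) a reply to dst would use, or None."""
    r = lookup(fib, dst)
    if r is None:
        return None
    return ("direct" if r["gw"] is None else "via " + r["gw"], r["if"])

def bypassing_routes(fib, jail_ip):
    """Interface routes for subnets in which the jail has no address.
    Replies matching these skip the default router (and its firewall)."""
    jail = ipaddress.ip_address(jail_ip)
    return [r for r in fib if r["gw"] is None and jail not in r["net"]]

# Constructed topology (assumption): host NIC em0 sits in the client's
# subnet, NIC em1 in the jail's subnet; the jail's FIB defaults to ROUTER.
JAIL_IP = "198.51.100.10"
ROUTER = "198.51.100.1"
CLIENT = "192.0.2.50"

jail_fib = [
    route("0.0.0.0/0", ROUTER, "em1"),
    route("198.51.100.0/24", None, "em1"),  # jail's own subnet
    route("192.0.2.0/24", None, "em0"),     # iface route of the other NIC
]

def pruned(fib, jail_ip):
    """The FIB with the bypassing interface routes deleted."""
    drop = bypassing_routes(fib, jail_ip)
    return [r for r in fib if r not in drop]

if __name__ == "__main__":
    print("with iface route:   ", reply_path(jail_fib, CLIENT))
    print("iface route deleted:", reply_path(pruned(jail_fib, JAIL_IP), CLIENT))
```

With the interface route present, the reply leaves directly on em0 and the router never sees the second step of the handshake; with it deleted, the reply follows the default route through the router.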


More information about the freebsd-stable mailing list