source route ignored in favor of local interface

source route ignored in favor of local interface

[Joe Buehler]

I have a LINUX box talking on many different networks at the same time.  Since
IP addresses on the networks can overlap (they are completely different
networks) we use source routing and NAT to get packets going in and out of the
right interfaces.

Everything works great, with one exception.  If I try to talk to a remote host
that happens to have the same IP address as one of my interfaces, the kernel
routes the packet to the local interface.

It looks to me as though the problem is that the source routes are lower
priority than the local interfaces.  As soon as the kernel sees a destination
address that matches a local interface it routes to the local interface and pays
no attention to the source route.

I consider this a bug.  Is there any way to change this behavior?

The kernel involved is 2.6.27.7, with patches from Cavium for support of their
hardware.

Joe Buehler

Re: source route ignored in favor of local interface

[Chris Friesen]

On 03/01/2011 08:57 AM, Joe Buehler wrote:
> I have a LINUX box talking on many different networks at the same time.  Since
> IP addresses on the networks can overlap (they are completely different
> networks) we use source routing and NAT to get packets going in and out of the
> right interfaces.
> 
> Everything works great, with one exception.  If I try to talk to a remote host
> that happens to have the same IP address as one of my interfaces, the kernel
> routes the packet to the local interface.
> 
> It looks to me as though the problem is that the source routes are lower
> priority than the local interfaces.  As soon as the kernel sees a destination
> address that matches a local interface it routes to the local interface and pays
> no attention to the source route.
> 
> I consider this a bug.  Is there any way to change this behavior?

How exactly do you expect it to handle this case?  You've explicitly
told your host that its address is X, so why would it expect to find
that address assigned to another machine on the network?  Suppose you
have an app listening on INADDR_ANY, and it gets a packet from that
adddres--how does it know whether the packet is destined to the local
machine or the remote one?

If you really want to modify things, have you looked at your ip rules?
"ip ru" will dump them.  Typically it looks something like

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

The last item in each row is the name of the routing table.  As you can
see, the first rule is for local interfaces, and a later rule deals with
the main and default routing tables.

You could move the local lookup to rule 1 and add in a new rule 0
specifically dealing with your situation.

Chris



-- 
Chris Friesen
Software Developer
GENBAND
chris.friesen@genband.com
www.genband.com

Re: source route ignored in favor of local interface

[Joe Buehler]

> If you really want to modify things, have you looked at your ip rules?
> "ip ru" will dump them.  Typically it looks something like
> 
> 0:      from all lookup local
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> The last item in each row is the name of the routing table.  As you can
> see, the first rule is for local interfaces, and a later rule deals with
> the main and default routing tables.
> 
> You could move the local lookup to rule 1 and add in a new rule 0
> specifically dealing with your situation.

We have tried some variations on modifications to ip rules, but the
kernel appears to treat rule 0 specially -- it cannot be deleted, for
example.  This results in the enforcing of local interfaces before
source routes -- surely something that should be a policy decision, not
hard-coded.

Let me rephrase and ask: Does anyone know how to replace the priority 0
rule?

Joe Buehler

Re: source route ignored in favor of local interface

[Ben Greear]

On 03/01/2011 11:31 AM, Joe Buehler wrote:
>> If you really want to modify things, have you looked at your ip rules?
>> "ip ru" will dump them.  Typically it looks something like
>>
>> 0:      from all lookup local
>> 32766:  from all lookup main
>> 32767:  from all lookup default
>>
>> The last item in each row is the name of the routing table.  As you can
>> see, the first rule is for local interfaces, and a later rule deals with
>> the main and default routing tables.
>>
>> You could move the local lookup to rule 1 and add in a new rule 0
>> specifically dealing with your situation.
>
> We have tried some variations on modifications to ip rules, but the
> kernel appears to treat rule 0 specially -- it cannot be deleted, for
> example.  This results in the enforcing of local interfaces before
> source routes -- surely something that should be a policy decision, not
> hard-coded.
>
> Let me rephrase and ask: Does anyone know how to replace the priority 0
> rule?

You can do this on more modern kernels (2.6.36 and later definately works..not sure
about earlier).

		ip rule add pref 512 lookup local
		ip rule del pref 0 lookup local

Thanks,
Ben

>
> Joe Buehler
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

Re: source route ignored in favor of local interface

[Joe Buehler]

Ben Greear wrote:

> You can do this on more modern kernels (2.6.36 and later definately
> works..not sure
> about earlier).
> 
>         ip rule add pref 512 lookup local
>         ip rule del pref 0 lookup local
> 

The kernel change for this in later kernels was simple enough -- there
is a flag that prevents deletion of the "local" table rule, just remove
the flag.  Here is a patch for 2.6.24.7.  The patch for 2.6.27.7 (I am
using both versions) is almost the same.

--- old/net/ipv4/fib_rules.c	2008-01-24 17:58:37.000000000 -0500
+++ new/net/ipv4/fib_rules.c	2011-06-08 14:01:19.000000000 -0400
@@ -297,7 +297,7 @@
 	int err;

 	err = fib_default_rule_add(&fib4_rules_ops, 0,
-				   RT_TABLE_LOCAL, FIB_RULE_PERMANENT);
+				   RT_TABLE_LOCAL, 0);
 	if (err < 0)
 		return err;
 	err = fib_default_rule_add(&fib4_rules_ops, 0x7FFE,
--- old/net/ipv6/fib6_rules.c	2008-01-24 17:58:37.000000000 -0500
+++ new/net/ipv6/fib6_rules.c	2011-06-08 14:01:34.000000000 -0400
@@ -256,7 +256,7 @@
 	int err;

 	err = fib_default_rule_add(&fib6_rules_ops, 0,
-				   RT6_TABLE_LOCAL, FIB_RULE_PERMANENT);
+				   RT6_TABLE_LOCAL, 0);
 	if (err < 0)
 		return err;
 	err = fib_default_rule_add(&fib6_rules_ops, 0x7FFE, RT6_TABLE_MAIN, 0);


Joe Buehler