Re: Kernel Routing sequence

From: Henrik Nordstrom
Date: Mon Aug 15 2005 - 15:53:59 EST


On Mon, 15 Aug 2005, Al Boldi wrote:

> Soininen Jonne (Nokia-NET/Helsinki) wrote:
> > Al, why are you worried that the echo reply goes out from a
> > different interface? It might be easier to understand what you want
> > if we would understand the problem.
>
> The problem is that the kernel is routing according to a fixed view of
> allowed subnets, i.e. overlapping subnets are not treated distinctly.
>
> It should be possible for the kernel to detect an IP subnet-collision
> on packet pickup, something like:
>
> eth0 is listening on 10.0.0.0/8
> eth0 picks up 10.0.1.2 on 10.0.0.0/8
> kernel checks the route table
> kernel discovers collision with 10.0.1.0/24 on eth1
> kernel adds 10.0.1.2/32 route on eth0 to ensure correct routing for
> return packets

And what do you propose it is supposed to do when it later sees a packet from 10.0.1.2 on eth1?

What you are looking for above is policy routing as mentioned numerous times in this discussion. With policy routing you simply define that return traffic from 10.0.0.1 (eth1) to 10.X goes out on eth0 and things just work, with the only restriction that clients on eth1 (10.0.1.2/24) should talk to 10.0.1.2 and clients on eth0 (10.0.0.1/8) should talk to 10.0.0.1.

The Linux kernel is not at all fixed in these views, but the default view is that one subnet exists in a single place only. If your network policy does not fit this for whatever reason then policy based routing can often solve your routing needs. And when policy routing alone is not sufficient, iptables MARK and CONNMARK can help provide additional feedback to the routing based on previous events seen for the traffic flow.

If policy based routing + CONNMARK cannot solve your problem then you are way too deep out in a big mess and really should consider redesigning the network, or when that is not possible, how you connect to it.

If you at all need to look at these features (policy routing and especially in combination with CONNMARK) then you are already in quite deep murky waters, and should consider redesigning your network.


But all of this can be adjusted to your liking. Even the hard restriction mentioned earlier that no clients may use an address which is assigned to a local interface. It is mostly a matter of making your routing policy correct. You can even run a Linux box with the same IP (let's say 172.16.0.1) assigned on two different interfaces each connecting to different client networks both sharing another IP (let's say 172.16.0.2). There are only some restrictions on TCP/IP reliability in such configurations if the clients happen to select the same client side port in their connections to the server, but most of the time it just works.

Regards
Henrik
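The policy routing and CONNMARK setup Henrik describes, written out as an added example (it is not part of the original thread and not Henrik's or Al's configuration). It assumes the addressing used in the discussion: 10.0.0.1/8 on eth0 and 10.0.1.2/24 on eth1, so 10.0.1.0/24 overlaps 10.0.0.0/8 and the main table would always send replies to 10.0.1.x out eth1. Table numbers 100/101 and marks 1/2 are arbitrary choices. By default the script only prints the commands; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed layout (from the
# discussion): 10.0.0.1/8 on eth0, 10.0.1.2/24 on eth1. Tables 100/101 and
# marks 1/2 are arbitrary.
EXT_IF=eth0; EXT_ADDR=10.0.0.1; EXT_NET=10.0.0.0/8;  EXT_TABLE=100; EXT_MARK=1
INT_IF=eth1; INT_ADDR=10.0.1.2; INT_NET=10.0.1.0/24; INT_TABLE=101; INT_MARK=2

# DRY_RUN=1 (the default) prints each command; DRY_RUN=0 executes it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Source-based policy routing. A reply is sent from the address the client
# talked to, so "from <address>" selects a table whose only route points back
# out the interface that address lives on. The overlapping 10.0.1.0/24 entry
# in the main table is never consulted for these replies.
setup_policy_routing() {
    run ip route add "$EXT_NET" dev "$EXT_IF" src "$EXT_ADDR" table "$EXT_TABLE"
    run ip rule add from "$EXT_ADDR" lookup "$EXT_TABLE"
    run ip route add "$INT_NET" dev "$INT_IF" src "$INT_ADDR" table "$INT_TABLE"
    run ip rule add from "$INT_ADDR" lookup "$INT_TABLE"
}

# CONNMARK variant, layered on the tables above: remember the interface a
# flow arrived on in its conntrack entry, copy the mark back onto reply and
# forwarded packets, and route on the mark. This also covers flows where the
# source address alone cannot tell the two sides apart.
setup_connmark_routing() {
    run iptables -t mangle -A PREROUTING -i "$EXT_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$EXT_MARK"
    run iptables -t mangle -A PREROUTING -i "$INT_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$INT_MARK"
    # locally generated replies (OUTPUT) and forwarded packets (PREROUTING)
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run ip rule add fwmark "$EXT_MARK" lookup "$EXT_TABLE"
    run ip rule add fwmark "$INT_MARK" lookup "$INT_TABLE"
}

setup_policy_routing
setup_connmark_routing
```

The "from" rules alone are enough for the case in the thread (a host answering pings or connections on the address a client reached it at); the fwmark rules only matter once replies are not sourced from a distinguishing address, which is exactly when Henrik says CONNMARK starts to be needed. A lookup in table 100 or 101 that finds no route falls through to the next rule, so unrelated traffic still uses the main table.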