policy routing and src addr verification

From: Valentijn Sessink (valentyn+killspam@nospam.openoffice.nl)
Date: Thu Jul 13 2000 - 06:45:40 EST


Hi all,

There's an anomaly in 2.2.16 that has to do with policy routing and
source address verification. The kernel seems to not always be able to
do the correct verification if there's complex ruling involved.

*** Setup ***
                [eth: external-1 ]-----> myISP
mailhost--+-----[policy-routing 2.2.16]
          | [eth: external 2 ]-----> someISP
somehost--+

("poor man's dual homing").

mailhost = 192.168.1.10
somehost = 192.168.1.15

external 1 has the default route set (with dhclient)

Rules:
ip ru a from mailhost/32 to 0/0 pref 500 table main
ip ru a to someISP.0.0/16 pref 1000 table 10
ip ro a someISP.0.0/16 src external-2 via someISP-node dev ppp0 table 10

which means that *all* traffic from the mailhost goes to myISP, then
traffic to "someISP" goes to someISP. Any other traffic ("default") goes
to myISP as well. Of course, the internal network is masqueraded.

*** Problem ***
mailhost$ ping -c 1 someISP
- someISP ping statistics: 100% packet loss
mailhost$ ping -c 1 Whatever
- Whatever ping statistics: 0% packet loss

(this means: it's not mailhost that is wrong here, the network is OK)

somehost$ ping -c 1 someISP
- someISP ping statistics: 0% packet loss

Hey, someISP seems to be OK, too. So, it might be a problem with source
address verification, so I type:
policy-routing# for N in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $N; done

Et voilà:
mailhost$ ping -c 1 someISP
- someISP ping statistics: 0% packet loss

Then, I turn on the source address verify again:
policy-routing# for N in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $N; done

... which results, strangely enough, in:
mailhost$ ping -c 1 someISP
- someISP ping statistics: 0% packet loss

... but a new host gives me:
mailhost$ ping -c 1 someISP-otherserver
- someISP-otherserver ping statistics: 100% packet loss

A packet analyzer shows that, with src route vrfy on:

mailhost ---> ICMP ---> policy-routing
policy-routing-external-1 ->---->[myISP]--->someISP
someISP->---[myISP]--->policy-routing-external-1

then seems to drop afterwards (the last step isn't taken).

The problem is, probably, that the policy routing, then masquerading,
flips Linux into thinking that someISP coming from external-1 is a
forgery.

Now I would agree immediately that having source route verification on a
network that is connected to the outside world might be useless, since a
few IPchains rules can accomplish the same. Nevertheless, the current
implementation could use some minor tweaking.

I'm sorry that, not being a kernel hacker, I cannot do anything more. I
tried to find source address verification in the sources, but I couldn't
find it (yeah, stupid huh?). Maybe this is a programming issue, it might
also be just a documentation issue ("you cannot use source address
verification if you have policy routing with masquerading turned on").
I'm also not sure what happens in the above setup if I turn off
masquerading, but I am unfortunately unable to test this, as I don't
have an IP range with which I can test it.

Nevertheless, I hope this helps building Linux :-)

Best regards,

Valentijn Sessink
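Added here as an illustration, not part of the original post: a small Python model of a strict reverse-path check (rp_filter) that routes back towards a packet's source through the same policy rules the post configures, so the reader can see which direction the reply from someISP is expected on. All addresses are constructed placeholders for mailhost, somehost, someISP and the two external interfaces; the rule preferences and table number follow the post.

```python
import ipaddress

# Constructed addresses standing in for the post's placeholders (not real ISP space).
SOMEISP_NET  = ipaddress.ip_network("198.51.100.0/24")  # "someISP", reached via ppp0 (external-2)
MAILHOST     = ipaddress.ip_address("192.168.1.10")
SOMEHOST     = ipaddress.ip_address("192.168.1.15")
EXTERNAL_1   = ipaddress.ip_address("203.0.113.7")      # DHCP address on external-1 (eth0)
EXTERNAL_2   = ipaddress.ip_address("198.51.100.200")   # address on external-2 (ppp0)
SOMEISP_HOST = ipaddress.ip_address("198.51.100.25")

# Routing tables as (prefix, output device). "main" holds the LAN and the DHCP default via eth0;
# table 10 holds the "ip ro a someISP.0.0/16 ... dev ppp0 table 10" route from the post.
TABLES = {
    "main": [(ipaddress.ip_network("192.168.1.0/24"), "eth1"),
             (ipaddress.ip_network("0.0.0.0/0"), "eth0")],
    "10":   [(SOMEISP_NET, "ppp0")],
}

# Policy rules in preference order: "from mailhost/32 pref 500 table main",
# "to someISP pref 1000 table 10", then the implicit catch-all lookup of main.
RULES = [
    (500,   {"from": ipaddress.ip_network("192.168.1.10/32")}, "main"),
    (1000,  {"to": SOMEISP_NET}, "10"),
    (32766, {}, "main"),
]

def lookup(src, dst):
    """Device chosen by the first rule that matches (src, dst) and whose table routes dst."""
    for _pref, sel, table in RULES:
        if "from" in sel and src not in sel["from"]:
            continue
        if "to" in sel and dst not in sel["to"]:
            continue
        for prefix, dev in sorted(TABLES[table], key=lambda r: -r[0].prefixlen):
            if dst in prefix:
                return dev
    return None

def rp_filter_accepts(pkt_src, pkt_dst, iif):
    """Strict reverse-path check: swap the addresses, route back towards the packet's
    source through the same policy rules, and accept only if the chosen device is the
    interface the packet actually arrived on."""
    return lookup(pkt_dst, pkt_src) == iif

if __name__ == "__main__":
    # Reply from someISP to mailhost's masqueraded (external-1) address, arriving on eth0:
    # rule 1000 sends the reverse lookup to table 10 and ppp0, so the packet is rejected.
    print("reply via external-1:", rp_filter_accepts(SOMEISP_HOST, EXTERNAL_1, "eth0"))  # False
    # The same reply for somehost, which went out on ppp0, comes back on ppp0 and passes.
    print("reply via external-2:", rp_filter_accepts(SOMEISP_HOST, EXTERNAL_2, "ppp0"))  # True
```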




This archive was generated by hypermail 2b29 : Sat Jul 15 2000 - 21:00:16 EST