Discussion:
npf and source routing
Manuel Bouyer
2020-10-11 10:33:14 UTC
Hello,
on a multihomed host I'd need to do some source based routing: it has 2
default routes on 2 different interfaces, I want replies to packets coming from
vlan0 to go out via vlan0, and replies to packets coming from vlan1 to go out
via vlan1. I have the default route set to the router on vlan0.

With ipf this would be something like:
pass out on vlan0 to vlan1:10.0.0.1 from 10.0.0.0/24 to any

Is it possible to do something similar with npf? I didn't find this in
npf.conf.
--
Manuel Bouyer <***@antioche.eu.org>
NetBSD: 26 ans d'experience feront toujours la difference
--

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Mouse
2020-10-11 12:58:48 UTC
on a multihomed host I'd need to do some source based routing: [...]
Sounds like what srt is designed for. (If srt has survived to the
version you're using, that is.)

Of course, I may be a trifle biased.... :-)

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Manuel Bouyer
2020-10-11 17:43:54 UTC
Post by Mouse
on a multihomed host I'd need to do some source based routing: [...]
Sounds like what srt is designed for. (If srt has survived to the
version you're using, that is.)
srt is still here. But the documentation isn't very explicit on setup;
how do you force outgoing packets to go through srt ?
--
Manuel Bouyer <***@antioche.eu.org>
NetBSD: 26 ans d'experience feront toujours la difference
--

Mouse
2020-10-11 18:52:59 UTC
Post by Mouse
Sounds like what srt is designed for. (If srt has survived to the
version you're using, that is.)
srt is still here. But the documentation isn't very explicit on
setup; how do you force outgoing packets to go through srt ?
The same way you get outgoing traffic to use any other interface. I
typically do it by establishing a route out the srt interface,
something like

ifconfig srt0 my.ad.dre.ss 10.255.255.254
route add default 10.255.255.254
...srtconfig commands to set up srt0...

(I usually use srt0 for my default route. Change the route add as
appropriate.)

If I assume a setup like

vlan0 10.0.0.2/24, upstream at 10.0.0.1
vlan1 172.16.0.2/24, upstream at 172.16.0.1

with connections I initiate using the vlan0 address, then my first cut
would be something like

...set up vlan0 and vlan1...
ifconfig srt0 10.0.0.2 10.255.255.254
route add default 10.255.255.254
srtconfig srt0 set 0 10.0.0.0/24 vlan0 10.0.0.1
srtconfig srt0 set 1 172.16.0.0/24 vlan1 172.16.0.1

The choice of 10.0.0.2 as the srt0 address is because connections this
host initiates will, at least in my experience, use the primary address
of the interface the default route points out as their address, and I
assumed host-initiated connections should use the vlan0 address.

If vlan0 and/or vlan1 use(s) DHCP for addressing, I'd use the hooks
provided by dhclient-script to prevent DHCP from actually installing a
default route in the kernel.

I don't recall whether I ever made srt handle IPv6.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Roy Marples
2020-10-11 20:18:10 UTC
Post by Mouse
If vlan0 and/or vlan1 use(s) DHCP for addressing, I'd use the hooks
provided by dhclient-script to prevent DHCP from actually installing a
default route in the kernel.
For reference this is also do-able in dhcpcd in two ways
1) follow the mouse and tell dhcpcd not to install a default route:

Add nogateway to dhcpcd.conf
OR
dhcpcd_flags="-G" in rc.conf

2) tell dhcpcd to use a low metric to ensure it takes precedence and use the
destination address as the default route.

interface srt0
metric 0
static ip_address=
destination routers

The latter solution allows you to take down srt0 and dhcpcd will swap the
default route to the next preferred interface. And restore it when you bring
srt0 back again.

Roy

Manuel Bouyer
2020-10-14 13:06:28 UTC
Post by Mouse
Post by Mouse
Sounds like what srt is designed for. (If srt has survived to the
version you're using, that is.)
srt is still here. But the documentation isn't very explicit on
setup; how do you force outgoing packets to go through srt ?
The same way you get outgoing traffic to use any other interface. I
typically do it by establishing a route out the srt interface,
something like
ifconfig srt0 my.ad.dre.ss 10.255.255.254
route add default 10.255.255.254
...srtconfig commands to set up srt0...
(I usually use srt0 for my default route. Change the route add as
appropriate.)
If I assume a setup like
vlan0 10.0.0.2/24, upstream at 10.0.0.1
vlan1 172.16.0.2/24, upstream at 172.16.0.1
with connections I initiate using the vlan0 address, then my first cut
would be something like
...set up vlan0 and vlan1...
ifconfig srt0 10.0.0.2 10.255.255.254
route add default 10.255.255.254
srtconfig srt0 set 0 10.0.0.0/24 vlan0 10.0.0.1
srtconfig srt0 set 1 172.16.0.0/24 vlan1 172.16.0.1
Unfortunately I couldn't get it to work. When I set the default route
to 10.255.255.254, packets don't go out on either interface.
This is on netbsd-9 evbarm.

So back to ipfilter (yet another reason why we need to keep ipfilter, it seems)
--
Manuel Bouyer <***@antioche.eu.org>
NetBSD: 26 ans d'experience feront toujours la difference
--

Robert Elz
2020-10-14 14:47:51 UTC
Date: Wed, 14 Oct 2020 15:06:28 +0200
From: Manuel Bouyer <***@antioche.eu.org>
Message-ID: <***@mail.soc.lip6.fr>

| Unfortunately I couldn't get it to work. When I set the default route
| to 10.255.255.254, packets don't go out on either interface.
| This is on netbsd-9 evbarm.

That should work, if configured properly.

Check the routing table, make sure that the default route picked
srt0 as its destination interface (and the rest of the routing
is correct). srt simply calls the interface output routine for the
interface selected by the source addr matching, so as long as the
packets you want to switch this way all go to the srt interface,
and the src addr of those packets matches something you have configured
with srtconfig, it should just work.

kre


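The check kre asks for above, as an added example (not code from the thread or from NetBSD): given the text of a `netstat -rn -f inet` listing, confirm that the IPv4 default route is bound to the srt interface and points at the address given as srt0's destination, and that that destination has a host route over srt0 (which assigning the point-to-point destination with ifconfig is expected to install). The listings embedded below are constructed samples in the NetBSD column layout; the parser relies only on the Destination, Gateway, Flags and Interface columns, and the function names are invented here.

```python
"""Routing-table check for an srt-based default route (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: what the table should look like after Mouse's setup.
SAMPLE_OK = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu Interface
default            10.255.255.254     UGS         -        -      -  srt0
10.0.0/24          link#2             UC          -        -      -  vlan0
10.0.0.1           00:11:22:33:44:55  UHLc        -        -      -  vlan0
10.255.255.254     10.0.0.2           UH          -        -      -  srt0
127.0.0.1          lo0                UH          -        -  33624  lo0
172.16.0/24        link#3             UC          -        -      -  vlan1

Internet6:
Destination        Gateway            Flags    Refs      Use    Mtu Interface
::1                ::1                UH          -        -  33624  lo0
"""

# Constructed sample: a DHCP client installed its own default route on vlan0.
SAMPLE_DHCP_DEFAULT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu Interface
default            10.0.0.1           UGS         -        -      -  vlan0
10.0.0/24          link#2             UC          -        -      -  vlan0
10.255.255.254     10.0.0.2           UH          -        -      -  srt0
"""


def parse_routes(text: str, family: str = "Internet") -> List[Dict[str, str]]:
    """Rows of one address-family section ("Internet:" or "Internet6:")."""
    rows: List[Dict[str, str]] = []
    in_section = False
    for line in text.splitlines():
        if not line.strip():
            in_section = False          # a blank line ends the section
            continue
        if line.rstrip() == f"{family}:":
            in_section = True
            continue
        if not in_section or line.startswith("Destination"):
            continue
        cols = line.split()
        if len(cols) < 4:
            continue
        rows.append({"destination": cols[0], "gateway": cols[1],
                     "flags": cols[2], "iface": cols[-1]})
    return rows


def default_route(rows: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    for r in rows:
        if r["destination"] == "default":
            return r
    return None


def check_srt_default(text: str, srt_if: str = "srt0",
                      srt_far: str = "10.255.255.254") -> Tuple[bool, str]:
    """True when the default route goes out srt_if via srt_far; else why not."""
    rows = parse_routes(text)
    d = default_route(rows)
    if d is None:
        return False, "no IPv4 default route at all"
    if d["iface"] != srt_if:
        return False, (f"default route is bound to {d['iface']} (gateway "
                       f"{d['gateway']}), not {srt_if}; check for a DHCP-installed route")
    if d["gateway"] != srt_far:
        return False, f"default route on {srt_if} points at {d['gateway']}, expected {srt_far}"
    far = [r for r in rows if r["destination"] == srt_far]
    if not far or far[0]["iface"] != srt_if:
        return False, (f"no host route to {srt_far} over {srt_if}; was {srt_if} "
                       f"given {srt_far} as its destination address?")
    return True, f"default -> {srt_far} via {srt_if}"


if __name__ == "__main__":
    import subprocess, sys
    # On a NetBSD host: feed the live table in instead of the sample.
    live = subprocess.run(["netstat", "-rn", "-f", "inet"], capture_output=True,
                          text=True).stdout if sys.platform.startswith("netbsd") else SAMPLE_OK
    ok, why = check_srt_default(live)
    print("OK" if ok else "PROBLEM", "-", why)
```

On the real host, run it as-is on NetBSD or pipe `netstat -rn -f inet` into `check_srt_default`; a "PROBLEM" line naming vlan0 or vlan1 as the default's interface is the DHCP case Mouse and Roy describe.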
Manuel Bouyer
2020-10-14 15:25:18 UTC
Post by Robert Elz
Date: Wed, 14 Oct 2020 15:06:28 +0200
| Unfortunately I couldn't get it to work. When I set the default route
| to 10.255.255.254, packets don't go out on either interface.
| This is on netbsd-9 evbarm.
That should work, if configured properly.
Check the routing table, make sure that the default route picked
srt0 as its destination interface (and the rest of the routing
is correct). srt simply calls the interface output routine for the
interface selected by the source addr matching, so as long as the
packets you want to switch this way all go to the srt interface,
and the src addr of those packets matches something you have configured
with srtconfig, it should just work.
but it doesn't. I double-checked everything, rebooted and created the
setup again; nothing changed. As soon as I set up the route through
srt0, the outgoing packets for non-local networks seem to fall into a black
hole. I can't see them on any interface.

Anyway with ipf it works, so that's what I'm going to use for now.
--
Manuel Bouyer <***@antioche.eu.org>
NetBSD: 26 ans d'experience feront toujours la difference
--

Anthony Mallet
2020-10-12 10:34:30 UTC
Post by Mouse
Sounds like what srt is designed for. (If srt has survived to the
version you're using, that is.)
I remember I wanted to give it a try some time ago, but the "srt is
EXPERIMENTAL" comment in conf/ALL discouraged me. Is that comment
still relevant?

Anyway, thanks for the setup tutorial! Maybe it should be added to the
srtconfig man page?

Mouse
2020-10-12 11:12:41 UTC
Post by Anthony Mallet
Post by Mouse
Sounds like what srt is designed for.
I remember I wanted to git it a try some time ago, but the "srt is
EXPERIMENTAL" comment in conf/ALL discouraged me. Is that comment
still relevant?
I don't know. I've been using it routinely. I'm not aware of anyone
else who has been, but I wouldn't expect to be. I have not, however,
been using it in anything past 5.2, because I don't run anything past
5.2 (for unrelated reasons)[%], so I have no experience to say whether
or not it's bitrotted.

[%] Except at work, and the work setup isn't using srt.
Post by Anthony Mallet
Anyway, thanks for the setup tutorial! Maybe it should be added to
the srtconfig man page?
You're welcome! Putting it somewhere would be reasonable - either in
the manpage or somewhere else (/usr/share/examples?) with a pointer
from the manpage.

Rereading what I wrote, though, I think I made a mistake.
Post by Anthony Mallet
srtconfig srt0 set 0 10.0.0.0/24 vlan0 10.0.0.1
srtconfig srt0 set 1 172.16.0.0/24 vlan1 172.16.0.1
I think those need to be

srtconfig srt0 set 0 10.0.0.0 /24 vlan0 10.0.0.1
srtconfig srt0 set 1 172.16.0.0 /24 vlan1 172.16.0.1

(this is a misfeature in srtconfig; someone(tm) should fix it).

It's been years since I was in a position to commit anything, though.
I could send-PR it, or you could; since you're presumably using the
more recent system, it might make more sense for you to.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Robert Elz
2020-10-12 12:53:23 UTC
Date: Mon, 12 Oct 2020 07:12:41 -0400 (EDT)
From: Mouse <***@Rodents-Montreal.ORG>
Message-ID: <***@Stone.Rodents-Montreal.ORG>

| I've been using it routinely. I'm not aware of anyone else who has been,

I do, it is used for IPv6 routing on munnari to deal with ingress
filtering in the two (different) v6 networks that munnari is connected to.

My config is different from yours, I don't bother giving the srt
interface an address (except a v6 LL addr) ... it all seems to work
just fine.

Is there a reason you use "srtconfig srt0 set" instead of "add" ?

kre


Mouse
2020-10-12 13:32:12 UTC
Post by Robert Elz
Post by Robert Elz
I've been using it routinely. I'm not aware of anyone else who has
been,
I do, it is used for IPv6 routing on munnari to deal with ingress
filtering in the two (different) v6 networks that munnari is
connected to.
Cool, so (a) it's being useful, and (b) it's being at least mostly
protected against bitrot.
Post by Robert Elz
My config is different than yours, I don't bother giving the srt
interface an address (except a v6 LL addr) ... it all seems to work
just fine.
I give it an address only for the sake of being able to point a route
destination out it. How do you arrange to get packets sent out it in
your config? A route pointing to a LL address? ipf? Something else?

Hm, that's odd; I'm not seeing a v6 LL address on my srt0, and that
machine is my main house router, so it definitely has v6 turned on.
Maybe a version difference, maybe I broke something else...someday
maybe I should investigate, but at the moment I'm inclined to not
meddle with something that's not actively broken.
Post by Robert Elz
Is there a reason you use "srtconfig srt0 set" instead of "add" ?
No, not really, possibly excepting idempotency - if you use set, you
can repeat those setup commands without any harm, whereas if you use
add for your setup commands, repeating them won't eliminate the
(possibly incorrect) old configuration and will lead to ballooning the
config unnecessarily. (Whether this matters, of course, depends on
whether that's an important use case.)

Oh, one note I also forgot to mention: if the configuration settings
are mutually exclusive (which they were in my example - no packet can
match both config entries), so that relative order doesn't matter for
correctness, then for the sake of performance you might want to make
sure the commoner ones end up lower-numbered than the rarer ones.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Robert Elz
2020-10-12 15:29:02 UTC
Date: Mon, 12 Oct 2020 09:32:12 -0400 (EDT)
From: Mouse <***@Rodents-Montreal.ORG>
Message-ID: <***@Stone.Rodents-Montreal.ORG>

| I give it an address only for the sake of being able to point a route
| destination out it. How do you arrange to get packets sent out it in
| your config? A route pointing to a LL address?

That one. IPv6 routes almost always use LL addresses. My srt0 config
(from /etc/ifconfig.srt0) is ...

create
inet6 fe80::1%srt0
up
!srtconfig srt0 add 2001:3c8:9009:181::2 /64 xennet0 fe80::1
!srtconfig srt0 add 2001:3c8:9007:1::21 /64 xennet1 fe80::9007:1:1
!srtconfig srt0 add 0::0 /0 xennet0 fe80::1
#
!route -q add -inet6 default fe80::1%srt0

Note that I don't care (nor does anything else) that srt's are nominally
p2p interfaces (that is, I don't bother setting a meaningless destination
address).

| Hm, that's odd; I'm not seeing a v6 LL address on my srt0,

If you don't assign it one, none will appear. But you also (on -5)
might be running an if_srt version old enough that v6 didn't work properly
at all. That was fixed ages ago, but I'm not sure how many ages.

kre


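An added example, written for this page and not NetBSD's if_srt code nor anything posted in the thread, that models the srt lookup kre describes ("the interface selected by the source addr matching") and makes the thread's points checkable: Mouse's corrected IPv4 setup (`set 0 10.0.0.0 /24 vlan0 10.0.0.1` with the prefix length as its own token), kre's IPv6 /etc/ifconfig.srt0 lines with the 0::0 /0 catch-all last, and the `set` versus `add` idempotency point. Two things are assumptions of the model rather than facts from the page: slots are searched in index order and the first prefix containing the packet's source wins (drawn from the ordering and catch-all remarks), and a source that matches no slot is not sent anywhere (drawn from kre's "as long as the src addr ... matches something you have configured"). Class and function names are invented here.

```python
"""Model of srt(4)-style source-address route selection (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SrtEntry:
    src_net: ipaddress.IPv4Network | ipaddress.IPv6Network
    iface: str
    gateway: str


class SrtTable:
    """The table of one srt interface; keys are srtconfig slot numbers."""

    def __init__(self) -> None:
        self.slots: Dict[int, SrtEntry] = {}

    def __len__(self) -> int:
        return len(self.slots)

    def set(self, idx: int, addr: str, plen: int, iface: str, gateway: str) -> int:
        """`set <idx> <addr> /<plen> <iface> <gw>`: (re)write slot idx, so repeating is harmless."""
        # strict=False keeps kre's style of giving a host address with a /64.
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        self.slots[idx] = SrtEntry(net, iface, gateway)
        return idx

    def add(self, addr: str, plen: int, iface: str, gateway: str) -> int:
        """`add <addr> /<plen> <iface> <gw>`: append after the highest slot; repeating grows the table."""
        return self.set(max(self.slots, default=-1) + 1, addr, plen, iface, gateway)

    def select(self, src: str) -> Optional[Tuple[str, str]]:
        """(iface, gateway) of the lowest slot whose prefix contains src; None = no match (assumed dropped)."""
        a = ipaddress.ip_address(src)
        for idx in sorted(self.slots):
            e = self.slots[idx]
            if a.version == e.src_net.version and a in e.src_net:
                return (e.iface, e.gateway)
        return None


def apply_srtconfig(table: SrtTable, line: str) -> int:
    """Feed one `srtconfig srtN set|add ...` command line into the model.

    Only the form Mouse says works is accepted: the prefix length is its own
    `/N` token, so `10.0.0.0/24` as a single token is rejected.
    """
    argv = line.split()
    if len(argv) < 3 or argv[0] != "srtconfig":
        raise ValueError(f"not an srtconfig command: {line!r}")
    verb, rest = argv[2], argv[3:]
    idx: Optional[int] = None
    if verb == "set":
        if not rest or not rest[0].isdigit():
            raise ValueError("set needs a slot number")
        idx, rest = int(rest[0]), rest[1:]
    elif verb != "add":
        raise ValueError(f"unsupported verb {verb!r}")
    if len(rest) != 4 or "/" in rest[0] or not rest[1].startswith("/"):
        raise ValueError("expected <addr> /<plen> <iface> <gw>; the prefix "
                         "length must be a separate '/N' token")
    addr, mask, iface, gateway = rest
    plen = int(mask[1:])
    if idx is not None:
        return table.set(idx, addr, plen, iface, gateway)
    return table.add(addr, plen, iface, gateway)


def mouse_ipv4_table() -> SrtTable:
    """Mouse's corrected IPv4 setup from the thread."""
    t = SrtTable()
    apply_srtconfig(t, "srtconfig srt0 set 0 10.0.0.0 /24 vlan0 10.0.0.1")
    apply_srtconfig(t, "srtconfig srt0 set 1 172.16.0.0 /24 vlan1 172.16.0.1")
    return t


def kre_ipv6_table() -> SrtTable:
    """kre's /etc/ifconfig.srt0 entries, catch-all last."""
    t = SrtTable()
    for cmd in ("srtconfig srt0 add 2001:3c8:9009:181::2 /64 xennet0 fe80::1",
                "srtconfig srt0 add 2001:3c8:9007:1::21 /64 xennet1 fe80::9007:1:1",
                "srtconfig srt0 add 0::0 /0 xennet0 fe80::1"):
        apply_srtconfig(t, cmd)
    return t


if __name__ == "__main__":
    t = mouse_ipv4_table()
    for src in ("10.0.0.2", "172.16.0.2", "192.168.1.1"):
        print(f"{src:>12} -> {t.select(src)}")
```

Running it shows the two reply paths Manuel asked for and a None for a source in neither subnet; under the model's no-match assumption that packet goes nowhere, which is why a table with no catch-all needs every source address the host will ever use (including a DHCP-assigned one) covered by some slot. Putting the catch-all in slot 0 instead of last silently shadows every later entry, the ordering point Mouse raises for performance and kre's config relies on for correctness.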