Re: can I use ip route to dst:port

To: Joseph Mack <mack.joseph@xxxxxxx>
Subject: Re: can I use ip route to dst:port
Cc: Joseph Mack <mack.joseph@xxxxxxxxxxxxxxx>, <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, Roberto Nibali <ratz@xxxxxx>, Horms <horms@xxxxxxxxxxxx>, <busterb@xxxxxxxxxxxxxxx>, <J.D.F.Palmer@xxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Sat, 30 Mar 2002 01:16:49 +0000 (GMT)
        Hello,

On Fri, 29 Mar 2002, Joseph Mack wrote:

> when I do
>
> ip route add from 0/0 via SERVER_GW table 3_TIER

ip route does not have "from XXX" as an argument; maybe you mean ip rule, but then
"via XXX" is not allowed for ip rules. Something is wrong here.

> realserver:/etc/lvs/# ip rule show
> 0:    from all lookup local

# allow direct talks, no gateways used. even RIP can talk with direct nets
ip rule add prio 50 table main

# Below follow routes via gateways

# Block from RIP to universe except the marked traffic:
> 99:   from RIP fwmark         1 lookup 3_TIER

ip rule add prio 100 from RIP prohibit

> 200:  from all lookup 3_TIER

RIP can't talk with direct routes? Why? Remove it:

> 250:  from RIP lookup main prohibit
> 32766:        from all lookup main
> 32767:        from all lookup 253
>
> realserver:/etc/lvs# ip route show table 3_TIER
> default via SERVER_GW dev eth0

default via SERVER_GW dev eth0 src RIP

I'm not sure, but it seems the localout fwmarking is useless. You
can use it only for rerouting; maybe at routing time we
hit the bad routes. At route connection time we are simply before
any LOCAL_OUT games. So, LOCAL_OUT mangling+rerouting works only
when the initial route connection succeeds, which is not true for
our case where we blindly rely on fwmark. It is not set yet for
locally generated traffic. The order is:

1. TCP calls ip_route_connect

        ip route get to DEST => we hit the rule "from all"

        then use the SRC and DEST to select a new entry:
        ip route get from SRC to DEST => we hit the rule "from RIP"
                without fwmark => prohibit

2. ip_queue_xmit calls LOCAL_OUT where the packet should be marked
and then rerouting but ... we don't reach that point because
ip_route_connect() fails. tcp_v4_connect() simply can't autoselect
src IP. Note that LOCAL_OUT should reroute to a route that is
a subset of the initial route result. If not, we are in state that
TCP binds to wrong addresses.

        That was the theory; the practice can show different
results :) We should suspect any rerouting at local_out.
The default restrictive policy for routing rules is not the
recommended one. Maybe our policy should be:

- by default allow route connections

- at LOCAL_OUT drop the fwmarked traffic

        So, this does not give a solution for src autoselection.
It serves only filtering purposes.

> I think I will go have a beer.

        Go for another one :)

> Joe

Regards

--
Julian Anastasov <ja@xxxxxx>
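The two-step lookup Julian describes above (ip_route_connect first resolving "to DEST" with the source unset, then "from SRC to DEST", before any LOCAL_OUT marking has happened) can be replayed in a small model. The script below is an added illustration written for this archive page; it is not code from the thread or from the LVS project, and it is a simplified model of policy-routing rule matching rather than the kernel's actual implementation. The addresses for RIP, SERVER_GW and the destinations are constructed placeholders. It contrasts the restrictive rule set (a "from RIP prohibit" rule that only marked traffic can bypass) with the permissive policy suggested at the end of the mail, where rules always let the connection through and filtering of marked traffic is done at LOCAL_OUT instead.

```python
"""Model of the two-step route lookup done for locally generated traffic.

Constructed addresses (not taken from the thread):
  RIP       = 192.168.1.10  real server IP, on directly connected 192.168.1.0/24
  SERVER_GW = 192.168.1.1   gateway used by the 3_TIER table
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

RIP = IPv4Address("192.168.1.10")
DIRECT_NET = IPv4Network("192.168.1.0/24")
SERVER_GW = IPv4Address("192.168.1.1")
DEFAULT = IPv4Network("0.0.0.0/0")


@dataclass
class Route:
    dst: IPv4Network                  # DEFAULT models "default"
    via: Optional[IPv4Address] = None  # gateway, None for a direct route
    src: Optional[IPv4Address] = None  # "src RIP" hint used for source autoselect


@dataclass
class Rule:
    prio: int
    action: str                        # "lookup" or "prohibit"
    table: Optional[str] = None
    src: Optional[IPv4Network] = None  # None models "from all"
    fwmark: Optional[int] = None       # None models "no fwmark selector"


class Prohibited(Exception):
    """Raised when a matching rule has type prohibit."""


# Routing tables. The local table is omitted: only non-local destinations are modelled.
TABLES = {
    "main": [Route(DIRECT_NET)],                        # direct talk, no gateway
    "3_TIER": [Route(DEFAULT, via=SERVER_GW, src=RIP)],  # "default via SERVER_GW src RIP"
}

# Restrictive policy: everything from RIP is prohibited unless it carries fwmark 1.
RESTRICTIVE_RULES = [
    Rule(50, "lookup", "main"),
    Rule(99, "lookup", "3_TIER", src=IPv4Network(f"{RIP}/32"), fwmark=1),
    Rule(100, "prohibit", src=IPv4Network(f"{RIP}/32")),
    Rule(200, "lookup", "3_TIER"),
]

# Permissive policy: route connections are always allowed; filtering moves to LOCAL_OUT.
PERMISSIVE_RULES = [
    Rule(50, "lookup", "main"),
    Rule(200, "lookup", "3_TIER"),
]


def route_get(rules, dst, src=None, fwmark=0):
    """Walk the rules by priority; a lookup that finds no route falls through to the next rule."""
    for rule in sorted(rules, key=lambda r: r.prio):
        # "from X" never matches while the source is still unselected (src is None)
        if rule.src is not None and (src is None or src not in rule.src):
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        if rule.action == "prohibit":
            raise Prohibited(rule.prio)
        candidates = [r for r in TABLES[rule.table] if dst in r.dst]
        if candidates:
            return rule, max(candidates, key=lambda r: r.dst.prefixlen)
    raise LookupError("no route to %s" % dst)


def try_connect(rules, dst, fwmark=0):
    """Model ip_route_connect(): lookup to DST, autoselect SRC, then lookup from SRC to DST.

    Returns ("ok", src, matching rule prio) or ("prohibit", rule prio).
    """
    dst = IPv4Address(dst)
    try:
        _, route = route_get(rules, dst, fwmark=fwmark)
        src = route.src or RIP  # autoselect: route's src hint, else the interface address
        rule, _ = route_get(rules, dst, src=src, fwmark=fwmark)
    except Prohibited as err:
        return ("prohibit", err.args[0])
    return ("ok", str(src), rule.prio)


def local_out_filter(fwmark):
    """The alternative policy from the mail: let routing succeed, drop marked traffic at LOCAL_OUT."""
    return "drop" if fwmark == 1 else "accept"


if __name__ == "__main__":
    # fwmark is 0 at connect time because LOCAL_OUT mangling has not run yet.
    print("restrictive, remote dst:", try_connect(RESTRICTIVE_RULES, "10.0.0.5"))
    print("restrictive, direct dst:", try_connect(RESTRICTIVE_RULES, "192.168.1.20"))
    print("permissive, remote dst: ", try_connect(PERMISSIVE_RULES, "10.0.0.5"))
```

With the restrictive rules the first lookup (source unset) skips every "from RIP" rule and reaches the "from all" rule, the route's src hint selects RIP, and the second lookup then lands on the prio 100 prohibit because the mark that rule 99 wants is not set yet. The same rule set works for a directly connected destination (rule 50, table main), and the permissive rules let the remote connect succeed, leaving the decision to the LOCAL_OUT filter.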
