[LARTC] iproute2 and routing entries

[LARTC] iproute2 and routing entries

[Michael]

<PRE>Hi guys,

i am just playing around with iproute2 and some questions came to my mind.

I¥m wondering why I get a route entry for the subnet of eth0s primary addr 
if I use the command &quot;ip link set eth0 up&quot;. 

I¥m personally not a friend of such behaviour, because I often need some
strange routing set-ups. Is it possible to avoid this behaviour, meaning I
only get routing entries if I really set them by myself?

Thanks in advance

   .\\ichael Schoen

--
 Michael Schoen   &lt;<A HREF="mailto:schoen@anduras.de">schoen@anduras.de</A>&gt;                      _/_/_/
                                                          _/_/_/
 ANDURAS AG i.G.      Internet: www.anduras.de           _/_/_/
 Innstrafle 71         Tel: 0851/4 90 50-0               _/_/_/
 94036 Passau         Fax: 0851/4 90 50-55             _/_/_/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/



</PRE>

[LARTC] iproute2 and routing entries

[bert]

<PRE>On Thu, Nov 02, 2000 at 06:35:48PM +0100, Michael Schoen wrote:
&gt;<i> Hi guys,
</I>&gt;<i> 
</I>&gt;<i> i am just playing around with iproute2 and some questions came to my mind.
</I>&gt;<i> 
</I>&gt;<i> I´m wondering why I get a route entry for the subnet of eth0s primary addr 
</I>&gt;<i> if I use the command &quot;ip link set eth0 up&quot;. 
</I>&gt;<i> 
</I>&gt;<i> I´m personally not a friend of such behaviour, because I often need some
</I>&gt;<i> strange routing set-ups. Is it possible to avoid this behaviour, meaning I
</I>&gt;<i> only get routing entries if I really set them by myself?
</I>
This behaviour has been hotly contested on the linux kernel mailinglist,
perhaps the archives can tell you if there is a way around this.

Also read the 'ifconfig replacement script' bij Alexey which contains Deeper
Magic which might be useful.

Regards,

bert hubert

-- 
PowerDNS                     Versatile DNS Services  
Trilab                       The Technology People   
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet


</PRE>

[LARTC] iproute2 and routing entries

[Martijn]

<PRE>bert hubert wrote:
&gt;<i> 
</I>&gt;<i> On Thu, Nov 02, 2000 at 06:35:48PM +0100, Michael Schoen wrote:
</I>&gt;<i> &gt; Hi guys,
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; i am just playing around with iproute2 and some questions came to my mind.
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; I´m wondering why I get a route entry for the subnet of eth0s primary addr
</I>&gt;<i> &gt; if I use the command &quot;ip link set eth0 up&quot;.
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; I´m personally not a friend of such behaviour, because I often need some
</I>&gt;<i> &gt; strange routing set-ups. Is it possible to avoid this behaviour, meaning I
</I>&gt;<i> &gt; only get routing entries if I really set them by myself?
</I>&gt;<i> 
</I>&gt;<i> This behaviour has been hotly contested on the linux kernel mailinglist,
</I>&gt;<i> perhaps the archives can tell you if there is a way around this.
</I>
The reason is that by setting an interface with the IP address A and netmask
B you are implying that there is a network attached with the network address
A&amp;~B with the given netmask and so a route should be added appropriately.

The last I heard was that one of the networking guys gave this explanantion
and challenged someone to give an example of where this was the wrong
thing to do. The thread died there IIRC.

Personally I think it's a great feature because in at least 99.99% of 
cases it's exactly what you want and I havn't found an example of the
other 0.01%.

-- 
Martijn van Oosterhout &lt;<A HREF="mailto:kleptog@cupid.suninternet.com">kleptog@cupid.suninternet.com</A>&gt;
<A HREF="http://cupid.suninternet.com/~kleptog/">http://cupid.suninternet.com/~kleptog/</A>


</PRE>

[LARTC] iproute2 and routing entries

[Michael]

<PRE>hi,
&gt;<i> The last I heard was that one of the networking guys gave this explanantion
</I>&gt;<i> and challenged someone to give an example of where this was the wrong
</I>&gt;<i> thing to do. The thread died there IIRC.
</I>&gt;<i> 
</I>&gt;<i> Personally I think it's a great feature because in at least 99.99% of 
</I>&gt;<i> cases it's exactly what you want and I havn't found an example of the
</I>&gt;<i> other 0.01%.
</I>
okay - here¥s a strange set-up, but if you think over it, it has some nice
advantages.

Assume you have a public network (e.g. 132.231.1.0) routed to your fw/gateway. 
For the dmz you use a private network (e.g. 10.10.10.0). In the dmz you have 
two public server (www 132.231.1.1 and mail 132.231.1.2).

on the internal interface of the gw/fw use the ip 10.10.10.254. The two
public server have the 2nd adress 10.10.10.1 (www) and 10.10.10.2 (mail).

Now use the following route-entries:

www and mail:
10.10.10.0/24 -&gt; eth0
default	      -&gt; 10.10.10.254

and on the firewall you set the following route entries:
10.10.10.0/24 -&gt; eth0
132.231.1.1/32 -&gt; 10.10.10.1
132.231.1.2/32 -&gt; 10.10.10.2

This design has the (dis?)advantage that every packet with public ip
addresses within the dmz is routed again over the fw/gw. For some 
security/accounting reasons this is not a bad idea &lt;g&gt;


   .\\ichael Schoen

--
 Michael Schoen   &lt;<A HREF="mailto:schoen@anduras.de">schoen@anduras.de</A>&gt;                      _/_/_/
                                                          _/_/_/
 ANDURAS AG i.G.      Internet: www.anduras.de           _/_/_/
 Innstrafle 71         Tel: 0851/4 90 50-0               _/_/_/
 94036 Passau         Fax: 0851/4 90 50-55             _/_/_/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/



</PRE>