IPv6 Policy based routing not working.

IPv6 Policy based routing not working.

[Tushar Shinde]

Hello NetDev,

I am facing problem where if ipv6 route (outside to current subnet) is
reachable only if route is present in main table. Policy based routes
are not working.

Following is my setup,

eth0   inet6 2001:1::10/120 scope global
eth1   inet6 2001:1::11/120 scope global
2001:1::1 is gateway
2.6.32-431.11.2.el6.x86_64 kernel (I tried on 3.x also)

[root@ipv6node1 ~]# ip -6 route show tab 1
2001:1::/120 dev eth0  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:1::1 dev eth0  metric 1024  mtu 1500 advmss 1440
hoplimit 4294967295
[root@ipv6node1 ~]#
[root@ipv6node1 ~]# ip -6 route show tab 2
2001:1::/120 dev eth1  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:1::1 dev eth1  metric 1024  mtu 1500 advmss 1440
hoplimit 4294967295
[root@ipv6node1 ~]#
[root@ipv6node1 ~]# ip -6 rule show
0:    from all lookup local
16383:    from 2001:1::10 lookup 1
16383:    from 2001:1::11 lookup 2
32766:    from all lookup main
[root@ipv6node1 ~]#

If I add default vai eth0 only ip of eth0 is reachable from outside or
eth1 dont work. In above setup default route is not present.

But default entry in "table" is never getting used to resolve route

[root@ipv6node1 ~]# ping6 -I eth0 2001:2::20
connect: Network is unreachable
[root@ipv6node1 ~]#
[root@ipv6node1 ~]# ping6 -I eth1 2001:2::20
connect: Network is unreachable
[root@ipv6node1 ~]#


To dig further I added printks and found fib6_rule_match function
return 1 only for table 255 and 254 rest all tables are skipped from
search.

fib6_rule_match
if (r->src.plen) {
                if (flags & RT6_LOOKUP_F_HAS_SADDR) {
                        if (!ipv6_prefix_equal(&fl->fl6_src, &r->src.addr,
                                               r->src.plen)) {
                                printk(KERN_ALERT "TS: %s:%d ret 0\n",
__func__, __LINE__);
                                return 0;
                        }
                } else if (!(r->common.flags & FIB_RULE_FIND_SADDR)) {
                        printk(KERN_ALERT "TS: %s:%d ret 0\n",
__func__, __LINE__);
           >>>             return 0;
                }
}

In case of above ping code returns from FIB_RULE_FIND_SADDR check as
pointed above.

In above case flags is 1, that is RT6_LOOKUP_F_IFACE.
Do I need to pass any extra option to ping?

Same routing table works in case of IPv4 setup without any problem.
Is policy based routing supported in ipv6?


Thank you,
Tushar

Re: IPv6 Policy based routing not working.

[Hannes Frederic Sowa]

Hi,

On Di, 2014-08-26 at 21:32 +0530, Tushar Shinde wrote:
> Hello NetDev,
> 
> I am facing problem where if ipv6 route (outside to current subnet) is
> reachable only if route is present in main table. Policy based routes
> are not working.
> 
> Following is my setup,
> 
> eth0   inet6 2001:1::10/120 scope global
> eth1   inet6 2001:1::11/120 scope global
> 2001:1::1 is gateway
> 2.6.32-431.11.2.el6.x86_64 kernel (I tried on 3.x also)
> 
> [root@ipv6node1 ~]# ip -6 route show tab 1
> 2001:1::/120 dev eth0  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
> default via 2001:1::1 dev eth0  metric 1024  mtu 1500 advmss 1440
> hoplimit 4294967295
> [root@ipv6node1 ~]#
> [root@ipv6node1 ~]# ip -6 route show tab 2
> 2001:1::/120 dev eth1  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
> default via 2001:1::1 dev eth1  metric 1024  mtu 1500 advmss 1440
> hoplimit 4294967295
> [root@ipv6node1 ~]#
> [root@ipv6node1 ~]# ip -6 rule show
> 0:    from all lookup local
> 16383:    from 2001:1::10 lookup 1
> 16383:    from 2001:1::11 lookup 2
> 32766:    from all lookup main
> [root@ipv6node1 ~]#
> 
> If I add default vai eth0 only ip of eth0 is reachable from outside or
> eth1 dont work. In above setup default route is not present.
> 
> But default entry in "table" is never getting used to resolve route
> 
> [root@ipv6node1 ~]# ping6 -I eth0 2001:2::20
> connect: Network is unreachable
> [root@ipv6node1 ~]#
> [root@ipv6node1 ~]# ping6 -I eth1 2001:2::20
> connect: Network is unreachable
> [root@ipv6node1 ~]#

ping6 selects the ipv6 address based on netlink route lookup given the
specified interface but without setting the source address. That said,
it is probable that the rule lookup happens with a completely different
ipv6 address. Please verify this. ping6 -I also accepts a source ipv6
address, can you try this?

Otherwise please specify with which 3.x kernel you tested this.

Thanks,
Hannes

Re: IPv6 Policy based routing not working.

[Tushar Shinde]

Hi Hannes,

Thank you for reply.

I tested it will 2 kernels 2.6.32-431.11.2.el6.x86_64, and ubuntu
14.04 kernel 3.13.

ping6 -I <IPv6 src ip> <dest> is working. I also verified ssh with -b working.

So my question is, is it necessary to give bind address to make source
based routing work? why don't it select ip address of given bind
interface? Because of this SO_BINDTODEVICE may not work as expected.

Tushar


On Wed, Aug 27, 2014 at 3:31 AM, Hannes Frederic Sowa
<hannes@stressinduktion.org> wrote:
> Hi,
>
> On Di, 2014-08-26 at 21:32 +0530, Tushar Shinde wrote:
>> Hello NetDev,
>>
>> I am facing problem where if ipv6 route (outside to current subnet) is
>> reachable only if route is present in main table. Policy based routes
>> are not working.
>>
>> Following is my setup,
>>
>> eth0   inet6 2001:1::10/120 scope global
>> eth1   inet6 2001:1::11/120 scope global
>> 2001:1::1 is gateway
>> 2.6.32-431.11.2.el6.x86_64 kernel (I tried on 3.x also)
>>
>> [root@ipv6node1 ~]# ip -6 route show tab 1
>> 2001:1::/120 dev eth0  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
>> default via 2001:1::1 dev eth0  metric 1024  mtu 1500 advmss 1440
>> hoplimit 4294967295
>> [root@ipv6node1 ~]#
>> [root@ipv6node1 ~]# ip -6 route show tab 2
>> 2001:1::/120 dev eth1  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
>> default via 2001:1::1 dev eth1  metric 1024  mtu 1500 advmss 1440
>> hoplimit 4294967295
>> [root@ipv6node1 ~]#
>> [root@ipv6node1 ~]# ip -6 rule show
>> 0:    from all lookup local
>> 16383:    from 2001:1::10 lookup 1
>> 16383:    from 2001:1::11 lookup 2
>> 32766:    from all lookup main
>> [root@ipv6node1 ~]#
>>
>> If I add default vai eth0 only ip of eth0 is reachable from outside or
>> eth1 dont work. In above setup default route is not present.
>>
>> But default entry in "table" is never getting used to resolve route
>>
>> [root@ipv6node1 ~]# ping6 -I eth0 2001:2::20
>> connect: Network is unreachable
>> [root@ipv6node1 ~]#
>> [root@ipv6node1 ~]# ping6 -I eth1 2001:2::20
>> connect: Network is unreachable
>> [root@ipv6node1 ~]#
>
> ping6 selects the ipv6 address based on netlink route lookup given the
> specified interface but without setting the source address. That said,
> it is probable that the rule lookup happens with a completely different
> ipv6 address. Please verify this. ping6 -I also accepts a source ipv6
> address, can you try this?
>
> Otherwise please specify with which 3.x kernel you tested this.
>
> Thanks,
> Hannes
>
>

Re: IPv6 Policy based routing not working.

[Hannes Frederic Sowa]

On Mi, 2014-08-27 at 10:24 +0530, Tushar Shinde wrote:
> Hi Hannes,
> 
> Thank you for reply.
> 
> I tested it will 2 kernels 2.6.32-431.11.2.el6.x86_64, and ubuntu
> 14.04 kernel 3.13.
> 
> ping6 -I <IPv6 src ip> <dest> is working. I also verified ssh with -b working.
> 
> So my question is, is it necessary to give bind address to make source
> based routing work? why don't it select ip address of given bind
> interface? Because of this SO_BINDTODEVICE may not work as expected.

Hmm, not sure, but last time I looked ping6 did not do SO_BINDTODEVICE
at all and I doubt it changed. It merely sets outgoing interface index
in cmsg PKTINFO data.

Semantically those are not the same. Interface index on global
destination addresses is only advisory, no strict routing lookup will be
done.

Bye,
Hannes

Re: IPv6 Policy based routing not working.

[Tushar Shinde]

So do we need to always use ipv6 address to bind unlike ipv4?

Tushar

On Wed, Aug 27, 2014 at 11:25 AM, Hannes Frederic Sowa
<hannes@stressinduktion.org> wrote:
> On Mi, 2014-08-27 at 10:24 +0530, Tushar Shinde wrote:
>> Hi Hannes,
>>
>> Thank you for reply.
>>
>> I tested it will 2 kernels 2.6.32-431.11.2.el6.x86_64, and ubuntu
>> 14.04 kernel 3.13.
>>
>> ping6 -I <IPv6 src ip> <dest> is working. I also verified ssh with -b working.
>>
>> So my question is, is it necessary to give bind address to make source
>> based routing work? why don't it select ip address of given bind
>> interface? Because of this SO_BINDTODEVICE may not work as expected.
>
> Hmm, not sure, but last time I looked ping6 did not do SO_BINDTODEVICE
> at all and I doubt it changed. It merely sets outgoing interface index
> in cmsg PKTINFO data.
>
> Semantically those are not the same. Interface index on global
> destination addresses is only advisory, no strict routing lookup will be
> done.
>
> Bye,
> Hannes
>
>

Re: IPv6 Policy based routing not working.

[Hannes Frederic Sowa]

On Mi, 2014-08-27 at 11:32 +0530, Tushar Shinde wrote:
> So do we need to always use ipv6 address to bind unlike ipv4?

No, I think SO_BINDTODEVICE should work. But ping6 does not use it, so
one could add support for this to ping with a new option.

ping6 uses cmsg with undefined ipv6 source address but set ifindex and
that's not at all like SO_BINDTODEVICE.

Bye,
Hannes

Re: IPv6 Policy based routing not working.

[Tushar Shinde]

ping6 command uses SO_BINDTODEVICE but it looks it is not working. The
source address in fib6 rule match is 0:::0

strace ping6 -I eth0 2001:2::20 2> t
socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 4
setsockopt(4, SOL_SOCKET, SO_BINDTODEVICE, "eth0\0", 5) = 0
connect(4, {sa_family=AF_INET6, sin6_port=htons(1025),
inet_pton(AF_INET6, "2001:2::20", &sin6_addr), sin6_flowinfo=0,
sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)

I think there is problem with so_binddevice. need to dig further.

Tushar




On Wed, Aug 27, 2014 at 11:35 AM, Hannes Frederic Sowa
<hannes@stressinduktion.org> wrote:
> On Mi, 2014-08-27 at 11:32 +0530, Tushar Shinde wrote:
>> So do we need to always use ipv6 address to bind unlike ipv4?
>
> No, I think SO_BINDTODEVICE should work. But ping6 does not use it, so
> one could add support for this to ping with a new option.
>
> ping6 uses cmsg with undefined ipv6 source address but set ifindex and
> that's not at all like SO_BINDTODEVICE.
>
> Bye,
> Hannes
>
>

Re: IPv6 Policy based routing not working.

[Hannes Frederic Sowa]

On Mi, 2014-08-27 at 19:11 +0530, Tushar Shinde wrote:
> ping6 command uses SO_BINDTODEVICE but it looks it is not working. The
> source address in fib6 rule match is 0:::0
> 
> strace ping6 -I eth0 2001:2::20 2> t
> socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 4
> setsockopt(4, SOL_SOCKET, SO_BINDTODEVICE, "eth0\0", 5) = 0
> connect(4, {sa_family=AF_INET6, sin6_port=htons(1025),
> inet_pton(AF_INET6, "2001:2::20", &sin6_addr), sin6_flowinfo=0,
> sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)

$ strace ping6 -c1 -I em1 ::  |& grep SO_BINDTODEVICE
$

Strange, I have a look... thanks!