* Source routing without rules?
@ 2013-08-28 0:16 Andy Lutomirski
2013-08-28 0:57 ` Brian Haley
2013-08-28 1:14 ` Hannes Frederic Sowa
0 siblings, 2 replies; 6+ messages in thread
From: Andy Lutomirski @ 2013-08-28 0:16 UTC
To: Network Development
I'm about to implement a trivial source routing policy for the third
time, and this is IMO stupid. I want to have two routes to a network.
Each route should specify a src, and, if the flow matches the src,
then that route should win.

The rules that don't work are:

    ip route add <net> via <gw1> dev <dev1> metric 0
    ip route add <net> via <gw2> dev <dev2> src <dev2addr> metric 10

Even if I bind a socket to dev2addr, the outgoing packets go out dev1
to gw1. This is exactly what I don't want to have happen.

This would fix it:

    ip route add <net> via <gw1> dev <dev1> src <dev1addr> metric 0 match_src
    ip route add <net> via <gw2> dev <dev2> src <dev2addr> metric 10

The semantics of match_src would be that, if set, the route only
matches if the flow has no assigned source address or if the assigned
source address matches.

(Also, if SO_BINDTODEVICE didn't require privilege, that would already
work. Should there be a sysctl to allow anyone to use
SO_BINDTODEVICE?)

--Andy
* Re: Source routing without rules?
2013-08-28 0:16 Source routing without rules? Andy Lutomirski
@ 2013-08-28 0:57 ` Brian Haley
2013-08-28 1:29 ` Andy Lutomirski
2013-08-28 1:14 ` Hannes Frederic Sowa
1 sibling, 1 reply; 6+ messages in thread
From: Brian Haley @ 2013-08-28 0:57 UTC
To: Andy Lutomirski; +Cc: Network Development
On 08/27/2013 08:16 PM, Andy Lutomirski wrote:
> I'm about to implement a trivial source routing policy for the third
> time, and this is IMO stupid. I want to have two routes to a network.
> Each route should specify a src, and, if the flow matches the src,
> then that route should win.
>
> The rules that don't work are:
>
> ip route add <net> via <gw1> dev <dev1> metric 0
> ip route add <net> via <gw2> dev <dev2> src <dev2addr> metric 10
>
> Even if I bind a socket to dev2addr, the outgoing packets go out dev1
> to gw1. This is exactly what I don't want to have happen.
Look at this page on routing rules:
http://lartc.org/howto/lartc.rpdb.html
-Brian
* Re: Source routing without rules?
2013-08-28 0:16 Source routing without rules? Andy Lutomirski
2013-08-28 0:57 ` Brian Haley
@ 2013-08-28 1:14 ` Hannes Frederic Sowa
2013-08-28 1:46 ` Andy Lutomirski
1 sibling, 1 reply; 6+ messages in thread
From: Hannes Frederic Sowa @ 2013-08-28 1:14 UTC
To: Andy Lutomirski; +Cc: Network Development
On Tue, Aug 27, 2013 at 05:16:21PM -0700, Andy Lutomirski wrote:
> I'm about to implement a trivial source routing policy for the third
> time, and this is IMO stupid. I want to have two routes to a network.
> Each route should specify a src, and, if the flow matches the src,
> then that route should win.
>
> The rules that don't work are:
>
> ip route add <net> via <gw1> dev <dev1> metric 0
> ip route add <net> via <gw2> dev <dev2> src <dev2addr> metric 10
src is actually the preferred src address. In ipv6 land there is a RTA_SRC
(look for ip route *from* parameter) route attribute settable to only
select routes if the from-source matches the route. If you implement
such a feature I would go with the same design (IPV6_SUBTREES).
Greetings,
Hannes
* Re: Source routing without rules?
2013-08-28 0:57 ` Brian Haley
@ 2013-08-28 1:29 ` Andy Lutomirski
0 siblings, 0 replies; 6+ messages in thread
From: Andy Lutomirski @ 2013-08-28 1:29 UTC
To: Brian Haley; +Cc: Network Development
On Tue, Aug 27, 2013 at 5:57 PM, Brian Haley <brian.haley@hp.com> wrote:
> On 08/27/2013 08:16 PM, Andy Lutomirski wrote:
>> I'm about to implement a trivial source routing policy for the third
>> time, and this is IMO stupid. I want to have two routes to a network.
>> Each route should specify a src, and, if the flow matches the src,
>> then that route should win.
>>
>> The rules that don't work are:
>>
>> ip route add <net> via <gw1> dev <dev1> metric 0
>> ip route add <net> via <gw2> dev <dev2> src <dev2addr> metric 10
>>
>> Even if I bind a socket to dev2addr, the outgoing packets go out dev1
>> to gw1. This is exactly what I don't want to have happen.
>
> Look at this page on routing rules:
>
> http://lartc.org/howto/lartc.rpdb.html
Been there, done that. I want to do this in a way that's easy and
scalable, and rules are neither.
--Andy
* Re: Source routing without rules?
2013-08-28 1:14 ` Hannes Frederic Sowa
@ 2013-08-28 1:46 ` Andy Lutomirski
2013-08-28 1:51 ` Hannes Frederic Sowa
0 siblings, 1 reply; 6+ messages in thread
From: Andy Lutomirski @ 2013-08-28 1:46 UTC
To: Andy Lutomirski, Network Development
On Tue, Aug 27, 2013 at 6:14 PM, Hannes Frederic Sowa
<hannes@stressinduktion.org> wrote:
> On Tue, Aug 27, 2013 at 05:16:21PM -0700, Andy Lutomirski wrote:
>> I'm about to implement a trivial source routing policy for the third
>> time, and this is IMO stupid. I want to have two routes to a network.
>> Each route should specify a src, and, if the flow matches the src,
>> then that route should win.
>>
>> The rules that don't work are:
>>
>> ip route add <net> via <gw1> dev <dev1> metric 0
>> ip route add <net> via <gw2> dev <dev2> src <dev2addr> metric 10
>
> src is actually the preferred src address. In ipv6 land there is a RTA_SRC
> (look for ip route *from* parameter) route attribute settable to only
> select routes if the from-source matches the route. If you implement
> such a feature I would go with the same design (IPV6_SUBTREES).
Interesting. The Kconfig help text for IPV6_SUBTREES is incredibly
confusing. What are the actual semantics? I'm guessing that only
routes that match the source address in their "from" clause are
considered and ties are broken in favor of the longest from prefix.
This is considerably more complicated than my suggestion, but it's
also more powerful. Implementing this will require actually
understanding how the trie code works :/
--Andy
* Re: Source routing without rules?
2013-08-28 1:46 ` Andy Lutomirski
@ 2013-08-28 1:51 ` Hannes Frederic Sowa
0 siblings, 0 replies; 6+ messages in thread
From: Hannes Frederic Sowa @ 2013-08-28 1:51 UTC
To: Andy Lutomirski; +Cc: Network Development
On Tue, Aug 27, 2013 at 06:46:35PM -0700, Andy Lutomirski wrote:
> On Tue, Aug 27, 2013 at 6:14 PM, Hannes Frederic Sowa
> <hannes@stressinduktion.org> wrote:
> > On Tue, Aug 27, 2013 at 05:16:21PM -0700, Andy Lutomirski wrote:
> >> I'm about to implement a trivial source routing policy for the third
> >> time, and this is IMO stupid. I want to have two routes to a network.
> >> Each route should specify a src, and, if the flow matches the src,
> >> then that route should win.
> >>
> >> The rules that don't work are:
> >>
> >> ip route add <net> via <gw1> dev <dev1> metric 0
> >> ip route add <net> via <gw2> dev <dev2> src <dev2addr> metric 10
> >
> > src is actually the preferred src address. In ipv6 land there is a RTA_SRC
> > (look for ip route *from* parameter) route attribute settable to only
> > select routes if the from-source matches the route. If you implement
> > such a feature I would go with the same design (IPV6_SUBTREES).
>
> Interesting. The Kconfig help text for IPV6_SUBTREES is incredibly
> confusing. What are the actual semantics? I'm guessing that only
> routes that match the source address in their "from" clause are
> considered and ties are broken in favor of the longest from prefix.
First, a normal longest-prefix lookup is done with the destination
address. The resulting fib6_node can now hold a subtree where a source
lookup will be done. If a node matches, this is the result. Otherwise
backtracking takes place in the "main" fib6_table.
Greetings,
Hannes
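
The lookup order described in the message above (destination longest-prefix match, then a source lookup in that node's subtree, then backtracking), as a small Python model. This is an added example, not part of the thread and not kernel code; the route table, prefixes and next-hop labels are constructed, and a route without a "from" clause is modelled here as from ::/0.

```python
import ipaddress as ipa

# Constructed sample table using documentation prefixes:
# (destination prefix, "from" prefix, next hop label)
ROUTES = [
    ("2001:db8:a::/48", "2001:db8:2::/64", "gw2 dev2"),
    ("2001:db8::/32", "::/0", "gw1 dev1"),
]


def lookup(dst, src, routes=ROUTES):
    """Return (dst prefix, from prefix, next hop), or None if nothing matches.

    Simplified model of the order described in the thread, not the
    kernel's fib6 trie implementation.
    """
    dst, src = ipa.ip_address(dst), ipa.ip_address(src)
    parsed = [(ipa.ip_network(d), ipa.ip_network(s), nh) for d, s, nh in routes]

    # Step 1: destination prefixes that contain dst, most specific first.
    dst_nodes = sorted({d for d, _, _ in parsed if dst in d},
                       key=lambda n: n.prefixlen, reverse=True)

    for node in dst_nodes:
        # Step 2: source lookup inside this node's subtree; the longest
        # matching "from" prefix wins.
        subtree = [(s, nh) for d, s, nh in parsed if d == node and src in s]
        if subtree:
            s, nh = max(subtree, key=lambda e: e[0].prefixlen)
            return str(node), str(s), nh
        # Step 3: no source match under this node, so backtrack to the
        # next shorter destination prefix.
    return None


if __name__ == "__main__":
    # Source inside the "from" prefix: the more specific route is used.
    print(lookup("2001:db8:a::1", "2001:db8:2::5"))
    # Same destination, other source: backtracks to the /32 route.
    print(lookup("2001:db8:a::1", "2001:db8:1::5"))
```
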
Thread overview: 6+ messages
2013-08-28 0:16 Source routing without rules? Andy Lutomirski
2013-08-28 0:57 ` Brian Haley
2013-08-28 1:29 ` Andy Lutomirski
2013-08-28 1:14 ` Hannes Frederic Sowa
2013-08-28 1:46 ` Andy Lutomirski
2013-08-28 1:51 ` Hannes Frederic Sowa