"gw" attribute assignment in filter invalidates routes learned via BGP, static, and possibly others?

Sergey Popovich popovich_sergei at mail.ru
Tue Aug 13 16:31:33 CEST 2013


In the message of 13 August 2013 16:25:14 you wrote:
 
> The patch does not make sense to me - if user sets 'gw' attribute, BIRD
> should set immediate nexthop of the route, not setup a route with a
> recursive nexthop - that would be inconsistent, because reading of 'gw'
> attribute returns the immediate nexthop and not the recursive nexthop of
> a route.

Thanks, now I understand why. At least I tried to fix the problem by myself.

> The attached patch should do that (essentially just lookup iface,
> fix it and force the route to RTD_ROUTER in case of setting 'gw').
> Is this OK for you?
> 

Yes, thanks. The patch works as expected.


> 
> Thanks for the thorough explanation. I am surprised that route to a Linux
> dummy interface works like that, I always thought that dummy interface
> would behave more like an ethernet with nothing connected on it than
> like a loopback (therefore you would get ICMP Destination unreachable
> instead of TTL exceeded), but I didn't test that.
> 

Sorry, I did not mean to confuse you. Really, a dummy interface is more
like an ethernet interface with nothing attached to it: nothing is looped back
from it (nothing is received, actually). Anything sent to a dummy interface is simply
discarded, as with a blackhole route, but no neighbor resolution (ARP, NDP) is done
on it, and the general routing rules are applied to it like to any other network
interface, which is what makes it different from a blackhole route.

But the network stack generates ICMP TTL Exceeded when it receives a datagram
destined to a subnet configured on the dummy interface but cannot forward it to the dummy
interface because the TTL is 1, and thus it generates ICMP TTL Exceeded.

Using a dummy interface for blackholing seems a simple and elegant solution :-).

> And why not just use RTD_UNREACHABLE or RTD_PROHIBIT? Both would return
> some ICMP message.

Well, this could be a solution for just terminating address space, where
packets for all currently unused addresses are directed to a common (summary) route
that generates ICMP. However, due to ICMP rate limiting in the kernel
for certain ICMP types, that might introduce unwanted losses when sending
to these routes.

But not under DDoS, where we prefer not to answer in any way (even the kernel
network stack rate-limits ICMP Dest Unreach and ICMP Admin Prohibited
messages).

-- 
SP5474-RIPE
Sergey Popovich
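The blackholing setup Sergey describes, written out as an added BIRD 1.x configuration sketch (not from this thread or the BIRD project). It assumes a dummy0 interface holding 192.0.2.1/24 and an unused address 192.0.2.2 in that subnet (both constructed), an upstream BGP session, and the patched behaviour where setting 'gw' in a filter yields an immediate nexthop (RTD_ROUTER); routes tagged with the RFC 7999 BLACKHOLE community get their nexthop rewritten onto dummy0.

```bird
# Added example, not from the thread. Assumed host setup (constructed):
#   ip link add dummy0 type dummy && ip link set dummy0 up
#   ip addr add 192.0.2.1/24 dev dummy0
# 192.0.2.2 is an unused address in that subnet: dummy0 does no ARP/NDP,
# so traffic forwarded to it is discarded without any ICMP reply.

router id 198.51.100.1;

protocol device {
    scan time 10;
}

protocol kernel {
    scan time 10;
    export all;      # install the rewritten routes into the Linux FIB
}

filter blackhole_via_dummy {
    # RFC 7999 BLACKHOLE community (65535:666) carried by the upstream
    if (65535, 666) ~ bgp_community then {
        gw = 192.0.2.2;      # immediate nexthop on dummy0 -> silent drop
        # dest = RTD_UNREACHABLE;  would answer with (rate-limited) ICMP
        # instead, which is what the thread wants to avoid under DDoS
        accept;
    }
    accept;
}

protocol bgp upstream {
    local as 65001;
    neighbor 198.51.100.254 as 65000;
    import filter blackhole_via_dummy;
    export none;
}
```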
