add options useful for more involved PBR setups #70
Open
yogo1212 wants to merge 3 commits into openwrt:master from
3d2c229 to 92bf9d8 (compare)
This allows using the generated table for reverse routes. Otherwise, non-local routes (like the default route) can "eat" return flow traffic and send it, e.g., back towards the internet.

Two new options 'ip4table_local' and 'ip6table_local' can be used to enable this feature. They default to their ipXtable counterparts for backwards compatibility.

A boolean parameter 'local' has been added to 'interface_set_route_info' in order to split routes into the corresponding table. The parameter is set per call-site to reflect 'quasi' link scope (local addresses/delegated prefixes).

IPRULE_PRIORITY_NW is moved up by 5000 to make room for the local routes. Similarly, IPRULE_PRIORITY_ADDR_NL is created to hold non-local routes. Again, this helps control precedence as both local and non-local tables would share the same priority otherwise.

Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
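An added illustration of the precedence problem the commit message describes; this is not netifd code and not part of the PR. It models Linux policy routing minimally (rules walked by ascending priority, longest-prefix match inside each table) and shows that when the table holding only a default route is consulted before, or at the same priority as, the table holding the link-scope route, the default route answers for traffic that should stay on the LAN. Priority numbers, table names and addresses are constructed placeholders, not netifd's values.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix dev")
Rule = namedtuple("Rule", "prio src table")

# Constructed sample: downstream 'lan' (192.168.1.0/24). Its link-scope route
# sits in the local table; its non-local table only holds the default route.
TABLES = {
    "lan_local": [Route(ipaddress.ip_network("192.168.1.0/24"), "lan")],
    "lan_nonlocal": [Route(ipaddress.ip_network("0.0.0.0/0"), "wan")],
}

def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for r in TABLES[table]:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def route(rules, src, dst):
    """Walk rules by ascending priority; sorted() is stable, so rules sharing a
    priority keep insertion order. The first table that yields a match decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if src in rule.src:
            hit = lookup_table(rule.table, dst)
            if hit is not None:
                return hit.dev
    return None

# Placeholder priorities (constructed): the page only states that the local rule
# must sit ahead of the non-local one (IPRULE_PRIORITY_ADDR vs IPRULE_PRIORITY_ADDR_NL).
PRIO_ADDR, PRIO_ADDR_NL = 20000, 25000
SRC = ipaddress.ip_network("192.168.1.0/24")
LAN_PEER, INTERNET = "192.168.1.20", "203.0.113.7"

def shared_priority():
    """Both tables at one priority, non-local inserted first: the default route
    answers for the LAN peer before the local table is consulted."""
    rules = [Rule(PRIO_ADDR, SRC, "lan_nonlocal"), Rule(PRIO_ADDR, SRC, "lan_local")]
    return route(rules, "192.168.1.10", LAN_PEER), route(rules, "192.168.1.10", INTERNET)

def split_priority():
    """Local table at the earlier priority: LAN traffic stays on lan and
    everything else still falls through to the default route."""
    rules = [Rule(PRIO_ADDR_NL, SRC, "lan_nonlocal"), Rule(PRIO_ADDR, SRC, "lan_local")]
    return route(rules, "192.168.1.10", LAN_PEER), route(rules, "192.168.1.10", INTERNET)
```

With equal priorities the outcome depends purely on insertion order, which is the non-determinism the PR removes by giving the two tables distinct rule priorities.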
Author: ipv6 routes are "generic" in the current setup. adding a distinction based on whether or not
Author: and I missed the rules emitted for ipv6 delegated prefixes..
Without this patch, setups with overlapping address ranges across multiple interfaces have non-deterministic routing behaviour. The new option allows users to set up their own rules, for instance, matching on fwmark or iif in addition to the address.

Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
Runtime changes to `metric`, `no_defaultroute`, `disable_addr_rules`, and
the `ip{4,6}table{,_local}` options can lead to various routes and rules
being leaked.
Instead of updating to the new value right away, mark `reload_ip` first,
then do the teardown, change the value, and finally set everything up
again.
For the broader `reload` case, it works the same. Explicit teardown was
added in order to avoid having to 'inject' the changing values into
farther-away code (the async case with `mark_interface_down` is
particularly gnarly).
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
Author: ok. now ipv6 looks good as well.
Author: I'm realizing I should point one thing out that wasn't important enough for me to put into the commit message: to keep the logic consistent, it is required to set it on an ipv6 downstream to disable addr rules for ipv6:
before this patch, there were also route leaks on runtime changes to `metric` and `no_defaultroute`. the options are added with similar leaks being possible.
in a final commit, a mechanism is added for fixing existing and newly-added leaks.
please let me know if you want that decoupled (fixing the leaks first and then adding the options with the new update mechanism).
see the commit messages for details.