routing: do not allow PINNED routes to be overridden
ClosedPublic
Actions

Authored by ae on Jan 24 2025, 9:01 AM.

Details

Reviewers

melifaro
glebius

Group Reviewers

network

Commits

rGb297093ebab6: routing: do not allow PINNED routes to be overriden
rG01ade56eba14: routing: do not allow PINNED routes to be overriden
rG361a8395f0b0: routing: do not allow PINNED routes to be overriden

Summary

First configured PINNED routes should have higher priority.
This also should fix test_routing_l3 that is broken after D47534.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 61973
Build 58857: arc lint + arc unit

Event Timeline

ae created this revision.Jan 24 2025, 9:01 AM

ae held this revision as a draft.

Herald added a reviewer: melifaro. · View Herald TranscriptJan 24 2025, 9:01 AM

Herald added subscribers: glebius, melifaro, imp. · View Herald Transcript

Harbormaster completed remote builds in B61972: Diff 149864.Jan 24 2025, 9:01 AM

Simplify the check.

Harbormaster completed remote builds in B61973: Diff 149865.Jan 24 2025, 9:07 AM

ae published this revision for review.Jan 24 2025, 9:08 AM

ae added reviewers: glebius, network.

Thank you for taking a look at this!
Not only it fixes D47534, it also does not break D47585 (introduce a regression).

This change addresses the failing test, but there's a new failure in sys/netinet/fibs_test:same_ip_multiple_ifaces_fib0. The test creates two interfaces, then assigns the same IP address to each, with different masks. With this change, the second address assignment fails with EEXIST.

I'm not sure if that's actually a valid thing to do in practice; see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189089 . Maybe @asomers remembers?

In D48650#1109739, @markj wrote:

This change addresses the failing test, but there's a new failure in sys/netinet/fibs_test:same_ip_multiple_ifaces_fib0. The test creates two interfaces, then assigns the same IP address to each, with different masks. With this change, the second address assignment fails with EEXIST.

I'm not sure if that's actually a valid thing to do in practice; see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189089 . Maybe @asomers remembers?

At the time I wrote that test, I was doing a bunch of changes to make multiple fibs work better. Not just for firewalls, but for applications. I'm sure that my then-employer didn't have a use case for assigning the same IP address to multiple interfaces on the same fib at the same time. I probably found the crash bug just through exploratory testing. And I think that the purpose of the test was just to ensure that the system didn't panic.

jlduran mentioned this in D48902: tests: Guard against testing without scapy.Feb 10 2025, 10:15 PM

This revision was not accepted when it landed; it landed in state Needs Review.Sun, Mar 2, 10:57 AM

Closed by commit rG361a8395f0b0: routing: do not allow PINNED routes to be overriden (authored by ae). · Explain Why

This revision was automatically updated to reflect the committed changes.

ae added a commit: rG361a8395f0b0: routing: do not allow PINNED routes to be overriden.

ae added a commit: rG01ade56eba14: routing: do not allow PINNED routes to be overriden.Tue, Mar 18, 9:11 AM

ae added a commit: rGb297093ebab6: routing: do not allow PINNED routes to be overriden.