fibnum2.diff (Re: per-FIB socket binding)

From: Paul Vixie <paul_at_redbarn.org>
Date: Tue, 18 Feb 2025 05:16:07 UTC
this is the second fibnum patch, which replaces (doesn't add to) the first. 
some blanks/tabs/margins lint was incidentally fixed, a few comments were 
added, the API of several existing functions was changed, and some wrappers 
were added to others. as explained inline below, this handles both TCP and UDP 
listeners now. i did not add an SO_FIB operator nor shim SO_SETFIB since those 
are independent of this socket-related work, needed to get path symmetry for 
shell-related listeners like sshd.

comments, questions, and especially testing results would be very welcome.

vixie

---

On Monday, January 6, 2025 3:56:55 PM UTC Mark Johnston wrote:
> On Fri, Dec 27, 2024 at 08:48:48AM +0000, Paul Vixie wrote:
> > On Tuesday, December 24, 2024 3:34:45 AM UTC Santiago Martinez wrote:
> > > here’s another user of fibs. Each of our servers has multiple fibs and
> > > jails with fibs. I like the proposed.
> > 
> > On Tuesday, December 24, 2024 5:06:32 AM UTC Jamie Landeg-Jones wrote:
> > > I like that. I isolate 5 separate networks by assigning a fib to each
> > > interface, and was initially surprised that I had to jump through ipfw
> > > hoops to get it to work properly, in fact at the end of my ipfw rules
> > > for these interfaces, just to guarantee no leaking, ...
> > > 
> > > So, yes, I agree that it's crocky, and your proposal is how I originally
> > > expected it to work, and indeed, I can see no reason for it not to work
> > > that way, but am prepared to be enlightened if anyone else has an
> > > opinion on this.
> > 
> > Groovy. See attached patch. This is just for TCP since I have no way to
> > test SCTP and I think UDP will have to be handled at the application
> > layer. There are two one line changes here.

i was wrong, UDP doesn't need application layer changes. this patch is longer 
than the first one, since it (1) does TCP in the way mark johnston suggested, 
(2) also handles UDP, and (3) is tested against 14.2-P1 now although that 
didn't change the patch. for what it's worth SCTP looks simple but i really 
think it should be patched later by someone who can test it.

(On Monday, January 6, 2025 3:56:55 PM UTC Mark Johnston wrote:)
> One side effect of the patch is that a service listening in FIB 0 that
> has no route to the source address of a connection attempt from a
> different FIB would previously not accept such a connection, but now it
> will.  Perhaps that's drastic enough to warrant a sysctl and/or sockopt
> to control this behaviour.

i hope not. moving from unintentional configuration-dependent failure to 
unintentional configuration-dependent success is not a change that freebsd 
usually optionalizes.

> It would be better to pass the fibnum to solisten_clone() and assign it
> there.  Otherwise, the value of so_fibnum will be wrong for a short
> window during which the socket is passed to MAC and other hooks, which
> might have some surprising effects.

done.

-- 
Paul Vixie