Re: [Babel-users] How to properly add an unreachable route?

2014-07-12 Thread Dave Taht
so I'm still trying with a better set of defaults, filtering out the /27s in
cerowrt... I asked the openwrt list how to do it right in uci (below)...

And something that makes my head hurt is dealing with exporting or not
exporting the default static route installed by dhcp, along with just
exporting the covering route.

So, ok: I presently do this in /etc/firewall.user

ip route add unreachable 172.21.2.0/24 proto static

And in babeld.conf

1) Does this also export the default route? (not what I want by default)

redistribute ip 0.0.0.0/0 le 24 allow
redistribute local deny

(In internal gateways I usually turn off fetching the default route via dhcp,
 but I want a default setup that works right in all cases, and that
sadly includes default routes set by dhcp)

2) Will this correctly export the default route if I changed it to
allow? If a box isn't a default gateway should I put in a specific
deny or allow line? Or use eq as I just did? or?

redistribute ip 0.0.0.0/0 eq 0 deny
redistribute ip 0.0.0.0/0 le 24 allow
redistribute local deny

On Sat, Jul 12, 2014 at 4:10 PM, Dave Taht dave.t...@bufferbloat.net wrote:
 I have been trying to simplify my babel setup. I have
 8 /27s out of a single /24 that I would like not
 to have to expose to the universe.

 I have 172.21.2.0/27, 172.21.2.64/27 etc
 on each of the 8 devices I have.

 But there is no need to export each /27, as these
 are out of a single /24.

 The way to do that is to set up /etc/babel.conf to only
 let /24s out...

 redistribute ip 0.0.0.0/0 le 24 allow
 redistribute local deny

 (this can also easily be expressed in the /etc/config/babeld
  file)

 And at the moment, I add this to /etc/firewall.user
 to add the covering route locally.

 ip route add unreachable 172.21.2.0/24 proto static

 Boom, I go from exporting 16 routes to 1.

 Where I'm stuck is on how to express the above line
 inside of uci and luci. Luci demands both a specific
 interface name and a numeric destination, if you are
 trying this via the route method.

 If you try the otherwise promising uci newfangled rule method
 by adding something like this to /etc/config/network

 config rule
 option dest   '172.21.2.0/24'
 option action 'unreachable'

 You end up bricking the router's network setup.

 http://wiki.openwrt.org/doc/uci/network#routing.actions



-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Babel-users mailing list
Babel-users@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/babel-users

Re: [Babel-users] How to properly add an unreachable route?

2014-07-12 Thread Juliusz Chroboczek
 1) Does this also export the default route? (not what I want by default)

 redistribute ip 0.0.0.0/0 le 24 allow
 redistribute local deny

Depends on how the DHCP server is installing the route.  If it's using the
boot protocol, as it should, Babel will ignore it by default.  In any
case, you can force ignoring the default route by adding the following
*before* the allow:

  redistribute ip 0.0.0.0/0 le 0 deny

 2) Will this correctly export the default route if I changed it to
 allow? If a box isn't a default gateway should I put in a specific
 deny or allow line? Or use eq as I just did? or?

 redistribute ip 0.0.0.0/0 eq 0 deny
 redistribute ip 0.0.0.0/0 le 24 allow
 redistribute local deny

No.  If the DHCP server is doing its job properly, it's marking its routes
with the protocol boot, which is a hint to proper routing protocols to
ignore the route.

Redistributing a DHCP route over a routing protocol is not robust network
design -- DHCP should be announcing routes derived from a routing protocol,
not the other way around.  However, support for redistributing in the DHCP
to Babel direction was grudgingly added after enough users asked for the
feature (yeah, I know, I'm weak):

  redistribute ip 0.0.0.0/0 le 0 proto 3 allow

(When you don't mention a proto number, the redistribution is taken to
apply to all proto numbers except 3.)

-- Juliusz
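
The filter behaviour discussed in this thread, as an added example that is not part of either post and is not babeld's own code: a simplified Python model of first-match `redistribute` evaluation, including the rule that a filter without `proto` skips proto 3 (boot) routes. The route table is constructed sample data, the `LOCAL` marker and function names are hypothetical, and treating an unmatched route as denied is an assumption of the model.

```python
import ipaddress

LOCAL = "local"  # model's marker for an address assigned to a local interface

def parse_rule(line):
    """Parse the subset of 'redistribute' syntax that appears in this thread."""
    tok = line.split()
    rule = {"ip": None, "le": None, "eq": None, "proto": None, "action": tok[-1]}
    i = 1
    while i < len(tok) - 1:
        if tok[i] == "local":
            rule["proto"], i = LOCAL, i + 1
        else:
            val = tok[i + 1]
            rule[tok[i]] = ipaddress.ip_network(val) if tok[i] == "ip" else int(val)
            i += 2
    return rule

def matches(rule, prefix, proto):
    net = ipaddress.ip_network(prefix)
    if rule["ip"] is not None and not net.subnet_of(rule["ip"]):
        return False
    if rule["le"] is not None and net.prefixlen > rule["le"]:
        return False
    if rule["eq"] is not None and net.prefixlen != rule["eq"]:
        return False
    if rule["proto"] is not None:
        return proto == rule["proto"]
    # No proto given: every kernel proto except boot (3); local needs 'local'.
    return proto not in (3, LOCAL)

def exported(config, routes):
    rules = [parse_rule(line) for line in config]
    out = []
    for prefix, proto in routes:
        # First matching rule decides; no match is denied (model assumption).
        action = next((r["action"] for r in rules if matches(r, prefix, proto)), "deny")
        if action == "allow":
            out.append((prefix, proto))
    return out

# Constructed routes: 2 = kernel, 3 = boot, 4 = static.
ROUTES = [("172.21.2.0/24", 4), ("172.21.2.0/27", 2), ("172.21.2.1/32", LOCAL),
          ("0.0.0.0/0", 3), ("0.0.0.0/0", 4)]
ORIGINAL = ["redistribute ip 0.0.0.0/0 le 24 allow", "redistribute local deny"]
NO_DEFAULT = ["redistribute ip 0.0.0.0/0 le 0 deny"] + ORIGINAL
DHCP_DEFAULT = ["redistribute ip 0.0.0.0/0 le 0 proto 3 allow"] + ORIGINAL
```

In this model `exported(ORIGINAL, ROUTES)` still announces a default route installed with proto static, while `NO_DEFAULT` announces only the covering /24 and `DHCP_DEFAULT` additionally announces the boot-marked default.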
