[OpenWrt-Devel] How to properly add an unreachable route

2014-07-13 Thread Hans Dedecker
On 12/07/14 20:10, Dave Taht wrote:
 I have been trying to simplify my babel setup. I have
 8 /27s out of a single /24 that I would like not
 to have to expose to the universe.

 I have 172.21.2.0/27, 172.21.2.64/27 etc
 on each of the 8 devices I have.

 But there is no need to export each /27, as these
 are out of a single /24.

 The way to do that is to setup /etc/babel.conf to only
 let /24s out...

 redistribute ip 0.0.0.0/0 le 24 allow
 redistribute local deny

 (this can also easily be expressed in the /etc/config/babeld
  file)

 And at the moment, I add this to /etc/firewall.user
 to add the covering route locally.

 ip route add unreachable 172.21.2.0/24 proto static

 Boom, I go from exporting 16 routes to 1.

 Where I'm stuck is on how to express the above line
 inside of uci and luci. Luci demands both a specific
 interface name and a numeric destination, if you are
 trying this via the route method.

 If you try the otherwise promising uci newfangled rule method
 by adding something like this to /etc/config/network

 config rule
     option dest   '172.21.2.0/24'
     option action 'unreachable'

 You end up bricking the router's network setup.

mmh..

This is how I set it up with ip on a Debian system

ip -6 route add unreachable 2a00:1508:1:f000::/52

and then I add the smaller, more specific prefixes (/64) that I actually
use.

maybe adding a *rule* with action unreachable has an earlier precedence,
and more specific routes will never be read?

citing openwrt wiki: action unreachable: When reaching the rule,
respond with ICMP unreachable messages and abort route lookup

Sadly, I don't see how an unreachable type route could be configured
via uci. It seems the config route section is limited to unicast
type routes.

The config route uci section supports unicast, local, broadcast,
multicast routes by means of the uci route parameter type.
This is not yet documented on the wiki as this support has only been
recently enabled in the netifd trunk version.
Having said that there's no support yet for unreachable, blackhole
routes as routes are tied to an interface in uci.
Agree this would be a useful extension of the uci route feature set;
will have a look at it in the near future.


$ ip -6 route help
Usage:
[snip]
 ip route { add | del | change | append | replace } ROUTE
[snip]
TYPE := [ unicast | local | broadcast | multicast | throw |
  unreachable | prohibit | blackhole | nat ]

so, going back to the rule way, maybe try adding first specific rules
that allow routes to be looked up, and add the unreachable action at
the end?

config rule
    option dest   '172.21.2.32/27'
    option lookup 'main'

config rule
    option dest   '172.21.2.0/24'
    option action 'unreachable'

I'm just hypothesizing, tho

cheers!!


 http://wiki.openwrt.org/doc/uci/network#routing.actions
 ___
 openwrt-devel mailing list
 openwrt-devel at lists.openwrt.org
 https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel



[OpenWrt-Devel] How to properly add an unreachable route?

2014-07-12 Thread Dave Taht
I have been trying to simplify my babel setup. I have
8 /27s out of a single /24 that I would like not
to have to expose to the universe.

I have 172.21.2.0/27, 172.21.2.64/27 etc
on each of the 8 devices I have.

But there is no need to export each /27, as these
are out of a single /24.

The way to do that is to setup /etc/babel.conf to only
let /24s out...

redistribute ip 0.0.0.0/0 le 24 allow
redistribute local deny

(this can also easily be expressed in the /etc/config/babeld
 file)

And at the moment, I add this to /etc/firewall.user
to add the covering route locally. 

ip route add unreachable 172.21.2.0/24 proto static

Boom, I go from exporting 16 routes to 1.

Where I'm stuck is on how to express the above line
inside of uci and luci. Luci demands both a specific
interface name and a numeric destination, if you are
trying this via the route method.

If you try the otherwise promising uci newfangled rule method
by adding something like this to /etc/config/network

config rule
    option dest   '172.21.2.0/24'
    option action 'unreachable'

You end up bricking the router's network setup.

http://wiki.openwrt.org/doc/uci/network#routing.actions


Re: [OpenWrt-Devel] How to properly add an unreachable route?

2014-07-12 Thread Gui Iribarren
On 12/07/14 20:10, Dave Taht wrote:
 I have been trying to simplify my babel setup. I have
 8 /27s out of a single /24 that I would like not
 to have to expose to the universe.
 
 I have 172.21.2.0/27, 172.21.2.64/27 etc
 on each of the 8 devices I have.
 
 But there is no need to export each /27, as these
 are out of a single /24.
 
 The way to do that is to setup /etc/babel.conf to only
 let /24s out...
 
 redistribute ip 0.0.0.0/0 le 24 allow
 redistribute local deny
 
 (this can also easily be expressed in the /etc/config/babeld
  file)
 
 And at the moment, I add this to /etc/firewall.user
 to add the covering route locally. 
 
 ip route add unreachable 172.21.2.0/24 proto static
 
 Boom, I go from exporting 16 routes to 1.
 
 Where I'm stuck is on how to express the above line
 inside of uci and luci. Luci demands both a specific
 interface name and a numeric destination, if you are
 trying this via the route method.
 
 If you try the otherwise promising uci newfangled rule method
 by adding something like this to /etc/config/network
 
 config rule
   option dest   '172.21.2.0/24'
   option action 'unreachable'
 
 You end up bricking the router's network setup.

mmh..

This is how I set it up with ip on a Debian system

ip -6 route add unreachable 2a00:1508:1:f000::/52

and then I add the smaller, more specific prefixes (/64) that I actually
use.

maybe adding a *rule* with action unreachable has an earlier precedence,
and more specific routes will never be read?

citing openwrt wiki: action unreachable: When reaching the rule,
respond with ICMP unreachable messages and abort route lookup

Sadly, I don't see how an unreachable type route could be configured
via uci. It seems the config route section is limited to unicast
type routes.

$ ip -6 route help
Usage:
[snip]
 ip route { add | del | change | append | replace } ROUTE
[snip]
TYPE := [ unicast | local | broadcast | multicast | throw |
  unreachable | prohibit | blackhole | nat ]

so, going back to the rule way, maybe try adding first specific rules
that allow routes to be looked up, and add the unreachable action at
the end?

config rule
    option dest   '172.21.2.32/27'
    option lookup 'main'

config rule
    option dest   '172.21.2.0/24'
    option action 'unreachable'

I'm just hypothesizing, tho

cheers!!

 
 http://wiki.openwrt.org/doc/uci/network#routing.actions
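The thread turns on the difference between a covering route of type unreachable (Dave's `ip route add unreachable 172.21.2.0/24`) and a policy rule with `action 'unreachable'` (the uci config that bricked the router), plus Gui's suggestion of ordering specific rules ahead of the unreachable rule. The following is an added simulation of the two Linux lookup stages involved, written for this page; it is not code from the thread, from OpenWrt or from netifd. A routing table is matched by longest prefix, and the matched route's type decides the outcome; rules are walked in priority order before any table is consulted, and an unreachable action ends the lookup right there. The addresses are taken from the thread's /27 and /24 prefixes; the device names, the babel-learned /27 and the rule priorities are constructed for the example (in particular, the priority netifd gives uci rules relative to the default `lookup main` rule is an assumption here).

```python
import ipaddress

# Added example, not code from the thread or from OpenWrt/netifd.
# Models the two Linux lookup stages the thread is about:
#   1. policy rules (ip rule / uci "config rule"), walked in priority order;
#      a rule either selects a table to look up or ends the lookup with an
#      action such as "unreachable";
#   2. a routing table, where longest-prefix match selects the route and the
#      route's type (unicast, unreachable, ...) decides what happens.
# Rule priorities and device names below are constructed; the priority netifd
# assigns to uci rules is an assumption, not something the thread states.

# Routing table entries: (prefix, route type, outgoing device)
MAIN_TABLE = [
    ("172.21.2.0/27",  "unicast",     "br-lan"),   # this router's own /27
    ("172.21.2.64/27", "unicast",     "wlan0"),    # a /27 learned via babel (constructed)
    ("172.21.2.0/24",  "unreachable", None),       # covering route from Dave's mail
    ("0.0.0.0/0",      "unicast",     "eth0.2"),   # default route (constructed)
]

# Rule entries: (priority, destination selector or None, action or None, table)
DEFAULT_RULES = [(32766, None, None, "main")]              # kernel's default "lookup main"
BRICKING_RULES = [(100, "172.21.2.0/24", "unreachable", None)] + DEFAULT_RULES
ORDERED_RULES = [
    (100, "172.21.2.0/27", None, "main"),                   # Gui's idea: specific first
    (200, "172.21.2.0/24", "unreachable", None),            # then abort for the rest
] + DEFAULT_RULES


def lookup_table(table, dst):
    """Longest-prefix match; returns (route type, device) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, rtype, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rtype, dev)
    return None if best is None else (best[1], best[2])


def resolve(rules, dst, tables=None):
    """Walk the rules in priority order and return (outcome, device)."""
    tables = tables or {"main": MAIN_TABLE}
    addr = ipaddress.ip_address(dst)
    for _prio, dest, action, table in sorted(rules, key=lambda r: r[0]):
        if dest is not None and addr not in ipaddress.ip_network(dest):
            continue
        if action == "unreachable":
            return ("unreachable", None)      # lookup aborted; no table consulted
        hit = lookup_table(tables[table], dst)
        if hit is not None:
            return hit
        # no match in that table: fall through to the next rule
    return ("no route", None)


if __name__ == "__main__":
    for name, rules in (("unreachable route only", DEFAULT_RULES),
                        ("unreachable rule (bricks)", BRICKING_RULES),
                        ("specific rule, then unreachable", ORDERED_RULES)):
        print(name)
        for dst in ("172.21.2.5", "172.21.2.70", "172.21.2.200", "8.8.8.8"):
            print(f"  {dst:14} -> {resolve(rules, dst)}")
```

With only the covering route in the table, the router's own /27 and the babel-learned /27 still win by longest prefix and only the unused part of the /24 is answered with unreachable, which is the behaviour Dave gets from firewall.user. With the rule instead, every address in the /24, the router's own LAN included, is rejected before any table is looked at, which matches the reported breakage. Gui's ordering restores the local /27 but still rejects the babel-learned /27 unless each learned prefix gets its own rule, which is why the route-type approach Hans describes as a future netifd extension is the simpler fit.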