* YOSHIFUJI Hideaki <[EMAIL PROTECTED]> 2006-10-17 20:00
> In article <[EMAIL PROTECTED]> (at Tue, 17 Oct 2006 12:14:02 +0200), Thomas
> Graf <[EMAIL PROTECTED]> says:
>
> > * Ville Nuorvala <[EMAIL PROTECTED]> 2006-10-17 03:27
> > > @@ -123,7 +111,7 @@ static int fib6_rule_match(struct fib_ru
> > > return 0;
> > >
> > > if (r->src.plen) {
> > > - if (!(flags & RT6_LOOKUP_F_HAS_SADDR) ||
> > > + if (flags & RT6_LOOKUP_F_HAS_SADDR &&
> > > !ipv6_prefix_equal(&fl->fl6_src, &r->src.addr, r->src.plen))
> > > return 0;
> > > }
> >
> > This is wrong, rules matching on a source prefix must fail if no
> > source address is available.
>
> Why?
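Review bot: the replacement condition in this hunk inverts the behaviour for lookups that carry no source address: with `+ if (flags & RT6_LOOKUP_F_HAS_SADDR &&` the prefix comparison is skipped entirely whenever RT6_LOOKUP_F_HAS_SADDR is clear, so the `if (r->src.plen)` branch falls through and the rule matches, which turns a rule whose only selector is a source prefix (the `from 2001::1/128 unreachable` case discussed in this thread) into a catch-all for every source-less lookup. If the goal is to allow "any"-source lookups, such rules need to be skipped for that lookup class by an explicit criterion rather than matched by default; otherwise the original `- if (!(flags & RT6_LOOKUP_F_HAS_SADDR) ||` early return should stay. Minor style point: `flags & RT6_LOOKUP_F_HAS_SADDR` should be parenthesised before `&&` so the precedence is obvious to the reader.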
Because otherwise a rule containing only a source prefix match is
equivalent to a catch-all rule for all lookups not providing a source
address. An example: Someone adding the rule

  ip rule add from 2001::1/128 unreachable

results in _all_ lookups not providing a source address to resolve to
unreachable, which means that all source address lookups will fail.

> Do you mean that we should decide source address before we look up
> rule and route?

Not necessarily, allowing route lookups with an "any" source address and
delaying the source address selection is fine, but the proposed way of
achieving this is not working.

> We have to allow users to use auto-bind; user may NOT supply a
> source address for the packet.
> Routing is done BEFORE the source address selection (RFC3484 Section 7).

I'm sure you know the RFC better than I do, but it is my opinion that the
RFC is not very clear on this point and doesn't consider the side effects
of policy routing and implementation specific problems at all.

> We have rule for routing lookup with source address. To get consistent
> result,
> source address in the rule should be ignored when matching if the user has
> not supplied the source. Instead, we try finding appropriate source address
> which is compliant to the rule.

See the example in my first paragraph and you see this can't possibly work
in its current form. The problem starts that both the routing decision and
the source address selection are routing decisions sharing the same logic,
which are now conflicting as the behaviour for a "from ANY" lookup requires
different logic. In order to solve this, rules must be restricted to one of
these paths, i.e. a rule intending to make certain prefixes unreachable may
not apply to the source selection logic.
This can be achieved using the 'reason' field I proposed in my netconf
slides; it would allow turning the first rule example into

  rule add from 2001::1/128 for INPUT unreachable

which would no longer apply when looking up the source address or deciding
the outgoing route.