[OpenWrt-Devel] How to properly add an unreachable route?

On 12/07/14 20:10, Dave Taht wrote:
> I have been trying to simplify my babel setup. I have 8 /27s out of a
> single /24 that I would like not to have to expose to the universe.
> I have 172.21.2.0/27, 172.21.2.64/27 etc on each of the 8 devices I
> have. But there is no need to export each /27, as these are out of a
> single /24. The way to do that is to setup /etc/babel.conf to only
> let /24s out...
>
>     redistribute ip 0.0.0.0/0 le 24 allow
>     redistribute local deny
>
> (this can also easily be expressed in the /etc/config/babeld file)
>
> And at the moment, I add this to /etc/firewall.user to add the
> covering route locally.
>
>     ip route add unreachable 172.21.2.0/24 proto static
>
> Boom, I go from exporting 16 routes to 1.
>
> Where I'm stuck is on how to express the above line inside of uci and
> luci. Luci demands both a specific interface name and a numeric
> destination, if you are trying this via the route method.
>
> If you try the otherwise promising uci newfangled rule method by
> adding something like this to /etc/config/network
>
>     config rule
>         option dest '172.21.2.0/24'
>         option action 'unreachable'
>
> You end up bricking the router's network setup.

> mmh.. this is how i set it up with ip on a debian system
>
>     ip -6 route add unreachable 2a00:1508:1:f000::/52
>
> and then i add the smaller, more specific prefixes (/64) that i
> actually use.
>
> maybe adding a *rule* with action unreachable has an earlier
> precedence, and more specific routes will never be read?
>
> citing openwrt wiki:
>
>     action unreachable: When reaching the rule, respond with ICMP
>     unreachable messages and abort route lookup
>
> sadly, i don't see how an unreachable type route could be configured
> via uci. It seems the config route section is limited to unicast type
> routes.

The config route uci section supports unicast, local, broadcast,
multicast routes by means of the uci route parameter type. This is not
yet documented on the wiki as this support has only been recently
enabled in the netifd trunk version.

Having said that there's no support yet for unreachable, blackhole
routes as routes are tied to an interface in uci. Agree this would be
a useful extension of the uci route feature set; will have a look at
it in the near future.

>     $ ip -6 route help
>     Usage: [snip]
>            ip route { add | del | change | append | replace } ROUTE
>     [snip]
>     TYPE := [ unicast | local | broadcast | multicast | throw |
>               unreachable | prohibit | blackhole | nat ]
>
> so, going back to the rule way, maybe try adding first specific rules
> that allow routes to be looked up, and add the unreachable action at
> the end?
>
>     config rule
>         option dest '172.21.2.32/27'
>         option lookup 'main'
>
>     config rule
>         option dest '172.21.2.0/24'
>         option action 'unreachable'
>
> i'm just hypothesizing, tho
>
> cheers!!
>
> http://wiki.openwrt.org/doc/uci/network#routing.actions

___
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
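The distinction the thread turns on, a route of type unreachable inside a table (longest-prefix match, so more specific routes still win) versus a rule with action unreachable evaluated before any table lookup, as an added example that is not part of the list thread: a small Python model of Linux policy routing. The rule priorities, the babel-learned 172.21.2.32/27 and the default route are constructed assumptions for the model, not values from anyone's router.

```python
from ipaddress import ip_address, ip_network

def lookup_table(table, dst):
    """Longest-prefix match inside one table; the winning route's type decides."""
    dst = ip_address(dst)
    best = None
    for route in table:
        net = ip_network(route["dst"])
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route["type"])
    return best[1] if best else "no route"

def policy_route(rules, tables, dst):
    """Rules in priority order: 'unreachable' aborts the lookup at once,
    'lookup' consults a table and moves on only if that table has no match."""
    dst_ip = ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["prio"]):
        if "dst" in rule and dst_ip not in ip_network(rule["dst"]):
            continue
        if rule["action"] == "unreachable":
            return "unreachable"
        verdict = lookup_table(tables[rule["lookup"]], dst)
        if verdict != "no route":
            return verdict
    return "no route"

# Table 'main' as the original post builds it (constructed sample data):
MAIN = [
    {"dst": "172.21.2.0/27", "type": "unicast"},      # the device's own /27
    {"dst": "172.21.2.32/27", "type": "unicast"},     # learned via babel (assumed)
    {"dst": "0.0.0.0/0", "type": "unicast"},          # default route (assumed)
    {"dst": "172.21.2.0/24", "type": "unreachable"},  # ip route add unreachable ...
]
TABLES = {"main": MAIN}
MAIN_RULE = {"prio": 32766, "action": "lookup", "lookup": "main"}  # stock kernel rule

def route_only(dst):
    """The original post's working setup: only the unreachable route in main."""
    return policy_route([MAIN_RULE], TABLES, dst)

def bare_rule(dst):
    """A lone 'config rule' with action unreachable for the /24 (prio 1000 assumed)."""
    rules = [MAIN_RULE, {"prio": 1000, "dst": "172.21.2.0/24", "action": "unreachable"}]
    return policy_route(rules, TABLES, dst)

def lookup_rule_first(dst):
    """The reply's suggestion: a more specific 'lookup main' rule ahead of it."""
    rules = [MAIN_RULE,
             {"prio": 900, "dst": "172.21.2.32/27", "action": "lookup", "lookup": "main"},
             {"prio": 1000, "dst": "172.21.2.0/24", "action": "unreachable"}]
    return policy_route(rules, TABLES, dst)
```

In the rule-based variant every /27 that should stay reachable needs its own lookup rule ahead of the unreachable rule; a /27 without one (172.21.2.0/27 in the model) is cut off even though its route sits in table main.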