[OpenWrt-Devel] How to properly add an unreachable route

Hans Dedecker dedeckeh at gmail.com
Sun Jul 13 08:17:20 EDT 2014


>On 12/07/14 20:10, Dave Taht wrote:
>> I have been trying to simplify my babel setup. I have
>> 8 /27s out of a single /24 that I would like not
>> to have to expose to the universe.
>>
>> I have 172.21.2.0/27, 172.21.2.64/27 etc
>> on each of the 8 devices I have.
>>
>> But there is no need to export each /27, as these
>> are out of a single /24.
>>
>> The way to do that is to setup /etc/babel.conf to only
>> let /24s out...
>>
>> redistribute ip 0.0.0.0/0 le 24 allow
>> redistribute local deny
>>
>> (this can also easily be expressed in the /etc/config/babeld
>>  file)
>>
>> And at the moment, I add this to /etc/firewall.user
>> to add the covering route locally.
>>
>> ip route add unreachable 172.21.2.0/24 proto static
>>
>> Boom, I go from exporting 16 routes to 1.
>>
>> Where I'm stuck is on how to express the above line
>> inside of uci and luci. Luci demands both a specific
>> interface name and a numeric destination, if you are
>> trying this via the route method.
>>
>> If you try the otherwise promising uci newfangled "rule" method
>> by adding something like this to /etc/config/network
>>
>> config rule
>>     option dest   '172.21.2.0/24'
>>     option action 'unreachable'
>>
>> You end up bricking the router's network setup.
>
>mmh..
>
>this is how i set it up with "ip" on a debian system
>
>    ip -6 route add unreachable 2a00:1508:1:f000::/52
>
>and then i add the smaller, more specific prefixes (/64) that i actually
>use.
>
>maybe adding a *rule* with action unreachable has an earlier precedence,
>and more specific routes will never be read?
>
>citing openwrt wiki: "action unreachable: When reaching the rule,
>respond with ICMP unreachable messages and abort route lookup"
>
>sadly, i don't see how an "unreachable" type route could be configured
>via uci. It seems the "config route" section is limited to "unicast"
>type routes.

The "config route" uci section supports unicast, local, broadcast,
multicast routes by means of the uci route parameter type.
This is not yet documented on the wiki as this support has only been
recently enabled in the netifd trunk version.
Having said that there's no support yet for unreachable, blackhole
routes as routes are tied to an interface in uci.
Agree this would be a useful extension of the uci route feature set;
will have a look at it in the near future.

>
>$ ip -6 route help
>Usage:
>[snip]
> ip route { add | del | change | append | replace } ROUTE
>[snip]
>TYPE := [ unicast | local | broadcast | multicast | throw |
>          unreachable | prohibit | blackhole | nat ]
>
>so, going back to the "rule" way, maybe try adding first specific rules
>that allow routes to be looked up, and add the "unreachable" action at
>the end?
>
>config rule
>    option dest   '172.21.2.32/27'
>    option lookup 'main'
>
>config rule
>    option dest   '172.21.2.0/24'
>    option action 'unreachable'
>
>i'm just hypothesizing, tho
>
>cheers!!
>
>>
>> http://wiki.openwrt.org/doc/uci/network#routing.actions
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
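A small POSIX sh helper, added here and not part of the thread, that checks the relationship Dave relies on (longest-prefix match keeps each in-use /27 reachable while the unreachable /24 answers for everything else) before emitting the ip(8) line for /etc/firewall.user. The prefixes are the ones from the thread; the helper names are constructed.

```sh
#!/bin/sh
# Added example: verify that every more-specific prefix actually lies inside
# the covering aggregate, then print the command that installs the aggregate
# as an unreachable route. A specific that is NOT covered would be blackholed
# by the aggregate, so the check refuses to emit anything in that case.

# ip4_to_int 172.21.2.64 -> 2887057984
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_for 27 -> 4294967264 (0xFFFFFFE0)
mask_for() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# covers AGG SPECIFIC: succeeds when SPECIFIC is strictly longer than AGG and
# its network bits match AGG under AGG's mask (i.e. longest-prefix match wins).
covers() {
    agg_ip=${1%/*}; agg_len=${1#*/}
    spec_ip=${2%/*}; spec_len=${2#*/}
    [ "$spec_len" -gt "$agg_len" ] || return 1
    m=$(mask_for "$agg_len")
    [ $(( $(ip4_to_int "$agg_ip") & m )) -eq $(( $(ip4_to_int "$spec_ip") & m )) ]
}

# emit_unreachable AGG SPECIFIC...: prints the ip(8) command from the thread
# for AGG, or fails (status 1) if any SPECIFIC would be swallowed by it.
emit_unreachable() {
    agg=$1; shift
    for spec in "$@"; do
        covers "$agg" "$spec" || { echo "error: $spec not inside $agg" >&2; return 1; }
    done
    echo "ip route add unreachable $agg proto static"
}

# Two of the eight /27s from the thread under their covering /24.
emit_unreachable 172.21.2.0/24 172.21.2.0/27 172.21.2.64/27
```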
