[CentOS] making a route sticky

Fri Aug 5 20:51:35 UTC 2005
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting Les Mikesell <lesmikesell at gmail.com>:

> On Fri, 2005-08-05 at 14:59, Aleksandar Milivojevic wrote:
>
>> > This should give you an interface that looks real enough to run zebra
>> > with rip or ospf and at least in theory it should work the same with
>> > a cisco at the other end.
>>
>> I've just run into one interesting problem with this approach.  Seems that
>> Netfilter is getting confused or something...  Or at least I haven't been
>> able to make a usable config.
>
> Does ifconfig show the GRE tunnel as a PTP interface or something with
> a reasonable netmask?  If something is trying to figure out how to
> access it, you might want to make it look like a 4-host subnet
> (netmask 255.255.255.252) using the 2 usable addresses for the
> endpoints.

It shows up as a PtP interface to itself (!?).  Strange, but it seems to
work. Well, at least as long as I don't have Netfilter enabled.

Basically, I configured GRE tunnel like this:

# ip tunnel add neta mode gre remote 1.2.3.4 local 4.3.2.1 ttl 255
# ip link set neta up
# ip addr add 10.0.0.2 dev neta
# ip route add 10.1.2.0/24 dev neta src 10.2.1.1

Anyhow, I'm still debugging the Netfilter stuff, and came across this strange
story of a single ICMP echo/reply's path through Netfilter's chains and tables:

mangle prerouting  eth0 1.2.3.4 -> 4.3.2.1 ESP
nat prerouting     eth0 1.2.3.4 -> 4.3.2.1 ESP
mangle input       eth0 1.2.3.4 -> 4.3.2.1 ESP
filter input       eth0 1.2.3.4 -> 4.3.2.1 ESP
mangle prerouting  neta 10.1.2.1 -> 10.2.1.1 ICMP
nat prerouting     neta 10.1.2.1 -> 10.2.1.1 ICMP
mangle input       neta 10.1.2.1 -> 10.2.1.1 ICMP
filter input       neta 10.1.2.1 -> 10.2.1.1 ICMP

So on an incoming packet, I never see GRE.  It's a bit of a different story on
an output packet:

mangle output      neta 10.2.1.1 -> 10.1.2.1 ICMP
filter output      neta 10.2.1.1 -> 10.1.2.1 ICMP
mangle postrouting neta 10.2.1.1 -> 10.1.2.1 ICMP
mangle output      eth0 4.3.2.1 -> 1.2.3.4 GRE
nat output         eth0 4.3.2.1 -> 1.2.3.4 GRE
filter output      eth0 4.3.2.1 -> 1.2.3.4 GRE
mangle postrouting eth0 4.3.2.1 -> 1.2.3.4 ESP
nat postrouting    eth0 4.3.3.1 -> 1.2.3.4 ESP

This might be the reason why I'm experiencing problems with connection tracking
(various chains being skipped at some encapsulation levels).  But I'm still in
the middle of debugging this thing....  Will keep the group posted.


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
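The trace pasted in the message above, run through a small parser that reconstructs which Netfilter hooks each encapsulation layer actually hit and which filter-table match would see each layer. This is an added example in Python, not code from the original post or from the CentOS list; the trace lines are copied from the post, while the expected hook orders (INPUT_PATH, OUTPUT_PATH) and the rule for splitting the trace into layers (new layer when the interface or direction changes) are my assumptions.

```python
"""Reconstruct per-layer Netfilter hook traversal from a trace like the one
in the post (format: 'table chain iface src -> dst proto').  Added example,
not part of the original message."""
import re

# Assumed table/chain order for a locally delivered and a locally generated
# packet (no FORWARD leg, since the box is the tunnel endpoint), as iptables
# traversed them on 2.4/2.6 kernels.
INPUT_PATH = [("mangle", "prerouting"), ("nat", "prerouting"),
              ("mangle", "input"), ("filter", "input")]
OUTPUT_PATH = [("mangle", "output"), ("nat", "output"), ("filter", "output"),
               ("mangle", "postrouting"), ("nat", "postrouting")]
INBOUND_CHAINS = {"prerouting", "input"}

LINE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+([\d.]+)\s*->\s*([\d.]+)\s+(\w+)$")


def parse_trace(text):
    """Return one dict per trace line; raise on a line that does not parse."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparsable trace line: %r" % raw)
        table, chain, iface, src, dst, proto = m.groups()
        entries.append({"table": table.lower(), "chain": chain.lower(),
                        "iface": iface, "src": src, "dst": dst,
                        "proto": proto.upper()})
    return entries


def split_layers(entries):
    """Group consecutive hook hits into encapsulation layers.

    Assumption: a new layer starts when the interface changes or the
    direction flips (prerouting/input inbound, output/postrouting outbound).
    The protocol may change within a layer: in the post's trace the outer
    outbound packet is GRE at the OUTPUT hooks and ESP at POSTROUTING.
    """
    layers = []
    for e in entries:
        direction = "in" if e["chain"] in INBOUND_CHAINS else "out"
        if (not layers or layers[-1]["iface"] != e["iface"]
                or layers[-1]["direction"] != direction):
            layers.append({"iface": e["iface"], "direction": direction,
                           "protos": [], "hooks": []})
        layer = layers[-1]
        if e["proto"] not in layer["protos"]:
            layer["protos"].append(e["proto"])
        layer["hooks"].append((e["table"], e["chain"], e["proto"]))
    return layers


def missing_hooks(layer):
    """Expected hooks this layer never hit, in traversal order."""
    expected = INPUT_PATH if layer["direction"] == "in" else OUTPUT_PATH
    seen = {(t, c) for t, c, _ in layer["hooks"]}
    return [h for h in expected if h not in seen]


def filter_matches(layers):
    """The filter-table chain and interface/protocol match that sees each layer.

    In this trace the inner ICMP only ever appears on neta, so a filter rule
    keyed on '-i eth0' cannot match it, and inbound GRE hits no hook at all,
    so '-i eth0 -p gre' in INPUT would match nothing either.
    """
    hints = []
    for layer in layers:
        flag = "-i" if layer["direction"] == "in" else "-o"
        for table, chain, proto in layer["hooks"]:
            if table == "filter":
                hints.append("%s: %s %s -p %s"
                             % (chain.upper(), flag, layer["iface"], proto.lower()))
    return hints


# Trace copied from the post: inbound echo request, then the outbound reply.
TRACE = """
mangle prerouting  eth0 1.2.3.4 -> 4.3.2.1 ESP
nat prerouting     eth0 1.2.3.4 -> 4.3.2.1 ESP
mangle input       eth0 1.2.3.4 -> 4.3.2.1 ESP
filter input       eth0 1.2.3.4 -> 4.3.2.1 ESP
mangle prerouting  neta 10.1.2.1 -> 10.2.1.1 ICMP
nat prerouting     neta 10.1.2.1 -> 10.2.1.1 ICMP
mangle input       neta 10.1.2.1 -> 10.2.1.1 ICMP
filter input       neta 10.1.2.1 -> 10.2.1.1 ICMP
mangle output      neta 10.2.1.1 -> 10.1.2.1 ICMP
filter output      neta 10.2.1.1 -> 10.1.2.1 ICMP
mangle postrouting neta 10.2.1.1 -> 10.1.2.1 ICMP
mangle output      eth0 4.3.2.1 -> 1.2.3.4 GRE
nat output         eth0 4.3.2.1 -> 1.2.3.4 GRE
filter output      eth0 4.3.2.1 -> 1.2.3.4 GRE
mangle postrouting eth0 4.3.2.1 -> 1.2.3.4 ESP
nat postrouting    eth0 4.3.3.1 -> 1.2.3.4 ESP
"""


def report(text):
    """One summary line per layer: direction, interface, protocols, gaps."""
    lines = []
    for layer in split_layers(parse_trace(text)):
        gaps = missing_hooks(layer)
        lines.append("%-3s %-4s %-9s missing: %s" % (
            layer["direction"], layer["iface"], "/".join(layer["protos"]),
            ", ".join("%s %s" % h for h in gaps) or "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(TRACE)))
    print("\n".join(filter_matches(split_layers(parse_trace(TRACE)))))
```

Run on the post's trace, the report shows the outbound neta/ICMP layer skipping both nat hooks while every other layer hits its full path, and the outer outbound layer carrying GRE at OUTPUT and ESP at POSTROUTING; the match hints are the interface/protocol pairs a filter rule has to use to see each layer.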