Thomas Haller fe80b2d1ec
cloud-setup: use suppress_prefixlength rule to honor non-default-routes in the main table
Background
==========

Imagine you run a container on your machine. Then the routing table
might look like:

    default via 10.0.10.1 dev eth0 proto dhcp metric 100
    10.0.10.0/28 dev eth0 proto kernel scope link src 10.0.10.5 metric 100
    [...]
    10.42.0.0/24 via 10.42.0.0 dev flannel.1 onlink
    10.42.1.2 dev cali02ad7e68ce1 scope link
    10.42.1.3 dev cali8fcecf5aaff scope link
    10.42.2.0/24 via 10.42.2.0 dev flannel.1 onlink
    10.42.3.0/24 via 10.42.3.0 dev flannel.1 onlink

That is, there are other interfaces with subnets and specific routes.

If nm-cloud-setup now configures rules:

    0:  from all lookup local
    30400:  from 10.0.10.5 lookup 30400
    32766:  from all lookup main
    32767:  from all lookup default

and

    default via 10.0.10.1 dev eth0 table 30400 proto static metric 10
    10.0.10.1 dev eth0 table 30400 proto static scope link metric 10

then these other subnets will also be reached via the default route.

This container example is just one case where this is a problem. In
general, if you have specific routes on another interface, then the
default route in the 30400+ table will interfere badly.

The idea of nm-cloud-setup is to automatically configure the network for
secondary IP addresses. When the user has special requirements, then
they should disable nm-cloud-setup and configure whatever they want.
But the container use case is popular and important. It is not something
where the user actively configures the network. This case needs to work better,
out of the box. In general, nm-cloud-setup should work better with the
existing network configuration.

Change
======

Add new routing tables 30200+ with the individual subnets of the
interface:

    10.0.10.0/24 dev eth0 table 30200 proto static metric 10
    [...]
    default via 10.0.10.1 dev eth0 table 30400 proto static metric 10
    10.0.10.1 dev eth0 table 30400 proto static scope link metric 10

Also add more important routing rules with priority 30200+, which select
these tables based on the source address:

    30200:  from 10.0.10.5 lookup 30200

These will do source based routing for the subnets on these
interfaces.

Then, add a rule with priority 30350

    30350:  lookup main suppress_prefixlength 0

which processes the routes from the main table, but ignores the default
routes. 30350 was chosen, because it's in between the rules 30200+ and
30400+, leaving a range for the user to configure their own rules.

Then, as before, the rules 30400+ again look at the corresponding 30400+
table, to find a default route.

Finally, process the main table again, this time honoring the default
route. That is for packets that have a different source address.

This change means that the source based routing is used for the
subnets that are configured on the interface and for the default route.
Whereas, if there are any more specific routes in the main table, they will
be preferred over the default route.

Apparently Amazon Linux solves this differently, by not configuring a
routing table for addresses on interface "eth0". That might be an
alternative, but it's not clear to me what is special about eth0 to
warrant this treatment. It also would imply that we somehow recognize
this primary interface. In practice that would be doable by selecting
the interface with "iface_idx" zero.

Instead choose this approach. This is remotely similar to what WireGuard does
for configuring the default route ([1]), however WireGuard uses fwmark to match
the packets instead of the source address.

[1] https://www.wireguard.com/netns/#improved-rule-based-routing
2021-09-16 17:30:25 +02:00
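The rule walk described in the commit message, as an added simulation that is not NetworkManager code: the tables and rules below are constructed to mirror the example above, `route()` evaluates rules by priority the way the kernel's FIB rule lookup does, and `suppress_prefixlength 0` rejects only a default-route match, so the specific container routes in the main table win before the 30400 table is consulted.

```python
import ipaddress

# Constructed routing state mirroring the commit message's example; this is an
# added simulation of the kernel's policy-rule walk, not NetworkManager code.
TABLES = {
    "main": [
        ("0.0.0.0/0", "via 10.0.10.1 dev eth0"),
        ("10.0.10.0/28", "dev eth0"),
        ("10.42.0.0/24", "via 10.42.0.0 dev flannel.1"),
        ("10.42.1.2/32", "dev cali02ad7e68ce1"),
    ],
    30200: [("10.0.10.0/24", "dev eth0")],
    30400: [("0.0.0.0/0", "via 10.0.10.1 dev eth0"), ("10.0.10.1/32", "dev eth0")],
}

# Rule tuples: (priority, "from" prefix or None, table, suppress_prefixlength or None)
OLD_RULES = [(30400, "10.0.10.5", 30400, None), (32766, None, "main", None)]
NEW_RULES = [
    (30200, "10.0.10.5", 30200, None),
    (30350, None, "main", 0),
    (30400, "10.0.10.5", 30400, None),
    (32766, None, "main", None),
]

def lookup_table(table, dst):
    """Longest-prefix match inside one table: (prefixlen, nexthop) or None."""
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop)
    return best

def route(rules, src, dst):
    """Walk the rules in priority order and return the first accepted decision."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, from_prefix, table, suppress in sorted(rules, key=lambda r: r[0]):
        if from_prefix is not None and src not in ipaddress.ip_network(from_prefix):
            continue
        hit = lookup_table(TABLES[table], dst)
        if hit is None:
            continue  # nothing in this table: fall through to the next rule
        # suppress_prefixlength N rejects a match whose prefix length is <= N, so
        # N=0 drops only the default route and keeps every more specific route.
        if suppress is not None and hit[0] <= suppress:
            continue
        return f"table {table}: {hit[1]}"
    return "unreachable"
```

With the old rules a packet from 10.0.10.5 to the container address 10.42.1.2 is sent out the 30400 default route; with the new rules it hits the main table's /32 at priority 30350, while Internet-bound traffic from 10.0.10.5 still uses table 30400 and traffic from other source addresses falls through to the main table's default route.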

******************
NetworkManager core daemon has moved to gitlab.freedesktop.org!

git clone https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git
******************


Networking that Just Works
--------------------------

NetworkManager attempts to keep an active network connection available at all
times.  The point of NetworkManager is to make networking configuration and
setup as painless and automatic as possible.  NetworkManager is intended to
replace the default route, replace other routes, set IP addresses, and in general
configure networking as NM sees fit (with the possibility of manual override as
necessary).  In effect, the goal of NetworkManager is to make networking Just
Work with a minimum of user hassle, but still allow customization and a high
level of manual network control.  If you have special needs, we'd like to hear
about them, but understand that NetworkManager is not intended for every
use case.

NetworkManager will attempt to keep every network device in the system up and
active, as long as the device is available for use (has a cable plugged in,
the killswitch isn't turned on, etc.).  Network connections can be set to
'autoconnect', meaning that NetworkManager will make that connection active
whenever it and the hardware are available.

"Settings services" store lists of user- or administrator-defined "connections",
which contain all the settings and parameters required to connect to a specific
network.  NetworkManager will _never_ activate a connection that is not in this
list, or that the user has not directed NetworkManager to connect to.


How it works:

The NetworkManager daemon runs as a privileged service (since it must access
and control hardware), but provides a D-Bus interface on the system bus to
allow for fine-grained control of networking.  NetworkManager does not store
connections or settings, it is only the mechanism by which those connections
are selected and activated.

To store pre-defined network connections, two separate services, the "system
settings service" and the "user settings service" store connection information
and provide these to NetworkManager, also via D-Bus.  Each settings service
can determine how and where it persistently stores the connection information;
for example, the GNOME applet stores its configuration in GConf, and the system
settings service stores its config in distro-specific formats, or in a distro-
agnostic format, depending on user/administrator preference.

A variety of other system services are used by NetworkManager to provide
network functionality: wpa_supplicant for wireless connections and 802.1x
wired connections, pppd for PPP and mobile broadband connections, DHCP clients
for dynamic IP addressing, dnsmasq for proxy nameserver and DHCP server
functionality for internet connection sharing, and avahi-autoipd for IPv4
link-local addresses.  Most communication with these daemons occurs, again,
via D-Bus.


Why doesn't my network Just Work?

Driver problems are the #1 cause of why NetworkManager sometimes fails to
connect to wireless networks.  Often, the driver simply doesn't behave in a
consistent manner, or is just plain buggy.  NetworkManager supports _only_
those drivers that are shipped with the upstream Linux kernel, because only
those drivers can be easily fixed and debugged.  ndiswrapper, vendor binary
drivers, or other out-of-tree drivers may or may not work well with
NetworkManager, precisely because they have not been vetted and improved by the
open-source community, and because problems in these drivers usually cannot
be fixed.

Sometimes, command-line tools like 'iwconfig' will work, but NetworkManager will
fail.  This is again often due to buggy drivers, because these drivers simply
aren't expecting the dynamic requests that NetworkManager and wpa_supplicant
make.  Driver bugs should be filed in the bug tracker of the distribution being
run, since often distributions customize their kernel and drivers.

Sometimes, it really is NetworkManager's fault.  If you think that's
the case, please file a bug at:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues

Attaching NetworkManager debug logs from the journal (or wherever your
distribution directs syslog's 'daemon' facility output, such as
/var/log/messages or /var/log/daemon.log) is often very helpful, and
(if you can get one) a working wpa_supplicant config file helps
enormously.  See the logging section of the file
contrib/fedora/rpm/NetworkManager.conf for how to enable debug logging
in NetworkManager.