Src addr code review (Was: Source IP incorrect on multi homed systems)
Nico Schottelius
nico.schottelius at ungleich.ch
Mon Feb 20 09:47:36 UTC 2023
Hey Daniel,
thanks a lot for diving in ...
Daniel Gröber <dxld at darkboxed.org> writes:
> Let's look at the code (heavily culled):
>
> struct flowi4 fl = {
>         .saddr = endpoint->src4.s_addr,
> };
> if (cache)
>         rt = dst_cache_get_ip4(cache, &fl.saddr);
What I am wondering is, how did it get into the cache in the first place?
> [...]
>
> @Nico could it perhaps simply be that you're hitting one of these zero'ing
> cases and that's why it's using regular kernel src addr selection instead
> of the cached endpoint src4 address?
That could absolutely be the case. What is funky is that I see the
problem on two very different systems, but maybe it's a good time to
elaborate on this:
- System A:
- Wireguard module loaded on the host
- Wireguard wg-quick used within a Kubernetes pod that has
permissions for managing wireguard
- The same pod also runs bird for BGP peering
- System B:
- Wireguard running as wireguard-go on OpnSense / FreeBSD
- BGP running with frr
Both systems exhibit the behaviour, but maybe it's better to focus on
System A first, as this seems to be more the "upstream" source.
Best regards,
Nico
--
Sustainable and modern Infrastructures by ungleich.ch