1448987 – NM does not use new route when adding host route for DHCP server

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1448987 - NM does not use new route when adding host route for DHCP server

Summary: NM does not use new route when adding host route for DHCP server

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	NetworkManager
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Beniamino Galvani
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-09 02:09 UTC by Jonathan Maxwell
Modified:	2020-09-10 10:32 UTC (History)
CC List:	9 users (show)
Fixed In Version:	NetworkManager-1.8.0-3.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 09:28:57 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
[PATCH] dhcp: don't add route to DHCP4 server (3.21 KB, patch) 2017-05-10 16:07 UTC, Beniamino Galvani	no flags	Details \| Diff
Routed DHCP test script (1019 bytes, application/x-shellscript) 2017-05-10 16:10 UTC, Beniamino Galvani	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:2299	0	normal	SHIPPED_LIVE	Moderate: NetworkManager and libnl3 security, bug fix and enhancement update	2017-08-01 12:40:28 UTC

Description Jonathan Maxwell 2017-05-09 02:09:08 UTC

Description of problem:

As per: https://bugzilla.redhat.com/show_bug.cgi?id=983325

NetworkManager will add a host route for the DHCP server. This is usually not a problem provided the customer has only one router per subnet, the default router. But if there are 2 routers on the same subnet and a new route has been defined for the subnet that the DHCP server is on, then this could present a problem depending on the customers external network configuration.

Take my LAB system, here we have where 10.7.1.66 is the dhcp server:

[root@unused ~]# ip addr

2: eno16780032: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:a5:70:8a brd ff:ff:ff:ff:ff:ff
    inet 10.7.1.233/24 brd 10.7.1.255 scope global dynamic eno16780032
       valid_lft 259138sec preferred_lft 259138sec
    inet6 fe80::250:56ff:fea5:708a/64 scope link 
       valid_lft forever preferred_lft forever

[root@unused ~]# ip route 
default via 10.7.1.254 dev eno16780032  proto static  metric 100 
10.7.1.66 via 10.7.1.254 dev eno16780032  proto dhcp  metric 100 << added by NM
10.7.1.0/24 dev eno16780032  proto kernel  scope link  src 10.7.1.233 
[root@unused ~]# 

Now if we add a new route for the 10.0.0.0/8 subnet:

# ip route add 10.0.0.0/8 via 10.7.1.2 dev eno16780032

Now see how IP addresses for 10.7.1.x e.g 10.7.1.1 resolves. DHCP server 10.7.1.66 would also resolve the same, if the host route was not there:

# ip route get 10.7.1.1
10.7.1.1 via 10.7.1.2 src 10.7.1.233

But if we restart NM then it still adds a route for 10.7.1.66 via 10.7.1.254 instead of the new router 10.7.1.2. This can be a problem for customers that expect the traffic to go trough the new route.

Version-Release number of selected component (if applicable):

RHEL7

How reproducible:

Always see above.

Actual results:

When the routing table looks like:

# ip route 
default via 10.7.1.254 dev eno16780032  proto static  metric 100 
10.0.0.0/8 via 10.7.1.2 dev eno16780032
10.7.1.66 via 10.7.1.254 dev eno16780032  proto dhcp  metric 100 
10.7.1.0/24 dev eno16780032  proto kernel  scope link  src 10.7.1.233 

Then restarting NM still shows that the DCHP server host route is still via 10.7.1.254 instead of 10.7.1.2.

# ip route 
default via 10.7.1.254 dev eno16780032  proto static  metric 100 
10.0.0.0/8 via 10.7.1.2 dev eno16780032
10.7.1.66 via 10.7.1.254 dev eno16780032  proto dhcp  metric 100 
10.7.1.0/24 dev eno16780032  proto kernel  scope link  src 10.7.1.233 

Expected results:

After restarting, expect NM to find the new route for 10.7.1.66 pointing to gw 10.7.1.2. Just like "ip route get" e.g:

# ip route get 10.7.1.1
10.7.1.1 via 10.7.1.2 src 10.7.1.233

default via 10.7.1.254 dev eno16780032  proto static  metric 100 
10.0.0.0/8 via 10.7.1.2 dev eno16780032
10.7.1.66 via 10.7.1.2 dev eno16780032  proto dhcp  metric 100 
10.7.1.0/24 dev eno16780032  proto kernel  scope link  src 10.7.1.233 

Additional info:

We have a customer that reported this after trying to kickstart RHEL7 through Anaconda and the route added by NM is breaking communications because the new route they defined for the DHCP server network is not being used.

Comment 2 Beniamino Galvani 2017-05-09 12:54:21 UTC

Hi,

it's wrong that NM adds such route because the DHCP server is already
reachable through the existing routes pushed by the server. Also, the
way in which the route gateway is chosen is wrong because it doesn't
consider the static routes, but only the default gateway. I think that
the fix for bug 983325 was implemented in the wrong way.

I wonder if that fix should exist at all, considering that:

 - dhclient script doesn't implement at all such logic (it has some
   code to add direct routes to the *gateway* if not directly
   reachable)

 - if needed, the server can be configured to push the missing route
   to be reached by the client in the classless-routes options

So, in my opinion that code should be removed or at least fixed to add
the route only when strictly necessary.

Comment 3 Jonathan Maxwell 2017-05-09 22:26:14 UTC

(In reply to Beniamino Galvani from comment #2)
> Hi,
> 
> it's wrong that NM adds such route because the DHCP server is already
> reachable through the existing routes pushed by the server. Also, the
> way in which the route gateway is chosen is wrong because it doesn't
> consider the static routes, but only the default gateway. I think that
> the fix for bug 983325 was implemented in the wrong way.
> 
> I wonder if that fix should exist at all, considering that:
> 
>  - dhclient script doesn't implement at all such logic (it has some
>    code to add direct routes to the *gateway* if not directly
>    reachable)
> 
>  - if needed, the server can be configured to push the missing route
>    to be reached by the client in the classless-routes options
> 

They are using the above to add classless-static routes already. 

> So, in my opinion that code should be removed or at least fixed to add
> the route only when strictly necessary.

Hi,

Thanks for looking into this.

I agree. That makes sense. Otherwise customers with more than one router on a subnet will have problems.

Comment 4 Beniamino Galvani 2017-05-10 16:07:57 UTC

Created attachment 1277653 [details]
[PATCH] dhcp: don't add route to DHCP4 server

Comment 5 Beniamino Galvani 2017-05-10 16:10:18 UTC

Created attachment 1277654 [details]
Routed DHCP test script

For future memory: a simple script to test scenarios like this

Comment 6 Thomas Haller 2017-05-10 19:54:06 UTC

(In reply to Beniamino Galvani from comment #4)
> Created attachment 1277653 [details]
> [PATCH] dhcp: don't add route to DHCP4 server

lgtm

Comment 7 Francesco Giudici 2017-05-16 08:33:34 UTC

I agree on #c2.
Route to DHCP server should be managed in DHCP server configuration in classless-routes options.

Patch lgtm

Comment 9 errata-xmlrpc 2017-08-01 09:28:57 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2299

Note You need to log in before you can comment on or make changes to this bug.