Bug 1448987 - NM does not use new route when adding host route for DHCP server
Summary: NM does not use new route when adding host route for DHCP server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: NetworkManager
Version: 7.3
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Beniamino Galvani
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-09 02:09 UTC by Jonathan Maxwell
Modified: 2017-08-01 09:28 UTC (History)
9 users (show)

Fixed In Version: NetworkManager-1.8.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:28:57 UTC

Attachments (Terms of Use)
[PATCH] dhcp: don't add route to DHCP4 server (3.21 KB, patch)
2017-05-10 16:07 UTC, Beniamino Galvani 		no flags Details | Diff
Routed DHCP test script (1019 bytes, application/x-shellscript)
2017-05-10 16:10 UTC, Beniamino Galvani 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2299 normal SHIPPED_LIVE Moderate: NetworkManager and libnl3 security, bug fix and enhancement update 2017-08-01 12:40:28 UTC

Description Jonathan Maxwell 2017-05-09 02:09:08 UTC 
Description of problem:

As per: https://bugzilla.redhat.com/show_bug.cgi?id=983325

NetworkManager will add a host route for the DHCP server. This is usually not a problem provided the customer has only one router per subnet, the default router. But if there are 2 routers on the same subnet and a new route has been defined for the subnet that the DHCP server is on, then this could present a problem depending on the customers external network configuration.

Take my LAB system, here we have where 10.7.1.66 is the dhcp server:

[root@unused ~]# ip addr

2: eno16780032: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:a5:70:8a brd ff:ff:ff:ff:ff:ff
    inet 10.7.1.233/24 brd 10.7.1.255 scope global dynamic eno16780032
       valid_lft 259138sec preferred_lft 259138sec
    inet6 fe80::250:56ff:fea5:708a/64 scope link 
       valid_lft forever preferred_lft forever

[root@unused ~]# ip route 
default via 10.7.1.254 dev eno16780032  proto static  metric 100 
10.7.1.66 via 10.7.1.254 dev eno16780032  proto dhcp  metric 100 << added by NM
10.7.1.0/24 dev eno16780032  proto kernel  scope link  src 10.7.1.233 
[root@unused ~]# 

Now if we add a new route for the 10.0.0.0/8 subnet:

# ip route add 10.0.0.0/8 via 10.7.1.2 dev eno16780032

Now see how IP addresses for 10.7.1.x e.g 10.7.1.1 resolves. DHCP server 10.7.1.66 would also resolve the same, if the host route was not there:

# ip route get 10.7.1.1
10.7.1.1 via 10.7.1.2 src 10.7.1.233

But if we restart NM then it still adds a route for 10.7.1.66 via 10.7.1.254 instead of the new router 10.7.1.2. This can be a problem for customers that expect the traffic to go trough the new route.

Version-Release number of selected component (if applicable):

RHEL7

How reproducible:

Always see above.

Actual results:

When the routing table looks like:

# ip route 
default via 10.7.1.254 dev eno16780032  proto static  metric 100 
10.0.0.0/8 via 10.7.1.2 dev eno16780032
10.7.1.66 via 10.7.1.254 dev eno16780032  proto dhcp  metric 100 
10.7.1.0/24 dev eno16780032  proto kernel  scope link  src 10.7.1.233 

Then restarting NM still shows that the DCHP server host route is still via 10.7.1.254 instead of 10.7.1.2.

# ip route 
default via 10.7.1.254 dev eno16780032  proto static  metric 100 
10.0.0.0/8 via 10.7.1.2 dev eno16780032
10.7.1.66 via 10.7.1.254 dev eno16780032  proto dhcp  metric 100 
10.7.1.0/24 dev eno16780032  proto kernel  scope link  src 10.7.1.233 

Expected results:

After restarting, expect NM to find the new route for 10.7.1.66 pointing to gw 10.7.1.2. Just like "ip route get" e.g:

# ip route get 10.7.1.1
10.7.1.1 via 10.7.1.2 src 10.7.1.233

default via 10.7.1.254 dev eno16780032  proto static  metric 100 
10.0.0.0/8 via 10.7.1.2 dev eno16780032
10.7.1.66 via 10.7.1.2 dev eno16780032  proto dhcp  metric 100 
10.7.1.0/24 dev eno16780032  proto kernel  scope link  src 10.7.1.233 

Additional info:

We have a customer that reported this after trying to kickstart RHEL7 through Anaconda and the route added by NM is breaking communications because the new route they defined for the DHCP server network is not being used.
Comment 2 Beniamino Galvani 2017-05-09 12:54:21 UTC 
Hi,

it's wrong that NM adds such route because the DHCP server is already
reachable through the existing routes pushed by the server. Also, the
way in which the route gateway is chosen is wrong because it doesn't
consider the static routes, but only the default gateway. I think that
the fix for bug 983325 was implemented in the wrong way.

I wonder if that fix should exist at all, considering that:

 - dhclient script doesn't implement at all such logic (it has some
   code to add direct routes to the *gateway* if not directly
   reachable)

 - if needed, the server can be configured to push the missing route
   to be reached by the client in the classless-routes options

So, in my opinion that code should be removed or at least fixed to add
the route only when strictly necessary.
Comment 3 Jonathan Maxwell 2017-05-09 22:26:14 UTC 
(In reply to Beniamino Galvani from comment #2)
> Hi,
> 
> it's wrong that NM adds such route because the DHCP server is already
> reachable through the existing routes pushed by the server. Also, the
> way in which the route gateway is chosen is wrong because it doesn't
> consider the static routes, but only the default gateway. I think that
> the fix for bug 983325 was implemented in the wrong way.
> 
> I wonder if that fix should exist at all, considering that:
> 
>  - dhclient script doesn't implement at all such logic (it has some
>    code to add direct routes to the *gateway* if not directly
>    reachable)
> 
>  - if needed, the server can be configured to push the missing route
>    to be reached by the client in the classless-routes options
> 

They are using the above to add classless-static routes already. 

> So, in my opinion that code should be removed or at least fixed to add
> the route only when strictly necessary.

Hi,

Thanks for looking into this.

I agree. That makes sense. Otherwise customers with more than one router on a subnet will have problems.
Comment 4 Beniamino Galvani 2017-05-10 16:07:57 UTC 
Created attachment 1277653 [details]
[PATCH] dhcp: don't add route to DHCP4 server
Comment 5 Beniamino Galvani 2017-05-10 16:10:18 UTC 
Created attachment 1277654 [details]
Routed DHCP test script

For future memory: a simple script to test scenarios like this
Comment 6 Thomas Haller 2017-05-10 19:54:06 UTC 
(In reply to Beniamino Galvani from comment #4)
> Created attachment 1277653 [details]
> [PATCH] dhcp: don't add route to DHCP4 server

lgtm
Comment 7 Francesco Giudici 2017-05-16 08:33:34 UTC 
I agree on #c2.
Route to DHCP server should be managed in DHCP server configuration in classless-routes options.

Patch lgtm
Comment 9 errata-xmlrpc 2017-08-01 09:28:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2299
Note You need to log in before you can comment on or make changes to this bug.