Re: DHCP renewal changes routing table

[Thomas Haller <thaller redhat com>]

On Do, 2015-06-04 at 06:13 -0600, Nicolas Bock wrote:
> On Thu, Jun 4, 2015 at 6:07 AM, Thomas Haller <thaller redhat com> 
> wrote:
> > On Do, 2015-06-04 at 05:56 -0600, Nicolas Bock wrote:
> > > Thanks Thomas for the helpful comments.
> > >
> > > It sounds like that there is no solution at the moment through
> > > networkmanager-1.0.2, right? I was naively considering some 
> > > script in
> > > /etc/NetworkManager/dispatcher.d, but from the email threads you 
> > > link
> > > it sounds like as if the routing table update would happen 
> > > anyway.
> >
> > A dispatcher script would not prevent NM from adding any routes.
> >
> > Maybe using the VPN, you use it together with a connection
> > that either only has static configuration
> >   ipv4.method=manual
> >   ipv4.addresses=...
> >   ipv4.routes=...
> > or that suppresses routes from DHCP
> >   ipv4.method=auto
> >   ipv4.routes=...
> >   ipv4.ignore-auto-routes=yes
> > that might work well enough, but that's not a real solution.
> Could I do that such that nm uses the normal approach while not using
> ncsvc, and switches to ignoring routes while under VPN?

you can add a second connections (connections are like "profiles").

You would still have to activate the right one manually, but maybe
combine it with your VPN startup-script...

  #!/bin/sh
  nmcli connection up eth0-static-routes
  ncsvc connect


Thomas

> > Thomas
> >
> >
> > > Thanks again for the help!
> > >
> > > nick
> > >
> > >
> > > On Thu, Jun 4, 2015 at 5:45 AM, Thomas Haller <thaller redhat com
> > > >
> > > wrote:
> > > > On Do, 2015-06-04 at 04:55 -0600, Nicolas Bock wrote:
> > > > > Hi,
> > > > >
> > > > > When I run the Juniper Network Connect client (ncsvc) it
> > > > > terminates
> > > > > every time the DHCP license is renewed. The log files of 
> > > > > ncsvc
> > > > > are
> > > > > unfortunately rather cryptic, but it appears as if the DHCP
> > > > > renewal
> > > > > leads to a change in the routing table which triggers a
> > > > > "rmon.error"
> > > > > in ncsvc which then tears down the VPN tunnel. Using 
> > > > > timestamps
> > > > > the
> > > > > following two events correlate:
> > > > >
> > > > > 20150603133456.514649 ncsvc[p6870.t6870] rmon.error Route to
> > > > > destination 192.168.1.1 is missing mask 255.255.255.255 with 
> > > > > gw
> > > > > 0.0.0.0, metric 1, if_id 0, disconnecting (routemon.cpp:628)
> > > > >
> > > > > which coincides with the following journal entries:
> > > > >
> > > > > Jun 03 13:34:55.454967 host NetworkManager[1805]: address
> > > > > 192.168.1.16
> > > > > Jun 03 13:34:55.454985 host NetworkManager[1805]: plen 24
> > > > > Jun 03 13:34:55.454990 host NetworkManager[1805]: expires in 
> > > > > 300
> > > > > seconds
> > > > > Jun 03 13:34:55.455026 host NetworkManager[1805]: gateway
> > > > > 192.168.1.1
> > > > > Jun 03 13:34:55.455035 host NetworkManager[1805]: nameserver
> > > > > '192.168.1.1'
> > > > > Jun 03 13:34:55.455210 host NetworkManager[1805]: (wlp6s0):
> > > > > DHCPv4
> > > > > state changed bound -> bound
> > > > > Jun 03 13:34:55.456679 host dbus[1799]: [system] Activating 
> > > > > via
> > > > > systemd: service name='org.freedesktop.nm_dispatcher' 
> > > > > unit='dbus
> > > > > -org.freedesktop.nm-dispatcher.service'
> > > > > Jun 03 13:34:55.461372 host dbus[1799]: [system] Successfully
> > > > > activated service 'org.freedesktop.nm_dispatcher'
> > > > > Jun 03 13:34:55.462021 host nm-dispatcher[8295]: Dispatching
> > > > > action
> > > > > 'dhcp4-change' for wlp6s0
> > > > > Jun 03 13:34:56.514958 host systemd-networkd[1803]: tun0 : 
> > > > > lost
> > > > > carrier
> > > > >
> > > > > Besides the ncsvc error listed above I sometimes also see 
> > > > > this
> > > > > one:
> > > > >
> > > > > 20150603132151.174661 ncsvc[p6870.t6870] rmon.error 
> > > > > Unauthorized
> > > > > new
> > > > > route to 192.168.1.0/0.0.0.0 has been added        (conflicts
> > > > > with
> > > > > our route to 0.0.0.0), disconnecting (routemon.cpp:598)
> > > > >
> > > > > Both seem to indicate that the routing table is changed on 
> > > > > DHCP
> > > > > renewal. Is there a way to prevent networkmanager from doing
> > > > > this? Or
> > > > > is this problem caused by something else possibly?
> > > >
> > > > as you suspect, this is caused by NetworkManager. At various 
> > > > times
> > > > (e.g. when activating a connection, or on new DHCP lease), NM 
> > > > will
> > > > reinstall routes.
> > > >
> > > >
> > > > recently there was a related email thread:
> > > > https://mail.gnome.org/archives/networkmanager-list/2015
> > > > -May/msg00016.html
> > > >
> > > > but no solution either.
> > > >
> > > >
> > > > We could change NM not only do any system-modification when it 
> > > > will
> > > > actually have any effect.
> > > > Like, re-installing a route, only if it is not yet currently 
> > > > there.
> > > >
> > > >
> > > > There was an idea to add a feature to "propert routes".
> > > > https://bugzilla.gnome.org/show_bug.cgi?id=749376
> > > > It's not clear how this feature could look like, but probably 
> > > > it
> > > > should
> > > > be designed in a way, that you can tell NM ~not to configure~
> > > > certain
> > > > routes.
> > > >
> > > >
> > > > IMO ncsvc should allow you to white-list certain routes, so you
> > > > could
> > > > say: don't tear down VPN when somebody messes with 
> > > > 192.168.1.0/24.
> > > >
> > > >
> > > > Thomas

Attachment: signature.asc
Description: This is a digitally signed message part