Do xinet.d services work with policy routing?

dgeist
Posts: 8
Joined: 2011/07/19 10:54:51

Do xinet.d services work with policy routing?

Post by dgeist » 2018/05/31 15:29:23

I have an environment that uses policy-based routing extensively to provide network services (DNS, DHCP, NTP, etc.) and in each case, there is a mgt interface (let's call it eth0) and a service interface (eth1). My policy rules specify that if you hit the server on any of the virtual IPs that are defined for the service, eth1, then the routing should RETURN via eth1. This has worked well and keeps the routing simple but also allows us to separate the service from the control/mgt plane.

I recently added the capability to a few hosts providing NTP servers to provide legacy "time" for devices that need it (udp/37 via xinetd/time-dgram). Strangely, the listener binds just fine on all IPs but always takes the default routing for the host and doesn't properly check against the rules in my routing policy. I can connect to the service interface from that VLAN but not from more than a hop away. I know it's not getting denied or blocked by firewalling; debugging has shown that much. Is this an incompatibility with xinetd, or am I missing something obvious about how xinetd provides system services?

Thanks
Dan

dgeist
Posts: 8
Joined: 2011/07/19 10:54:51

Re: Do xinet.d services work with policy routing?

Post by dgeist » 2018/06/06 14:04:40

Anyone have any thoughts here? Perhaps the handling of incoming requests differs between a normally bound listener and xinetd? Just looking for ideas. I'd like to not have to have a bunch of statics where source routing was working great before.

Dan

tomkep
Posts: 21
Joined: 2018/04/25 13:30:50

Re: Do xinet.d services work with policy routing?

Post by tomkep » 2018/06/06 19:40:18

Can you check what the source address in the responses is? Is it possible that xinetd uses a single IP address for all responses (regardless of the destination address in the request) and this causes the issue?

dgeist
Posts: 8
Joined: 2011/07/19 10:54:51

Re: Do xinet.d services work with policy routing?

Post by dgeist » 2018/06/06 21:27:04

tomkep wrote on 2018/06/06 19:40:18:
    Can you check what the source address in the responses is? Is it possible that xinetd uses a single IP address for all responses (regardless of the destination address in the request) and this causes the issue?

I was able to tcpdump on the various interfaces, and it looks to take the first IP on the egress interface of the default routing table. For example, if I do nothing, then the egress IP is that of the mgt interface (this is all in IPv6, BTW). If I create a generic "ip -6 route" in the default policy for the destination of the sender, the egress IP is always that of the FIRST address for that interface that appears in the "ip -6 addr" output (even if I hit other valid addresses on that link that work fine for other network services).

It's almost as if xinetd isn't fully iproute2 compliant and is relying on older kernel stack conventions for its behavior.

Dan
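The behaviour the tcpdump shows (replies leaving from the first address of the egress interface instead of the VIP that was hit) is what a wildcard-bound UDP socket gets when it answers with a plain sendto and lets the kernel pick the source address; source-based "ip -6 rule" entries then never match the return traffic. The following is an added example, not code from this thread or from xinetd, of a udp/37 "time" responder that asks for IPV6_RECVPKTINFO and echoes the IPV6_PKTINFO control message on the reply, so the source address is the one the client used. It assumes Linux and a wildcard-bound IPv6 socket; the thread does not confirm that this is how xinetd's time-dgram is implemented.

```python
import socket
import struct
import time

# struct in6_pktinfo { struct in6_addr ipi6_addr; unsigned int ipi6_ifindex; }
IN6_PKTINFO = struct.Struct("16sI")
RFC868_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch


def pktinfo_cmsg(addr_text, ifindex):
    """Build an IPV6_PKTINFO control message for a textual address/ifindex."""
    return (socket.IPPROTO_IPV6, socket.IPV6_PKTINFO,
            IN6_PKTINFO.pack(socket.inet_pton(socket.AF_INET6, addr_text), ifindex))


def reply_pktinfo(ancdata):
    """From a received datagram's control messages, return the ancillary data
    that makes the reply leave from the same local address and interface, plus
    that address as text. ([], None) means no pktinfo was delivered, and the
    kernel will choose the source address itself (the symptom in the thread)."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IPV6 and ctype == socket.IPV6_PKTINFO:
            addr, ifindex = IN6_PKTINFO.unpack(data[:IN6_PKTINFO.size])
            cmsg = (level, ctype, IN6_PKTINFO.pack(addr, ifindex))
            return [cmsg], socket.inet_ntop(socket.AF_INET6, addr)
    return [], None


def rfc868_time(now=None):
    """RFC 868 'time' payload: 32-bit big-endian seconds since 1900-01-01."""
    secs = int(time.time() if now is None else now) + RFC868_OFFSET
    return struct.pack("!I", secs & 0xFFFFFFFF)


def serve_time_dgram(bind_addr="::", port=37, max_requests=None):
    """Wildcard-bound udp/37 responder that answers from the destination
    address of each request instead of the default-route source address."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    # Ask the kernel to report which local address each datagram arrived on.
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_RECVPKTINFO, 1)
    sock.bind((bind_addr, port))
    handled = 0
    while max_requests is None or handled < max_requests:
        _, ancdata, _, peer = sock.recvmsg(64, socket.CMSG_SPACE(IN6_PKTINFO.size))
        anc, _local = reply_pktinfo(ancdata)
        # Echo the pktinfo so the reply's source is the VIP the client used.
        sock.sendmsg([rfc868_time()], anc, 0, peer)
        handled += 1
    sock.close()
    return handled
```

Compared with the tcpdump in the thread, a responder written this way replies from the address the request was sent to, so the policy rule keyed on that VIP selects the eth1 table for the return path.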
