* missing icmp redirects
From: Per Jessen @ 2014-04-08 13:49 UTC (permalink / raw)
To: netdev
See complete description here:
https://bugzilla.kernel.org/show_bug.cgi?id=72561
Summary - some ICMP redirects seem to be missing.
Alan suggests I gather some traces, but I am unsure of what to trace.
Suggestions please?
Thanks
Per Jessen
* RE: missing icmp redirects
From: Lukas Tribus @ 2014-04-08 15:34 UTC (permalink / raw)
To: Per Jessen, netdev
> See complete description here:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=72561
>
> Summary - some ICMP redirects seem to be missing.
>
> Alan suggests I gather some traces, but I am unsure of what to trace.
> Suggestions please?
Reproduce the actual issue and post a simplified testcase, without
transparent proxying, etc.
* Re: missing icmp redirects
From: Per Jessen @ 2014-06-10 18:10 UTC (permalink / raw)
To: Lukas Tribus; +Cc: netdev
Lukas Tribus wrote:
>> See complete description here:
>>
>> https://bugzilla.kernel.org/show_bug.cgi?id=72561
>>
>> Summary - some ICMP redirects seem to be missing.
>>
>> Alan suggests I gather some traces, but I am unsure of what to trace.
>> Suggestions please?
>
> Reproduce the actual issue and post a simplified testcase, without
> transparent proxying, etc.
Okay, I have devised a way to reproduce the problem:

I have a test setup of three machines: “client”, “firewall” and “server”,
all on the same network.

Client:
  Set up default route via “firewall”.

Server:
  Assign 10.232.1.1-2-3-4-...-15/24 to an interface.
  Run a tcp echo service (port 7).

Firewall:
  Create routing table “test99” in /etc/iproute2/rt_tables.

    ip route add default via <server> dev eth0 table test99
    ip rule add fwmark 5 table test99
    iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 7 -j MARK --set-mark 5

  (this setup is what will produce the ICMP redirects).

On “firewall”, run tcpdump to document (missing) redirects:

    tcpdump -n -i eth0 proto \\icmp

On “client”, create some test input:

    cat <<XXX >test.input
    klop
    alpha
    nothing
    tagi
    line1
    line2
    line3
    line4
    XXX

Create a script:

    cat <<'XXX' >doit   # quoted delimiter, so $i is kept literal in the script
    for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
    do
      telnet 10.232.1.$i 7 <test.input &
    done
    XXX

When you run “sh doit”, all of the telnet requests to 10.232.1.x should be
redirected, but the tcpdump running on "firewall" will only show some of them.
* Re: missing icmp redirects
From: Dmitry Popov @ 2014-06-10 20:06 UTC (permalink / raw)
To: Per Jessen; +Cc: Lukas Tribus, netdev
On Tue, 10 Jun 2014 20:10:23 +0200
Per Jessen <per@computer.org> wrote:
> Lukas Tribus wrote:
> >> See complete description here:
> >>
> >> https://bugzilla.kernel.org/show_bug.cgi?id=72561
> >>
> >> Summary - some ICMP redirects seem to be missing.
> >>
> Okay, I have devised a way to reproduce the problem:
>
> ...
It's probably not a bug, but intended behavior. See ip_rt_send_redirect in
net/ipv4/route.c. The kernel has a built-in per-source-address limiter for icmp
redirects.
You can disable it for example with
echo -1 > /proc/sys/net/ipv4/route/redirect_silence
Though I am not sure if it is ok in wild networks.
* Re: missing icmp redirects
From: Per Jessen @ 2014-06-11 7:19 UTC (permalink / raw)
To: Dmitry Popov; +Cc: Lukas Tribus, netdev
Dmitry Popov wrote:
> On Tue, 10 Jun 2014 20:10:23 +0200
> Per Jessen <per@computer.org> wrote:
>
>> Lukas Tribus wrote:
>>>> See complete description here:
>>>>
>>>> https://bugzilla.kernel.org/show_bug.cgi?id=72561
>>>>
>>>> Summary - some ICMP redirects seem to be missing.
>>>>
>> Okay, I have devised a way to reproduce the problem:
>>
>> ...
>
> It's probably not a bug, but intended behavior. See ip_rt_send_redirect in
> net/ipv4/route.c. The kernel has a built-in per-source-address limiter for icmp
> redirects.
Hi Dmitry
Any possibility that this limiter may have been inactive/faulty in e.g. 2.6.34?
We only hit this issue when we upgraded the firewall to a newer openSUSE (for
ebtables) which came with kernel 3.11.6, but prior to that we had no issue with
missing redirects.
> You can disable it for example with
> echo -1 > /proc/sys/net/ipv4/route/redirect_silence
> Though I am not sure if it is ok in wild networks.
Okay, that worked on the first attempt.
Should I also be looking at the other redirect settings?
/proc/sys/net/ipv4/route/redirect_load
/proc/sys/net/ipv4/route/redirect_number
thanks
Per
* Re: missing icmp redirects
From: Dmitry Popov @ 2014-06-11 15:04 UTC (permalink / raw)
To: Per Jessen; +Cc: David S. Miller, Lukas Tribus, netdev
On Wed, 11 Jun 2014 09:19:22 +0200
Per Jessen <per@computer.org> wrote:
> Dmitry Popov wrote:
> > On Tue, 10 Jun 2014 20:10:23 +0200
> > Per Jessen <per@computer.org> wrote:
> >
> >> Lukas Tribus wrote:
> >>>> See complete description here:
> >>>>
> >>>> https://bugzilla.kernel.org/show_bug.cgi?id=72561
> >>>>
> >>>> Summary - some ICMP redirects seem to be missing.
> >>>>
> > It's probably not a bug, but intended behavior. See ip_rt_send_redirect in
> > net/ipv4/route.c. The kernel has a built-in per-source-address limiter for icmp
> > redirects.
> Any possibility that this limiter may have been inactive/faulty in e.g. 2.6.34?
Hi!
This limiter worked per-destination-address before kernel v3.6. More precisely,
commit 1d861aa4b3 (inet: Minimize use of cached route inetpeer) changed that
behavior. I don't know the reasons behind it (both approaches have pros and
cons), I think you should ask David if you're curious.
* upd: it's not a limiter for icmp redirects only, it is used for other icmp
errors too.
> > You can disable it for example with
> > echo -1 > /proc/sys/net/ipv4/route/redirect_silence
> > Though I am not sure if it is ok in wild networks.
>
> Okay, that worked on the first attempt.
> Should I also be looking at the other redirect settings?
>
> /proc/sys/net/ipv4/route/redirect_load
> /proc/sys/net/ipv4/route/redirect_number
redirect_silence is enough, you can look at the algorithm (it's simple enough)
in net/ipv4/route.c:ip_rt_send_redirect if you're curious how it works and what
those settings mean.
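Added model of the limiter Dmitry points at, not code from this thread or from the kernel: a pared-down Python re-implementation of the ip_rt_send_redirect rate-limiting logic, replaying the "sh doit" burst of 15 connections from one client. The sysctl defaults it uses (redirect_number=9, redirect_load=HZ/50, redirect_silence=(HZ/50)<<10), HZ=1000 and the client address are assumptions; the key_on switch stands in for the per-source (v3.6 and later) versus per-destination (earlier) keying described above.

```python
# Added model, not kernel code: pared-down ip_rt_send_redirect rate limiter.
# Assumed defaults: redirect_number=9, redirect_load=HZ/50,
# redirect_silence=(HZ/50)<<10, HZ=1000 (assumptions, not from the thread).
from dataclasses import dataclass, field

HZ = 1000
MASK = (1 << 64) - 1          # unsigned long jiffies on a 64-bit kernel

def time_after(a: int, b: int) -> bool:
    """Kernel time_after(a, b): (long)(b - a) < 0, wrap-around safe."""
    return ((b - a) & MASK) >= (1 << 63)

@dataclass
class PeerState:
    rate_last: int = 0        # jiffies of the last sent (or suppressed) redirect
    rate_tokens: int = 0      # redirects sent in the current burst

@dataclass
class RedirectLimiter:
    redirect_number: int = 9
    redirect_load: int = HZ // 50
    redirect_silence: int = (HZ // 50) << (9 + 1)
    key_on: str = "saddr"     # per-source since v3.6; "daddr" models pre-3.6
    peers: dict = field(default_factory=dict)

    def should_send(self, jiffies: int, saddr: str, daddr: str) -> bool:
        key = saddr if self.key_on == "saddr" else daddr
        peer = self.peers.setdefault(key, PeerState())
        # Quiet for redirect_silence jiffies: start a fresh burst. Writing -1
        # wraps to ULONG_MAX, so the deadline is rate_last - 1 and this always fires.
        if time_after(jiffies, (peer.rate_last + self.redirect_silence) & MASK):
            peer.rate_tokens = 0
        if peer.rate_tokens >= self.redirect_number:   # burst budget spent
            peer.rate_last = jiffies
            return False
        # Exponential backoff: wait load << tokens jiffies between redirects.
        deadline = (peer.rate_last + (self.redirect_load << peer.rate_tokens)) & MASK
        if peer.rate_tokens == 0 or time_after(jiffies, deadline):
            peer.rate_last = jiffies
            peer.rate_tokens += 1
            return True
        return False

def simulate(limiter: RedirectLimiter, n: int = 15, spacing: int = 5,
             client: str = "10.232.0.50") -> int:
    """Redirects sent for n SYNs from one client to 10.232.1.1..n, spaced apart."""
    return sum(limiter.should_send(i * spacing, client, f"10.232.1.{i + 1}")
               for i in range(n))
```

With the defaults, 15 connections 5 jiffies apart yield 2 redirects; with redirect_silence=-1 or per-destination keying, all 15 are sent.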