On 3/18/24 15:42, David Ahern wrote:
> On 3/17/24 8:38 PM, Hangbin Liu wrote:
>> Wild guess, the last change of icmp_redirect is my netns update. Maybe
>> there are some default sysctl settings in netns that cause the error?
>
> It is most likely sysctl settings. It would be good to chase those down
> and make sure we have the script setting them.
>
> Mirsad: What OS are you testing with? That script has a verbose option
> (-v) to get more output like the commands run and pause-on-fail (-p) to
> manually debug at that point.

Hi, David,

I am running an Ubuntu 22.04 LTS box, with the iptools upgraded to the
iproute2-next tree of March 15th, on the torvalds tree.

Right now I have tried it against the net-next tree, and I get the same result:

# timeout set to 3600
# selftests: net: icmp_redirect.sh
#
# ###########################################################################
# Legacy routing
# ###########################################################################
#
# TEST: IPv4: redirect exception               [FAIL]
# TEST: IPv6: redirect exception               [ OK ]
# TEST: IPv4: redirect exception plus mtu      [FAIL]
# TEST: IPv6: redirect exception plus mtu      [ OK ]
# TEST: IPv4: routing reset                    [ OK ]
# TEST: IPv6: routing reset                    [ OK ]
# TEST: IPv4: mtu exception                    [ OK ]
# TEST: IPv6: mtu exception                    [ OK ]
# TEST: IPv4: mtu exception plus redirect      [FAIL]
# TEST: IPv6: mtu exception plus redirect      [ OK ]
#
# ###########################################################################
# Legacy routing with VRF
# ###########################################################################
#
# TEST: IPv4: redirect exception               [FAIL]
# TEST: IPv6: redirect exception               [ OK ]
# TEST: IPv4: redirect exception plus mtu      [FAIL]
# TEST: IPv6: redirect exception plus mtu      [ OK ]
# TEST: IPv4: routing reset                    [ OK ]
# TEST: IPv6: routing reset                    [ OK ]
# TEST: IPv4: mtu exception                    [ OK ]
# TEST: IPv6: mtu exception                    [ OK ]
# TEST: IPv4: mtu exception plus redirect      [FAIL]
# TEST: IPv6: mtu exception plus redirect      [ OK ]
#
# ###########################################################################
# Routing with nexthop objects
# ###########################################################################
#
# TEST: IPv4: redirect exception               [FAIL]
# TEST: IPv6: redirect exception               [ OK ]
# TEST: IPv4: redirect exception plus mtu      [FAIL]
# TEST: IPv6: redirect exception plus mtu      [ OK ]
# TEST: IPv4: routing reset                    [ OK ]
# TEST: IPv6: routing reset                    [ OK ]
# TEST: IPv4: mtu exception                    [ OK ]
# TEST: IPv6: mtu exception                    [ OK ]
# TEST: IPv4: mtu exception plus redirect      [FAIL]
# TEST: IPv6: mtu exception plus redirect      [ OK ]
#
# ###########################################################################
# Routing with nexthop objects and VRF
# ###########################################################################
#
# TEST: IPv4: redirect exception               [FAIL]
# TEST: IPv6: redirect exception               [ OK ]
# TEST: IPv4: redirect exception plus mtu      [FAIL]
# TEST: IPv6: redirect exception plus mtu      [ OK ]
# TEST: IPv4: routing reset                    [ OK ]
# TEST: IPv6: routing reset                    [ OK ]
# TEST: IPv4: mtu exception                    [ OK ]
# TEST: IPv6: mtu exception                    [ OK ]
# TEST: IPv4: mtu exception plus redirect      [FAIL]
# TEST: IPv6: mtu exception plus redirect      [ OK ]
#
# Tests passed: 28
# Tests failed: 12
# Tests xfailed: 0
not ok 45 selftests: net: icmp_redirect.sh # exit=1

So, it is probably the sysctl you said, but I cannot tell which one.

My /etc/sysctl.conf looks like this (I think something like Libreswan VPN
required these redirects to be turned off):

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

###################################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1

net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
#

###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
#kernel.sysrq=438

Thank you.

Best regards,
Mirsad