From: prmarino1@gmail.com
To: Robert Sander <r.sander@heinlein-support.de>,
netfilter@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: Configure ICMP error source address
Date: Fri, 08 Jan 2016 10:24:48 -0500 [thread overview]
Message-ID: <20160108152448.5251154.50977.21786@gmail.com> (raw)
In-Reply-To: <568F8207.9040305@heinlein-support.de>
Don't put a public address on a lo device use a dummy eth interface instead. Any IP address and it's subnet assigned to a lo device is marked as a marcian address and the traffic is dropped if it tries to leave the lo device.
I know that there is som old documentation out there (for example quagga's documentation) that says you can do it but it's been wrong since the 2.4 version off the kernel.
Linux treats the lo device differently that what routers call a loopback device. The dummy driver is the linux equivalent of what routers call a loopback device.
Original Message
From: Robert Sander
Sent: Friday, January 8, 2016 04:32
To: netfilter@vger.kernel.org; netdev@vger.kernel.org
Subject: Configure ICMP error source address
Hi,
It is possible to change the source address of ICMP error messages
generated by the kernel via
/proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr. This is currently the
only way to influence the source address as ICMP errors do not travel
through the NAT table (for obvious reasons).
We have the situation that our routers use RFC1918 addresses on their
transfer networks (which should be quite common nowadays to save on
public IPv4 addresses). ICMP errors are generated with RFC1918 source
addresses and therefor never reach the original sender.
Every router has its public IP address bound to dev lo to be reachable
even if any one interface is down. Routing protocols assure that.
Is it a good idea to develop a kernel patch that makes it possible to
select the first IPv4 address on dev lo with scope global as the source
address for ICMP errors? Would that do any harm to the Internet at large?
Regards
--
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin
http://www.heinlein-support.de
Tel: 030 / 405051-43
Fax: 030 / 405051-19
Zwangsangaben lt. §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin
next prev parent reply other threads:[~2016-01-08 15:24 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-08 9:31 Configure ICMP error source address Robert Sander
2016-01-08 15:24 ` prmarino1 [this message]
2016-01-08 16:11 ` Hannes Frederic Sowa
2016-01-09 3:57 ` prmarino1
2016-01-09 9:57 ` Hannes Frederic Sowa
2016-01-09 16:41 ` Robert Sander
2016-01-09 22:55 ` Pascal Hambourg
2016-01-09 23:01 ` Hannes Frederic Sowa
2016-01-10 19:12 ` Robert Sander
2016-01-08 16:21 ` Hannes Frederic Sowa
2016-02-15 9:13 ` Robert Sander
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160108152448.5251154.50977.21786@gmail.com \
--to=prmarino1@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=r.sander@heinlein-support.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.