From mboxrd@z Thu Jan 1 00:00:00 1970
From: Robert Sander
Subject: Configure ICMP error source address
Date: Fri, 8 Jan 2016 10:31:51 +0100
Message-ID: <568F8207.9040305@heinlein-support.de>
Sender: netfilter-owner@vger.kernel.org
To: netfilter@vger.kernel.org, netdev@vger.kernel.org

Hi,

It is possible to change the source address of ICMP error messages generated by the kernel via /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr.

This is currently the only way to influence the source address as ICMP errors do not travel through the NAT table (for obvious reasons).

We have the situation that our routers use RFC1918 addresses on their transfer networks (which should be quite common nowadays to save on public IPv4 addresses). ICMP errors are generated with RFC1918 source addresses and therefore never reach the original sender.

Every router has its public IP address bound to dev lo to be reachable even if any one interface is down. Routing protocols assure that.

Is it a good idea to develop a kernel patch that makes it possible to select the first IPv4 address on dev lo with scope global as the source address for ICMP errors?

Would that do any harm to the Internet at large?

Regards
-- 
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg, Managing Director: Peer Heinlein -- Registered office: Berlin
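
An added example, not part of the original message: a Python check that parses captured IPv4 packets and flags ICMP errors whose source address lies in RFC 1918 space, the condition the message describes. The packets and addresses are constructed samples, and `inspect_icmp_error` and `build_sample` are hypothetical names.

```python
import ipaddress
import struct

# RFC 1918 ranges listed explicitly (ipaddress.is_private covers more than these).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# ICMP message types that are errors rather than queries or replies.
ICMP_ERROR_TYPES = {3: "dest-unreachable", 4: "source-quench", 5: "redirect",
                    11: "time-exceeded", 12: "parameter-problem"}


def inspect_icmp_error(packet: bytes):
    """Return (src, error_name, original_sender, src_is_rfc1918) for an IPv4
    ICMP error, or None if the packet is not one or is truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                          # malformed, not ICMP, or cut short
    icmp_type = packet[ihl]
    if icmp_type not in ICMP_ERROR_TYPES:
        return None
    src = ipaddress.ip_address(packet[12:16])
    # After the 8-byte ICMP header the error quotes the offending datagram's
    # IP header; that header's source is the host the error is meant for.
    inner = packet[ihl + 8:]
    sender = str(ipaddress.ip_address(inner[12:16])) if len(inner) >= 20 else None
    return (str(src), ICMP_ERROR_TYPES[icmp_type], sender,
            any(src in net for net in RFC1918))


def build_sample(router_src: str, sender: str, dest: str) -> bytes:
    """Constructed sample: a time-exceeded error from router_src about a UDP
    datagram sender -> dest. Checksums are left zero and not validated."""
    def ip_header(src, dst, proto, total_len, ttl):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl,
                           proto, 0, ipaddress.ip_address(src).packed,
                           ipaddress.ip_address(dst).packed)
    quoted = ip_header(sender, dest, 17, 28, 1) + b"\x00" * 8
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted
    return ip_header(router_src, sender, 1, 20 + len(icmp), 64) + icmp


if __name__ == "__main__":
    # Constructed addresses: one transfer-network source, one public source.
    for router in ("10.255.0.1", "198.51.100.1"):
        print(inspect_icmp_error(build_sample(router, "203.0.113.7", "192.0.2.9")))
```

Run over a capture taken at the network edge, a `True` in the last field marks an error that upstream filtering of private source addresses is likely to drop before it reaches the quoted original sender.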