From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: Robert Sander <r.sander@heinlein-support.de>,
netfilter@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: Configure ICMP error source address
Date: Sun, 10 Jan 2016 00:01:24 +0100
Message-ID: <56919144.4060508@stressinduktion.org>
In-Reply-To: <56913852.4030608@heinlein-support.de>

On 09.01.2016 17:41, Robert Sander wrote:
> Hi,
>
> On 09.01.2016 at 10:57, Hannes Frederic Sowa wrote:
>>
>> I would also use dummy interfaces in production systems, merely to split
>> the statistics from dummy.
>
> Thank you for discussing the merits of dummy interfaces. I will consider
> your arguments. But unfortunately this did not answer my question.
Yes, I know. :) I tried to answer it in the other reply.
> Let me rephrase it:
>
> Is it a good idea to set a specific global IPv4 address as source
> address for outgoing ICMP error messages?
Not sure if this is generic enough.

So my idea was to have a specific routing table and ip rule you can
install merely for selecting the source address of icmp errors.

Not sure yet how complicated that is, it would require a match in the
rule lookup logic to specifically use another routing table when the
source address for an icmp packet is generated. We already supply the
protocol in the flow4 information, maybe this can be used plus another
input/flag in the flowi4 struct?

I can see situations where it is necessary to actually select the source
address depending on the interface.
> Would it be OK to create a /proc/sys/net/ipv4/icmp_errors_source where
> you could write an arbitrary IPv4 address into? And that would get used
> as the source address of ICMP errors?
>
> My questions did contain the loopback interface as I first thought it a
> good source of a globally routable IPv4 address (at least in our case).
>
> Second thought: Instead of writing an IPv4 address to
> /proc/sys/net/ipv4/icmp_errors_source write an interface name to that
> file and take the first global IPv4 address from that interface as
> source for ICMP errors. Then you could create a dummy interface for that
> use case, too.
I am not a fan of such implicit assumptions. I would prefer the direct
specification of the source ip address over writing interface
information to a procfs file.
> Still: Is it a good idea to do so?
I agree, there should be a solution for this as this is a common setup
for BGP routers.

Bye,
Hannes