* icmp redirects problem
@ 2009-11-23 4:31 Alex Samad
2009-11-23 21:58 ` Jarek Poplawski
0 siblings, 1 reply; 4+ messages in thread
From: Alex Samad @ 2009-11-23 4:31 UTC (permalink / raw)
To: netdev
Hi
I seem to be having problems with icmp redirects
My network setup, I have

sydrt01
    eth0 192.168.11.1/24
    eth1 192.168.10.1/24
    ppp0 attached to eth2 internet

max
    eth0 192.168.11.10/24 DGW 192.168.11.1

because sydrt01 only has 10/100 ports I moved 192.168.10.1/24 (my
wireless to max), which had a spare 1g port. so I ended up with

sydrt01
    eth0 192.168.11.1/24
    ppp0 attached to eth2 internet

max
    eth0 192.168.11.10/24
    eth1 192.168.10.1/24

I add a ip r r 192.168.10.0/24 via 192.168.11.10 to sydrt01 and I see
that sydrt01 sends out the icmp redirects.
But in this situation when I have
laptop connected to 192.168.11.0/24 (192.168.11.200) and I have
alex-mini connected to 192.168.10.0/24 (192.168.10.201), I can ssh from
alex-mini to laptop, pings seem to work but ssh has a problem.
When I investigated this, tcpdump -pni eth0 hostname alex-mini or icmp
on laptop, I can see that the return packets (syn-ack) goes to sydrt01
(DGW) and a icmp comes back to redirect - which laptop fails to act
upon. I tried ping -c 6 alex-mini from laptop and after each icmp ping
advised that there was a icmp redirect, but again the kernel did not
take the information in.
I have
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
(presume all the interface ones are 1)
as my default, the documentation seems to suggest that I don't need the
former for the latter to work, i.e. I can have either one.
But for me to get this to work I had to set
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
to get it to work properly.
My understanding is secure_redirects means that the kernel should listen
to icmp redirect if the redirect comes from the default gateway as per
the route table.
laptop gets its ip from the DHCP server that makes 192.168.11.1 the default
gateway and it's 192.168.11.1 that sends out the icmp redirect.
I had a quick look at the kernel tree for 2.6.31 (which is what I am
using).
I am no expert of the kernel source. but from what I found
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=blob;f=net/ipv4/icmp.c;h=97c410e8438895664a9abdbbf5670b26af01dffa;hb=HEAD
line 774 which handles the icmp redirects uses ip_rt_redirect
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=blob;f=net/ipv4/route.c;h=278f46f5011beb2ab85747543f84dfd3ce7c6d1c;hb=HEAD
line 1334 has ip_rt_redirect
This is where I lose it a bit
my guess is line 1349 which seems to check to see if redirects are allowed
does a IN_DEV_RX_REDIRECTS and this macro
(http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=blob;f=include/linux/inetdevice.h;h=ad27c7da87986da346da3d62f29e88bec957280a;hb=HEAD)
and I think it fails the test here and thus gets bounced out. Which sort
of corresponds to what I have seen - but doesn't match up with the
documentation
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=blob;f=Documentation/networking/ip-sysctl.txt;h=8be76235fe6724c43e0c2b39778f3f741e53b619;hb=HEAD
Line 680
secure_redirects - BOOLEAN
681     Accept ICMP redirect messages only for gateways,
682     listed in default gateway list.
683     secure_redirects for the interface will be enabled if at least one of
684     conf/{all,interface}/secure_redirects is set to TRUE,
685     it will be disabled otherwise
686     default TRUE
I had conf/interface/secure_redirect = 1 and conf/all/secure_redirect=1
Thanks
Alex
PS I am not subscribed please cc me on replies thanks
I sent this to linux-net, but realised that might not be the right list
* Re: icmp redirects problem
2009-11-23 4:31 icmp redirects problem Alex Samad
@ 2009-11-23 21:58 ` Jarek Poplawski
2009-11-24 0:12 ` Alex Samad
0 siblings, 1 reply; 4+ messages in thread
From: Jarek Poplawski @ 2009-11-23 21:58 UTC (permalink / raw)
To: Alex Samad; +Cc: netdev
Alex Samad wrote, On 11/23/2009 05:31 AM:
> Hi
Hi
>
>
> I seem to be having problems with icmp redirects
> I have
...
>
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.secure_redirects = 1
> (presume all the interface ones are 1)
>
> as my default, the documentation seems to suggest that I don't need the
> former for the latter to work, i.e. I can have either one.
...
>
> But for me to get this to work I had to set
>
> net.ipv4.conf.all.accept_redirects = 1
> net.ipv4.conf.all.secure_redirects = 1
>
> to get it to work properly.
>
> My understanding is secure_redirects means that the kernel should listen
> to icmp redirect if the redirect comes from the default gateway as per
> the route table.
>
> laptop gets its ip from the DHCP server that makes 192.168.11.1 the default
> gateway and it's 192.168.11.1 that sends out the icmp redirect.
Btw, it seems you should fix your routing (by adding sydrt01's eth0
the second ip or advertising 192.168.11.10 more) to avoid those
redirects.
>
> I had a quick look at the kernel tree for 2.6.31 (which is what I am
> using).
...
> Line 680
> secure_redirects - BOOLEAN
> 681 Accept ICMP redirect messages only for gateways,
> 682 listed in default gateway list.
> 683 secure_redirects for the interface will be enabled if at
> least one of
> 684 conf/{all,interface}/secure_redirects is set to TRUE,
> 685 it will be disabled otherwise
> 686 default TRUE
Very helpful links. So, as you wrote "the documentation seems to suggest"
something, and IMHO even if it doesn't, it's needlessly too concise
considering your "lost time", and I'd suggest you sending a patch to fix
this. (It seems it could "touch" shared_media, as well.)
Thanks,
Jarek P.
* Re: icmp redirects problem
2009-11-23 21:58 ` Jarek Poplawski
@ 2009-11-24 0:12 ` Alex Samad
2009-11-24 7:58 ` Jarek Poplawski
0 siblings, 1 reply; 4+ messages in thread
From: Alex Samad @ 2009-11-24 0:12 UTC (permalink / raw)
To: Jarek Poplawski; +Cc: netdev
On Mon, Nov 23, 2009 at 10:58:38PM +0100, Jarek Poplawski wrote:
> Alex Samad wrote, On 11/23/2009 05:31 AM:
>
[snip]
> >
> > laptop gets its ip from the DHCP server that makes 192.168.11.1 the default
> > gateway and it's 192.168.11.1 that sends out the icmp redirect.
>
> Btw, it seems you should fix your routing (by adding sydrt01's eth0
> the second ip or advertising 192.168.11.10 more) to avoid those
> redirects.
sorry I am lost on this statement, I can't add 192.168.11.10 to sydrt01
as it is not physically connected to the 192.168.10.0/24 any more, which
is why I had added the route on sydrt01 and which is why it sends
icmp_redirects.
I have updated the route table on each static machine, but the problem
is on the machines that get their ip via dhcp - I haven't looked at
pushing out route information via dhcp - I am not sure that it would
work in a mixed windows / linux environment.
what do you mean by advertising 192.168.11.10 more ?
>
> >
> > I had a quick look at the kernel tree for 2.6.31 (which is what I am
> > using).
>
> ...
>
> > Line 680
> > secure_redirects - BOOLEAN
> > 681 Accept ICMP redirect messages only for gateways,
> > 682 listed in default gateway list.
> > 683 secure_redirects for the interface will be enabled if at
> > least one of
> > 684 conf/{all,interface}/secure_redirects is set to TRUE,
> > 685 it will be disabled otherwise
> > 686 default TRUE
>
> Very helpful links. So, as you wrote "the documentation seems to suggest"
> something, and IMHO even if it doesn't, it's needlessly too concise
> considering your "lost time", and I'd suggest you sending a patch to fix
> this. (It seems it could "touch" shared_media, as well.)
Which is wrong, the code or the documentation, and which part: the test or
the reliance on the shared_media or on the redirects flags?
>
> Thanks,
> Jarek P.
>
* Re: icmp redirects problem
2009-11-24 0:12 ` Alex Samad
@ 2009-11-24 7:58 ` Jarek Poplawski
0 siblings, 0 replies; 4+ messages in thread
From: Jarek Poplawski @ 2009-11-24 7:58 UTC (permalink / raw)
To: Alex Samad; +Cc: netdev
On Tue, Nov 24, 2009 at 11:12:30AM +1100, Alex Samad wrote:
> On Mon, Nov 23, 2009 at 10:58:38PM +0100, Jarek Poplawski wrote:
> > Alex Samad wrote, On 11/23/2009 05:31 AM:
> >
>
> [snip]
>
> > >
> > > laptop gets its ip from the DHCP server that makes 192.168.11.1 the default
> > > gateway and it's 192.168.11.1 that sends out the icmp redirect.
> >
> > Btw, it seems you should fix your routing (by adding sydrt01's eth0
> > the second ip or advertising 192.168.11.10 more) to avoid those
> > redirects.
>
> sorry I am lost on this statement, I can't add 192.168.11.10 to sydrt01
> as it is not physically connected to the 192.168.10.0/24 any more, which
> is why I had added the route on sydrt01 and which is why it sends
> icmp_redirects.
>
> I have updated the route table on each static machine, but the problem
> is on the machines that get their ip via dhcp - I haven't looked at
> pushing out route information via dhcp - I am not sure that it would
> work in a mixed windows / linux environment.
>
> what do you mean by advertising 192.168.11.10 more ?
I meant just what you've described, but wasn't sure of your config.
>
> >
> > >
> > > I had a quick look at the kernel tree for 2.6.31 (which is what I am
> > > using).
> >
> > ...
> >
> > > Line 680
> > > secure_redirects - BOOLEAN
> > > 681 Accept ICMP redirect messages only for gateways,
> > > 682 listed in default gateway list.
> > > 683 secure_redirects for the interface will be enabled if at
> > > least one of
> > > 684 conf/{all,interface}/secure_redirects is set to TRUE,
> > > 685 it will be disabled otherwise
> > > 686 default TRUE
> >
> > Very helpful links. So, as you wrote "the documentation seems to suggest"
> > something, and IMHO even if it doesn't, it's needlessly too concise
> > considering your "lost time", and I'd suggest you sending a patch to fix
> > this. (It seems it could "touch" shared_media, as well.)
>
> Which is wrong, the code or the documentation, and which part: the test or
> the reliance on the shared_media or on the redirects flags?
The code looks consistent to me. The documentation isn't wrong either,
until it only "seems to suggest", but it might be better, if it
mentioned just what you tested: both things depend on accept_redirects.
Jarek P.
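
Added example, not part of the thread and not kernel code: a shell model of how the redirect sysctls discussed above combine for one interface, following the rules in Documentation/networking/ip-sysctl.txt (accept_redirects is ANDed or ORed depending on forwarding, and shared_media overrides secure_redirects). The function names and the sample cases are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not kernel code): effective ICMP redirect policy for one
# interface, modelled on the rules in Documentation/networking/ip-sysctl.txt.

# redirect_policy FWD ACC_ALL ACC_IF SEC_ALL SEC_IF SHM_ALL SHM_IF  (each 0 or 1)
# Prints one of: ignored | shared-media | secure | any
redirect_policy() {
    if [ "$1" -eq 1 ]; then
        rp_accept=$(( $2 & $3 ))   # forwarding on: all AND interface
    else
        rp_accept=$(( $2 | $3 ))   # forwarding off: all OR interface
    fi
    # Nothing else is consulted unless accept_redirects is effectively on.
    if [ "$rp_accept" -eq 0 ]; then
        echo ignored
    elif [ $(( $6 | $7 )) -eq 1 ]; then
        echo shared-media          # shared_media overrides secure_redirects
    elif [ $(( $4 | $5 )) -eq 1 ]; then
        echo secure                # only gateways in the default gateway list
    else
        echo any                   # accepted without the secure check
    fi
}

# Read the live values for an interface from /proc (Linux only).
redirect_policy_for_iface() {
    rp_c=/proc/sys/net/ipv4/conf
    redirect_policy \
        "$(cat "$rp_c/$1/forwarding")" \
        "$(cat "$rp_c/all/accept_redirects")" "$(cat "$rp_c/$1/accept_redirects")" \
        "$(cat "$rp_c/all/secure_redirects")" "$(cat "$rp_c/$1/secure_redirects")" \
        "$(cat "$rp_c/all/shared_media")"     "$(cat "$rp_c/$1/shared_media")"
}

# Constructed cases (per-interface values are assumptions; the thread only
# gives the "all" values):
#   redirect_policy 0 0 0 1 1 1 1   host, accept off everywhere, secure on
#   redirect_policy 0 1 0 1 1 0 0   host, accept on, secure on, shared_media off
if [ $# -gt 0 ]; then
    redirect_policy_for_iface "$1"
fi
```

Run with an interface name as the only argument to report the policy from the live /proc values; `ignored` with secure_redirects set to 1 is the combination the thread describes.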