Antony Antony wrote:
> On Fri, Oct 27, 2023 at 09:30:07AM -0400, Michael Richardson via Devel wrote:
>> Antony Antony via Devel wrote:
>>> When enabling support for xfrm lookup using reverse ICMP payload,
>>> we have identified an issue where the source address of the IPv4 e.g.
>>> "Destination Host Unreachable" message is incorrect. IPv6 appears
>>> to do the right thing.
>>
>> One thing that operators of routers with a multitude of interfaces
>> want to do is send all ICMP messages from a specific IP address.
>> Often the public address, that has the sane reverse DNS name.
>
> While it makes sense for routers with multiple interfaces, receiving
> ICMP errors from private addresses can be confusing. However, wouldn't
> this also make it more challenging to adhere to BCP 32 and BCP 38?
> Routing with multiple interfaces is tricky on Linux, especially when it
> comes to compliance with these BCPs.

Yes, that's why sending from a public, topically significant source address
is really important. Yet, many links are numbered in 1918 because..

> I wonder if a netfilter rule would be a solution for you, something
> like:
>
> I would love to see a simple option instead of a SNAT hack. Maybe a
> routing rule that will choose the source address for ICMP error code.

Yeah, I really don't want to do SNAT stuff.

I'd like to have a flag on each interface that says to use the "global"
ICMP source or use the heuristic we have now. And then we need a way to
set that source address.

Most routing platforms put a /32 address (and /128) on lo (or a dummy)
as the device's reachable address, and then spread that through OSPF.
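To make the three behaviours under discussion concrete, here is a small model of ICMPv4 error source selection on a multi-interface Linux router. It is an added illustration for this thread, not kernel code and not anything from the Libreswan tree. Two of the policies mirror the real sysctl net.ipv4.icmp_errors_use_inbound_ifaddr (0: source is the primary address of the interface the error leaves through; 1: source is the address of the interface that received the offending packet). The third, "global", is the hypothetical per-interface flag proposed above, applied here to the egress interface and pointing at a /32 on lo; that flag, the topology, the addresses and the BCP 38 check are all constructed for the example.

```python
"""Model of ICMPv4 error source-address selection on a Linux-style router.

Added example for the devel thread; not kernel or Libreswan code.
Policies modelled:
  egress  - net.ipv4.icmp_errors_use_inbound_ifaddr=0 (kernel default):
            source is the primary address of the interface the error exits
  inbound - net.ipv4.icmp_errors_use_inbound_ifaddr=1:
            source is the address of the interface that received the packet
  global  - hypothetical per-interface flag from the thread: use the
            router's /32 on lo (assumed to be applied on the egress interface)
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

# RFC 1918 space: an upstream doing BCP 38 ingress filtering will drop
# packets sourced from here, so ICMP errors with these sources vanish.
RFC1918 = (IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16"))


def is_rfc1918(addr: IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Interface:
    name: str
    addr: IPv4Address                       # primary address on the link
    use_global_icmp_source: bool = False    # hypothetical flag, not in Linux


@dataclass
class Router:
    ifaces: dict                            # name -> Interface
    routes: list                            # [(IPv4Network, ifname)], longest prefix wins
    lo_global: IPv4Address                  # /32 on lo, advertised via OSPF
    icmp_errors_use_inbound_ifaddr: bool = False   # the real sysctl

    def egress(self, dst: IPv4Address) -> Interface:
        """Longest-prefix match to find the interface the ICMP error leaves on."""
        best = max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen)
        return self.ifaces[best[1]]

    def icmp_error_source(self, in_ifname: str, orig_src: IPv4Address) -> IPv4Address:
        """Source address of the ICMP error sent back to orig_src."""
        out = self.egress(orig_src)
        if out.use_global_icmp_source:          # proposed behaviour
            return self.lo_global
        if self.icmp_errors_use_inbound_ifaddr:  # sysctl = 1
            return self.ifaces[in_ifname].addr
        return out.addr                          # sysctl = 0, kernel default


def build_demo_router() -> Router:
    """Constructed topology (not from the thread):
    eth0  upstream A, link numbered from RFC 1918 (10.255.0.0/30), default route
    eth1  upstream B, also RFC 1918 (172.16.0.0/30), carries 192.0.2.0/24 back
    eth2  customer LAN 192.168.5.0/24
    lo    198.51.100.1/32, the router's public, OSPF-advertised address
    """
    ifaces = {
        "eth0": Interface("eth0", IPv4Address("10.255.0.2")),
        "eth1": Interface("eth1", IPv4Address("172.16.0.2")),
        "eth2": Interface("eth2", IPv4Address("192.168.5.1")),
    }
    routes = [
        (IPv4Network("0.0.0.0/0"), "eth0"),
        (IPv4Network("192.0.2.0/24"), "eth1"),
        (IPv4Network("192.168.5.0/24"), "eth2"),
    ]
    return Router(ifaces, routes, IPv4Address("198.51.100.1"))


def compare_policies(router: Router, in_if: str, orig_src: str) -> dict:
    """Return {policy: (chosen source, would a BCP 38 filter drop it)}."""
    src = IPv4Address(orig_src)
    egress_r = replace(router, icmp_errors_use_inbound_ifaddr=False)
    inbound_r = replace(router, icmp_errors_use_inbound_ifaddr=True)
    out_name = router.egress(src).name
    flagged = dict(router.ifaces)
    flagged[out_name] = replace(flagged[out_name], use_global_icmp_source=True)
    global_r = replace(router, ifaces=flagged)
    results = {}
    for label, r in (("egress", egress_r), ("inbound", inbound_r), ("global", global_r)):
        chosen = r.icmp_error_source(in_if, src)
        results[label] = (str(chosen), is_rfc1918(chosen))
    return results


if __name__ == "__main__":
    router = build_demo_router()
    # Asymmetric case: packet from the Internet arrives on eth0, but the
    # error routes back out eth1, so "egress" and "inbound" differ.
    for in_if, orig in (("eth0", "192.0.2.50"), ("eth2", "192.168.5.10")):
        print(f"ICMP error for packet from {orig} received on {in_if}:")
        for policy, (saddr, dropped) in compare_policies(router, in_if, orig).items():
            print(f"  {policy:8s} src={saddr:15s} rfc1918={dropped}")
```

In the asymmetric case both kernel policies pick an RFC 1918 link address (172.16.0.2 or 10.255.0.2), which is exactly the traceroute-from-private-space confusion raised in the thread and the packet a BCP 38 filter at the upstream will discard; only the loopback policy yields a source the rest of the network can route to and resolve.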