netdev.vger.kernel.org archive mirror
From: Per Jessen <per@computer.org>
To: Lukas Tribus <luky-37@hotmail.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: missing icmp redirects
Date: Tue, 10 Jun 2014 20:10:23 +0200
Message-ID: <53974A0F.7080908@computer.org>
In-Reply-To: <DUB123-W19EE656C7ECB42B9D05319ED6B0@phx.gbl>

Lukas Tribus wrote:
>> See complete description here:
>>
>> https://bugzilla.kernel.org/show_bug.cgi?id=72561
>>
>> Summary - some ICMP redirects seem to be missing.
>>
>> Alan suggests I gather some traces, but I am unsure of what to trace.
>> Suggestions please?
> 
> Reproduce the actual issue and post a simplified testcase, without
> transparent proxying, etc.

Okay, I have devised a way to reproduce the problem:

I have a test setup of three machines:

“client”, “firewall” and “server”. All on the same network.

Client:
Set up default route via “firewall”.

Server:
Assign 10.232.1.1-2-3-4-...-15/24 to an interface.
Run a tcp echo service (port 7).

Firewall:
Create routing table “test99”.  /etc/iproute2/rt_tables.
ip route add default via <server> dev eth0 table test99
ip rule add fwmark 5 table test99
iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 7 -j MARK --set-mark 5

(this setup is what will produce the ICMP redirects).

On “firewall”, run tcpdump to document (missing) redirects:
tcpdump -n -i eth0 proto \\icmp

On “client”, create some test input:

cat <<XXX >test.input
klop
alpha
nothing
tagi
line1
line2
line3
line4
XXX

Create a script:
cat <<'XXX' >doit
# the quoted delimiter keeps $i literal until "sh doit" runs
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
do
     telnet 10.232.1.$i 7 <test.input &
done
XXX

When you run “sh doit”, all of the telnet requests to 10.232.1.x should be 
redirected, but the tcpdump running on "firewall" will only show some of them.
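
Added example, not part of the original message: one way to turn the tcpdump text from "firewall" into a list of the test destinations that never got a redirect. The function names, the 192.0.2.x addresses and the sample capture lines are constructed for illustration; the parsing assumes tcpdump's usual "ICMP redirect <dst> to host <gw>" line format.

```shell
#!/bin/sh
# Added example: list which of the 15 test destinations never triggered an
# ICMP redirect in saved "tcpdump -n" text output.

# Constructed sample capture; 192.0.2.1 = firewall, .2 = server, .10 = client
# are placeholder addresses, not values from the post.
sample_capture() {
cat <<'EOF'
20:01:10.000101 IP 192.0.2.1 > 192.0.2.10: ICMP redirect 10.232.1.1 to host 192.0.2.2, length 68
20:01:10.000340 IP 192.0.2.1 > 192.0.2.10: ICMP redirect 10.232.1.2 to host 192.0.2.2, length 68
20:01:10.000512 IP 192.0.2.1 > 192.0.2.10: ICMP redirect 10.232.1.3 to host 192.0.2.2, length 68
20:01:10.000733 IP 192.0.2.10 > 192.0.2.1: ICMP echo request, id 7, seq 1, length 64
20:01:10.000901 IP 192.0.2.1 > 192.0.2.10: ICMP redirect 10.232.1.5 to host 192.0.2.2, length 68
20:01:10.001120 IP 192.0.2.1 > 192.0.2.10: ICMP redirect 10.232.1.8 to host 192.0.2.2, length 68
20:01:10.001377 IP 192.0.2.1 > 192.0.2.10: ICMP redirect 10.232.1.13 to host 192.0.2.2, length 68
EOF
}

# missing_redirects [prefix] [first] [last]
# Reads tcpdump -n text on stdin and prints every destination in
# prefix+first .. prefix+last for which no redirect line was seen.
missing_redirects() {
    awk -v prefix="${1:-10.232.1.}" -v first="${2:-1}" -v last="${3:-15}" '
        {
            # Find "ICMP redirect <dst>"; the timestamp and addresses vary,
            # so scan the fields instead of relying on fixed positions.
            for (f = 1; f + 2 <= NF; f++)
                if ($f == "ICMP" && $(f + 1) == "redirect") {
                    seen[$(f + 2)] = 1
                    break
                }
        }
        END {
            for (i = first; i <= last; i++) {
                key = prefix i
                if (!(key in seen)) print key
            }
        }'
}

# Stand-alone run on the constructed sample. For a real capture:
#   tcpdump -n -i eth0 proto \\icmp >capture.txt   (stop it after the test)
#   missing_redirects <capture.txt
sample_capture | missing_redirects
```

An empty result means every destination produced at least one redirect.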
