[LARTC] Re: Routing that doesn't route

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

	Hello,

On Thu, 28 Feb 2002, Greg Scott wrote:

> > What is the value in /proc/sys/net/ipv4/conf/eth1/send_redirects ?
>
> [root@csfampls-fw /]# more /proc/sys/net/ipv4/conf/eth1/send_redirects
> 1

	This is one of the values you can try to alter. Try to set
both all/send_redirects and eth1/send_redirects to 0.

> > On each Linux try to check with
> > ip route get from <SADDR> to <DADDR> iif <IN_DEVICE>
>
> [root@csfampls-fw /]#
> [root@csfampls-fw /]# /sbin/ip route get from 172.16.16.2 to 172.16.0.252
> iif eth1
> 172.16.0.252 from 172.16.16.2 via 172.16.16.3 dev eth1  src 172.16.16.1
>     cache <src-direct,redirect>  mtu 1500 iif eth1

	OK, traffic is not dropped from rp_filter. But this box
should send ICMP redirects (note the "redirect" flag), i.e. it
redirects traffic from 16.2 to 0.252 through 16.3. If you try
with {all,eth1}/send_redirects=0 the traffic will be silently
accepted and then forwarded to 16.3.

> [root@csfampls-fw /]#
> [root@csfampls-fw /]# /sbin/ip route show
> aaa.bbb.228.32/27 dev eth0  proto kernel  scope link  src aaa.bbb.228.33
> ccc.ddd.200.64/27 via aaa.bbb.228.34 dev eth0
> 172.16.16.0/20 dev eth1  proto kernel  scope link  src 172.16.16.1

you are trying alternative routes which work only by using my patches,
the following can't work in plain kernel:

> 172.16.0.0/20 via 172.16.16.3 dev eth1
> 172.16.0.0/20 via 172.16.16.151 dev eth1

	Note also that the above routes should have a preferred
source IP. Avoid using the "route" tool in advanced routing setups.
Try with "ip":

ip route add 172.16.0.0/20 via 172.16.16.3 dev eth1 src 172.16.16.1

> 127.0.0.0/8 dev lo  scope link

same here, make sure all your routes have right preferred source IP:

> default via aaa.bbb.228.62 dev eth0

	In the other case you risk the kernel to select wrong IP address
for your originating or masqueraded traffic.

> [root@csfampls-fw /]#
>
> > One of the problems
> > could be the conf/DEV/rp_filter settings but I don't see why it should
> > drop the packets.
>
> How do I look at these and what are they?

/proc/sys/net/ipv4/conf/{all,eth1}/rp_filter

but it seems it's not a problem. Of course, try to set all them
to 0 for the test.

> Every setting I can think of so far looks good.  What am I
> missing????  Or is there a bug?  Note, this is happening in two completely
> unrelated places.  But it could be that I set up both places with the same
> mistake.

	If clearing all send_redirects and rp_filter flags to 0 and
using correct preferred source IP addresses does not help then you
hit a kernel bug. Try with recent kernel.

> thanks
>
> - Greg Scott

Regards

--
Julian Anastasov <ja@ssi.bg>
[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux