Hi,

I have the following setup:

    HOST-----GW1-----LINUX BOX-----DEFAULT GW

Where HOST and the LINUX BOX are on two different subnets and the Linux box has only a default route directing it to the DGW.

If I ping from the Linux box to the host, the echo request is sent to the default gw, which sends a redirect packet towards GW1, and the ping works OK.

The problem is when I try to ping from the host to the Linux box: it does receive the echo request and sends the reply to the DGW, which again sends a redirect packet, but this time the redirect packet is ignored by the Linux box.

I traced the packet all the way to ip_nat_fn(), and saw that it's dropped by the following code:

    if (!ct) {
        /* Exception: ICMP redirect to new connection (not in
           hash table yet).  We must not let this through, in
           case we're doing NAT to the same network. */
        struct iphdr *iph = (*pskb)->nh.iph;
        struct icmphdr *hdr = (struct icmphdr *)
            ((u_int32_t *)iph + iph->ihl);
        if (iph->protocol == IPPROTO_ICMP
            && hdr->type == ICMP_REDIRECT)
            return NF_DROP;
        return NF_ACCEPT;
    }

So I assume when the echo reply is sent the relevant conntrack entry is deleted, so when the redirect packet is received, there's no matching entry and the packet is dropped.

My question is: if I am not using NAT, can I safely remove this check? Or is there a better solution that will work even when NAT is used?

I tested it on kernel 2.4.33.3, but I saw that in 2.6.21 there's similar code.

Thanks,
Lior.
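The check quoted in the message above, as an added userspace example that is not part of the original post or of the kernel source: it applies the same protocol and type test to a raw IPv4 buffer, adds length checks, and extracts the gateway and embedded original header so a traced redirect can be matched to the packet that triggered it. The names `no_ct_verdict`, `redirect_info`, the verdict enum and the sample packet (documentation addresses, zeroed checksums) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { V_ACCEPT, V_DROP, V_MALFORMED };

struct redirect_info {
    uint8_t code;                      /* 0 = network, 1 = host redirect */
    uint8_t gateway[4];                /* router the sender says to use */
    uint8_t orig_proto;                /* protocol of the triggering packet */
    uint8_t orig_src[4], orig_dst[4];  /* its addresses */
};

/* Constructed sample: DGW tells the box to reach HOST via GW1.
 * Checksums are left at zero; this example does not verify them. */
static const uint8_t sample_redirect[56] = {
    0x45,0,0,0x38, 0,0,0,0, 64,1,0,0, 192,0,2,1,  192,0,2,10,   /* outer IP */
    5,1,0,0, 192,0,2,2,                          /* ICMP redirect, gateway */
    0x45,0,0,0x54, 0,0,0,0, 64,1,0,0, 192,0,2,10, 198,51,100,5, /* embedded IP */
    0,0,0,0, 0x12,0x34,0,1                       /* embedded echo reply */
};

/* Hypothetical helper modelling only the "no conntrack entry" branch:
 * ICMP redirects are dropped, everything else is accepted. */
enum verdict no_ct_verdict(const uint8_t *pkt, size_t len,
                           struct redirect_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return V_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || len < ihl) return V_MALFORMED;
    if (pkt[9] != 1) return V_ACCEPT;           /* not IPPROTO_ICMP */
    if (len < ihl + 8) return V_MALFORMED;      /* truncated ICMP header */
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != 5) return V_ACCEPT;          /* not ICMP_REDIRECT */
    if (out) {
        memset(out, 0, sizeof *out);
        out->code = icmp[1];
        memcpy(out->gateway, icmp + 4, 4);
        if (len >= ihl + 8 + 20) {              /* embedded header present */
            const uint8_t *orig = icmp + 8;
            out->orig_proto = orig[9];
            memcpy(out->orig_src, orig + 12, 4);
            memcpy(out->orig_dst, orig + 16, 4);
        }
    }
    return V_DROP;
}
```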