Hi,

Firstly I'd like to say you have an interesting use case.

>An example seems to be to cause a name lookup via dnsmasq. For whatever
>reason this does two simultaneous dns requests to both configured dns
>servers. One reply comes back slightly quicker than the other and the
>slower reply appears to cause a local ICMP unreachable response to be
>generated. Everything is logged *except* the data for the ICMP
>unreachable response?

You should consider disabling icmp responses:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

... and/or limiting/disabling unreachable responses:

    echo 1 > /proc/sys/net/ipv4/icmp_ratelimit

Aggressive ratelimiting will cause your router as a hop in traceroute to
show near 100% loss, but other than that you'll save bandwidth.

Best regards,
Marek Kierdelewicz
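An added example, not part of the original message: a shell script that reports the two sysctls named above together with icmp_ratemask, which per the kernel's ip-sysctl documentation selects the ICMP types that icmp_ratelimit applies to. The function names and type labels are this example's own; report takes an optional directory argument (an assumption of the example) so it can be pointed at a copy of the files.

```shell
#!/bin/sh
# Added example: inspect the ICMP sysctls discussed in the message.
# decode_ratemask MASK: print the ICMP types whose bit is set in MASK.
decode_ratemask() {
    out=""
    for entry in 0:echo-reply 3:dest-unreachable 4:source-quench 5:redirect \
                 8:echo-request 11:time-exceeded 12:parameter-problem \
                 13:timestamp-request 14:timestamp-reply 15:info-request \
                 16:info-reply 17:address-mask-request 18:address-mask-reply; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( ($1 >> $bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# describe_ratelimit MS: icmp_ratelimit is a spacing in milliseconds, 0 = off.
describe_ratelimit() {
    if [ "$1" -eq 0 ]; then
        echo "rate limiting disabled"
    else
        echo "minimum $1 ms between rate-limited ICMP messages"
    fi
}

# report [DIR]: read the three files from DIR (default: the live /proc tree).
report() {
    dir=${1:-/proc/sys/net/ipv4}
    for f in icmp_echo_ignore_all icmp_ratelimit icmp_ratemask; do
        if [ ! -r "$dir/$f" ]; then
            echo "$f: not readable"
            continue
        fi
        val=$(cat "$dir/$f")
        case $f in
            icmp_echo_ignore_all) echo "$f=$val (nonzero means echo requests are ignored)" ;;
            icmp_ratelimit) echo "$f=$val ($(describe_ratelimit "$val"))" ;;
            icmp_ratemask) echo "$f=$val (limited types: $(decode_ratemask "$val"))" ;;
        esac
    done
}

report
```

With the documented default mask of 6168, destination unreachable is among the rate-limited types and echo reply is not.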