Re: Configure ICMP error source address


 



On 09.01.2016 17:41, Robert Sander wrote:
Hi,

On 09.01.2016 at 10:57, Hannes Frederic Sowa wrote:

I would also use dummy interfaces in production systems, merely to split
the statistics from dummy.

Thank you for discussing the merits of dummy interfaces. I will consider
your arguments. But unfortunately this did not answer my question.

Yes, I know. :) I tried to answer it in the other reply.

Let me rephrase it:

Is it a good idea to set a specific global IPv4 address as source
address for outgoing ICMP error messages?

Not sure if this is generic enough.

So my idea was to have a specific routing table and ip rule you can install merely for selecting the source address of icmp errors.

Not sure yet how complicated that is, it would require a match in the rule lookup logic to specifically use another routing table when the source address for an icmp packet is generated. We already supply the protocol in the flow4 information, maybe this can be used plus another input/flag in the flowi4 struct?

I can see situations where it is necessary to actually select the source address depending on the interface.

Would it be OK to create a /proc/sys/net/ipv4/icmp_errors_source where
you could write an arbitrary IPv4 address into? And that would get used
as the source address of ICMP errors?

My questions did contain the loopback interface as I first thought it a
good source of a globally routable IPv4 address (at least in our case).

Second thought: Instead of writing an IPv4 address to
/proc/sys/net/ipv4/icmp_errors_source write an interface name to that
file and take the first global IPv4 address from that interface as
source for ICMP errors. Then you could create a dummy interface for that
use case, too.

I am not a fan of such implicit assumptions. I would prefer the direct specification of the source ip address over writing interface information to a procfs file.

Still: Is it a good idea to do so?

I agree, there should be a solution for this as this is a common setup for BGP routers.

Bye,
Hannes

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


