Re: nf_nat_icmp_reply_translation dropped icmp redirect packet

> A -> B, A sends packet to R.  R has a DNAT rule to redirect to C
> (or redirect to R).
>
> If we let icmp redirect through, this won't work.

Thank you very much for your response.

I had previously encountered an issue with the correctness of the
ip_rt_send_redirect function when the firewall was disabled. I
overlooked the fact that the packet goes through DNAT in the
PREROUTING chain before entering the ip_rt_send_redirect function. In
my test environment, there were no DNAT policies, so I overlooked this
scenario.

Indeed, with the firewall enabled, DNAT rules will modify the
destination IP address, and sending ICMP redirects in such cases can
cause confusion. However, when the firewall is disabled, both SRC and
DST remain unchanged, so the kernel can safely send ICMP redirects.

Once again, thank you for your response.

Best regards.
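The scenario in the quoted exchange, modelled as an added example (constructed for this page; it is not kernel code and not something either correspondent posted): a router R whose PREROUTING DNAT runs before the routing decision, and a redirect decision that is taken either naively from the post-NAT route or only when NAT left the destination untouched. All addresses, interface names and function names are assumptions; the real kernel path (ip_forward, ip_rt_send_redirect, the nf_nat hooks) is only approximated.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed model of a forwarding router (hypothetical names; not the
# kernel's ip_forward / nf_nat code). All addresses below are made up.


@dataclass
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[IPv4Address] = None  # None: destination is on-link


@dataclass
class Router:
    routes: List[Route]
    addrs: Set[IPv4Address] = field(default_factory=set)  # R's own addresses
    # PREROUTING DNAT table: original destination -> translated destination.
    # Empty stands for "firewall disabled" in this model.
    dnat: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)

    def lookup(self, dst: IPv4Address) -> Route:
        """Longest-prefix match over the routing table."""
        best: Optional[Route] = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best


def forward(router: Router, dst: IPv4Address, in_dev: str, nat_aware: bool = True) -> dict:
    """Process one packet that arrived on in_dev and report whether an ICMP
    redirect would be sent back to the source.

    nat_aware=True:  redirect only if DNAT left the destination untouched
                     (the condition the thread arrives at).
    nat_aware=False: redirect purely from the post-NAT routing result, which
                     is what makes the redirect confusing once DNAT applied.
    """
    # DNAT in PREROUTING runs before the routing decision.
    translated = router.dnat.get(dst, dst)

    # "redirect to R" case: after DNAT the packet is for R itself, so it is
    # delivered locally and never reaches the forwarding path at all.
    if translated in router.addrs:
        return {"dst_after_nat": translated, "out_dev": None,
                "next_hop": None, "redirect_to": None, "local": True}

    route = router.lookup(translated)
    next_hop = route.via if route.via is not None else translated

    # Classic redirect condition: the packet leaves on the interface it came
    # in on, so the sender could have reached next_hop directly.
    hairpin = route.dev == in_dev
    redirect = None
    if hairpin and (translated == dst or not nat_aware):
        redirect = next_hop
    return {"dst_after_nat": translated, "out_dev": route.dev,
            "next_hop": next_hop, "redirect_to": redirect, "local": False}


def demo() -> dict:
    """Constructed topology: A, B and C share R's eth0 LAN; D sits behind eth1."""
    R = ip_address("10.0.0.1")
    B = ip_address("10.0.0.20")
    C = ip_address("10.0.0.30")
    D = ip_address("10.0.1.40")
    routes = [
        Route(ip_network("10.0.0.0/24"), "eth0"),
        Route(ip_network("10.0.1.0/24"), "eth1"),
    ]
    plain = Router(routes, addrs={R})                    # firewall disabled
    to_c = Router(routes, addrs={R}, dnat={B: C})        # DNAT B -> C
    to_r = Router(routes, addrs={R}, dnat={B: R})        # DNAT B -> R itself
    return {
        "no_nat_same_lan": forward(plain, B, "eth0"),
        "no_nat_other_lan": forward(plain, D, "eth0"),
        "dnat_nat_aware": forward(to_c, B, "eth0"),
        "dnat_naive": forward(to_c, B, "eth0", nat_aware=False),
        "dnat_to_router": forward(to_r, B, "eth0"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

With no DNAT, A's packet for B is hairpinned on eth0 and a redirect naming B is harmless, matching the remark that SRC and DST are unchanged when the firewall is off. With DNAT B->C, the naive decision would tell A to reach B via C, a next hop that only makes sense for the translated destination, while the NAT-aware decision sends nothing; with DNAT B->R the packet is local and never gets as far as a redirect.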


