From e2ca690b657f4ca5c204fcc6470d462b776d73b3 Mon Sep 17 00:00:00 2001 From: Paolo Abeni Date: Fri, 9 Oct 2015 14:34:31 +0200 Subject: ipv4/icmp: redirect messages can use the ingress daddr as source This patch allows configuring how the source address of ICMP redirect messages is selected; by default the old behaviour is retained, while setting icmp_redirects_use_orig_daddr force the usage of the destination address of the packet that caused the redirect. The new behaviour fits closely the RFC 5798 section 8.1.1, and fix the following scenario: Two machines are set up with VRRP to act as routers out of a subnet, they have IPs x.x.x.1/24 and x.x.x.2/24, with VRRP holding on to x.x.x.254/24. If a host in said subnet needs to get an ICMP redirect from the VRRP router, i.e. to reach a destination behind a different gateway, the source IP in the ICMP redirect is chosen as the primary IP on the interface that the packet arrived at, i.e. x.x.x.1 or x.x.x.2. The host will then ignore said redirect, due to RFC 1122 section 3.2.2.2, and will continue to use the wrong next-op. Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller --- Documentation/networking/ip-sysctl.txt | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'Documentation/networking') diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index ebe94f2cab98..99838259e2e6 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -884,8 +884,8 @@ icmp_ignore_bogus_error_responses - BOOLEAN icmp_errors_use_inbound_ifaddr - BOOLEAN - If zero, icmp error messages are sent with the primary address of - the exiting interface. + If zero, icmp error messages except redirects are sent with the primary + address of the exiting interface. If non-zero, the message will be sent with the primary address of the interface that received the packet that caused the icmp error. @@ -897,8 +897,23 @@ icmp_errors_use_inbound_ifaddr - BOOLEAN then the primary address of the first non-loopback interface that has one will be used regardless of this setting. + The source address selection of icmp redirect messages is controlled by + icmp_errors_use_inbound_ifaddr. Default: 0 +icmp_redirects_use_orig_daddr - BOOLEAN + + If zero, icmp redirect messages are sent using the address specified for + other icmp errors by icmp_errors_use_inbound_ifaddr. + + If non-zero, the message will be sent with the destination address of + the packet that caused the icmp redirect. + This behaviour is the preferred one on VRRP routers (see RFC 5798 + section 8.1.1). + + Default: 0 + + igmp_max_memberships - INTEGER Change the maximum number of multicast groups we can subscribe to. Default: 20 -- cgit v1.2.3