ipv4/icmp: redirect messages can use the ingress daddr as source
This patch allows configuring how the source address of ICMP redirect messages is selected; by default the old behaviour is retained, while setting icmp_redirects_use_orig_daddr force the usage of the destination address of the packet that caused the redirect. The new behaviour fits closely the RFC 5798 section 8.1.1, and fix the following scenario: Two machines are set up with VRRP to act as routers out of a subnet, they have IPs x.x.x.1/24 and x.x.x.2/24, with VRRP holding on to x.x.x.254/24. If a host in said subnet needs to get an ICMP redirect from the VRRP router, i.e. to reach a destination behind a different gateway, the source IP in the ICMP redirect is chosen as the primary IP on the interface that the packet arrived at, i.e. x.x.x.1 or x.x.x.2. The host will then ignore said redirect, due to RFC 1122 section 3.2.2.2, and will continue to use the wrong next-op. Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Paolo Abeni
committed by
David S. Miller
David S. Miller
parent
0944d6b5a2
commit
e2ca690b65
@@ -74,6 +74,7 @@ struct netns_ipv4 {
|
||||
int sysctl_icmp_ratelimit;
|
||||
int sysctl_icmp_ratemask;
|
||||
int sysctl_icmp_errors_use_inbound_ifaddr;
|
||||
int sysctl_icmp_redirects_use_orig_daddr;
|
||||
|
||||
struct local_ports ip_local_ports;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user