    ipv4/icmp: redirect messages can use the ingress daddr as source · e2ca690b
    Paolo Abeni authored
    This patch allows configuring how the source address of ICMP
    redirect messages is selected; by default the old behaviour is
    retained, while setting icmp_redirects_use_orig_daddr forces the
    usage of the destination address of the packet that caused the
    redirect.
    
    The new behaviour closely fits RFC 5798 section 8.1.1, and fixes the
    following scenario:
    
    Two machines are set up with VRRP to act as routers out of a subnet,
    they have IPs x.x.x.1/24 and x.x.x.2/24, with VRRP holding on to
    x.x.x.254/24.
    
    If a host in said subnet needs to get an ICMP redirect from the VRRP
    router, i.e. to reach a destination behind a different gateway, the
    source IP in the ICMP redirect is chosen as the primary IP on the
    interface that the packet arrived at, i.e. x.x.x.1 or x.x.x.2.
    
    The host will then ignore said redirect, due to RFC 1122 section 3.2.2.2,
    and will continue to use the wrong next-hop.
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
ip-sysctl.txt 69.6 KB
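
The host-side check that makes the redirect in the scenario above get dropped can be modelled as follows. This is an added example, not code from the commit or the kernel: the structs, function names and the 192.0.2.x addresses (standing in for x.x.x.1 and x.x.x.254) are constructed for illustration, and only the two RFC 1122 section 3.2.2.2 conditions are implemented.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

struct route { uint32_t prefix, mask, gateway; };  /* one host route */
struct host { uint32_t addr, mask; const struct route *routes; size_t nroutes; };

/* Longest-prefix match: current first-hop gateway for dst, 0 if no route. */
static uint32_t first_hop(const struct host *h, uint32_t dst)
{
    uint32_t best_mask = 0, gw = 0;
    for (size_t i = 0; i < h->nroutes; i++) {
        const struct route *r = &h->routes[i];
        if ((dst & r->mask) == r->prefix && (gw == 0 || r->mask > best_mask)) {
            best_mask = r->mask;
            gw = r->gateway;
        }
    }
    return gw;
}

/* RFC 1122 section 3.2.2.2: discard the redirect unless the new gateway is
 * on the connected subnet and the sender is the current first hop for dst. */
static bool accept_redirect(const struct host *h, uint32_t src,
                            uint32_t new_gw, uint32_t dst)
{
    uint32_t gw = first_hop(h, dst);
    if ((new_gw & h->mask) != (h->addr & h->mask))
        return false;
    return gw != 0 && src == gw;
}

/* Constructed sample: host 192.0.2.10/24, default gateway = VRRP address. */
static const struct route sample_routes[] = { { 0, 0, IP(192, 0, 2, 254) } };
static const struct host sample_host = {
    IP(192, 0, 2, 10), IP(255, 255, 255, 0), sample_routes, 1
};

int main(void)
{
    uint32_t dst = IP(198, 51, 100, 7), new_gw = IP(192, 0, 2, 3);
    printf("sourced from primary .1: %d, from gateway .254: %d\n",
           accept_redirect(&sample_host, IP(192, 0, 2, 1), new_gw, dst),
           accept_redirect(&sample_host, IP(192, 0, 2, 254), new_gw, dst));
    return 0;
}
```

The same source check is what lets a host reject redirects forged by an on-link machine that is not its gateway, so it should not be relaxed on the host to work around the router's address choice.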