[OLSR-users] ICMP Redirects

Sven-Ola Tuecke (spam-protected)
Mon Aug 22 17:39:33 CEST 2005


Andreas,

.../all/send_redirects is the global overwrite and it is useless to set 
../[iface]/send_redirects, if the overwrite is still on. If someone has 
*really* a network depending on send_redirects (say: some dumb clients 
adapting their routing table to this kind of ICMP messages) he may enable 
the particular interface manually.

N.B: ICMP redirect is uncommon these days, since everybody on the internet 
may send spoofing ICMPs to manage someone else's routing table without 
authentication. So everybody has "accept ICMP redirects" off for sure...

Best regards, Sven-Ola

"Andreas Tønnesen" <(spam-protected)> wrote in message 
news:(spam-protected)
>
>
> The reason we do not use "all" is that one might
> be using devices where olsrd was only supposed
> to run on a subset of the interfaces. In such cases
> I think it is a bad thing for olsrd to set common
> configuration for all interfaces... but perhaps
> per-interface settings are not working in all scenarios?
>
> Could somebody who is seeing this problem check the
> content of the proc file after starting olsrd and
> after the ICMP redirects start showing up? Perhaps some
> other entity is manipulating the procfiles...
>
> - Andreas
>
>
>> Hey,
>>
>> what's missing is here:
>>
>> echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
>>
>> Best regards, Sven-Ola
>>
>> "Andreas Tønnesen" <(spam-protected)> wrote in message
>> news:(spam-protected)
>>> Maik,
>>>
>>> I still don't see why olsrd should not disable redirects on your Linux
>>> box... olsrd will write messages in the daemon log. The exact file
>>> is system dependent AFAIK. On Debian it is /var/log/daemon.log. Mine
>>> looks like this after starting and stopping olsrd:
>>>
>>> Aug 21 22:39:00 gandalf olsrd[2513]: Writing "1" to
>>> /proc/sys/net/ipv4/ip_forward
>>> Aug 21 22:39:00 gandalf olsrd[2513]: Could not read APM info - setting
>>> default willingness(3)
>>> Aug 21 22:39:00 gandalf olsrd[2513]: Writing "0" to
>>> /proc/sys/net/ipv4/conf/eth0/rp_filter
>>> Aug 21 22:39:00 gandalf olsrd[2513]: Writing "0" to
>>> /proc/sys/net/ipv4/conf/eth0/send_redirects
>>> Aug 21 22:39:00 gandalf olsrd[2513]: Adding interface eth0
>>> Aug 21 22:39:00 gandalf olsrd[2513]: New main address: 192.168.0.10
>>> Aug 21 22:39:00 gandalf olsrd[2513]: Writing "0" to
>>> /proc/sys/net/ipv4/conf/eth1/rp_filter
>>> Aug 21 22:39:00 gandalf olsrd[2513]: Writing "0" to
>>> /proc/sys/net/ipv4/conf/eth1/send_redirects
>>> Aug 21 22:39:00 gandalf olsrd[2513]: Adding interface eth1
>>> Aug 21 22:39:00 gandalf olsrd[2513]: olsr.org - 0.4.10-pre successfully
>>> started
>>> Aug 21 22:39:01 gandalf olsrd[2513]: Resetting
>>> /proc/sys/net/ipv4/ip_forward to 0
>>> Aug 21 22:39:01 gandalf olsrd[2513]: Resetting
>>> /proc/sys/net/ipv4/conf/eth1/send_redirects to 1
>>> Aug 21 22:39:01 gandalf olsrd[2513]: Resetting
>>> /proc/sys/net/ipv4/conf/eth1/rp_filter to 1
>>> Aug 21 22:39:01 gandalf olsrd[2513]: Resetting
>>> /proc/sys/net/ipv4/conf/eth0/send_redirects to 1
>>> Aug 21 22:39:01 gandalf olsrd[2513]: Resetting
>>> /proc/sys/net/ipv4/conf/eth0/rp_filter to 1
>>> Aug 21 22:39:01 gandalf olsrd[2513]: olsr.org - 0.4.10-pre stopped
>>> g
>>>
>>>
>>> Does your log indicate that there was an error disabling redirects?
>>>
>>> - Andreas
>>>
>>>
>>> Andreas Tønnesen wrote:
>>>> ICMP redirects should under Linux be disabled by the call to
>>>> disable_redirects from the interface init function in src/unix/ifnet.c
>>>> I will investigate and fix this when I get back home (I only have access
>>>> to an old win98 box where I am now ;) )
>>>>
>>>> - Andreas
>>>>
>>>>
>>>>>I just observed the same issue under Linux. A quick review of the code
>>>>>indicates that the redirects are not being disabled under Linux, even
>>>>>though the code to do so exists... it just isn't ever called (unless I
>>>>>missed something!) Under Win32, there is a call made to disable
>>>>>redirects. Apparently, linux will issue a redirect if it forwards a
>>>>>packet out the same interface on which it was received (which is always
>>>>>the case with a transit node in a MANET.)
>>>>>
>>>>>I turn off the redirects manually under Linux; they add a lot of extra
>>>>>traffic that otherwise hurts the network. In a MANET, you usually can't
>>>>>make any assumptions about the reachability of a node from another
>>>>>node's perspective, and so the redirect is hardly ever (never?) a good
>>>>>idea. I have a simple script that kills the redirects and starts olsrd
>>>>>in one shot.
>>>>>
>>>>>echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
>>>>>
>>>>>Best,
>>>>>Mike
>>>>>
>>>>>
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: (spam-protected)
>>>>>>[mailto:(spam-protected)] On Behalf Of Holger Mauermann
>>>>>>Sent: Sunday, July 03, 2005 9:37 AM
>>>>>>To: (spam-protected)
>>>>>>Subject: [OLSR-users] ICMP Redirects
>>>>>>
>>>>>>
>>>>>>Hi,
>>>>>>
>>>>>>I just noticed that my nodes still send out ICMP redirects,
>>>>>>even if it is disabled by olsrd on startup.
>>>>>>
>>>>>>cat /proc/sys/net/ipv4/conf/eth1/send_redirects shows 0 on
>>>>>>all nodes, but tcpdump captures lots of redirects:
>>>>>>
>>>>>>15:15:00.068250 IP ...6 > ...1: icmp 177: redirect ...4 to host ...4
>>>>>>15:15:00.107527 IP ...6 > ...4: icmp 129: redirect ...1 to host ...1
>>>>>>15:15:00.934280 IP ...2 > ...7: icmp 89: redirect ...1 to host ...1
>>>>>>15:15:04.742682 IP ...2 > ...4: icmp 113: redirect ...1 to host ...1
>>>>>>
>>>>>>4 can't see 1, so 4 has a route to 1 via 6 and 1 has a route
>>>>>>to 4 via 6. However, 6 sends back to 1 that it should try 4
>>>>>>directly and to 4 that it should try 1 directly... Can this
>>>>>>lead to problems? Should I ignore this or is it better to
>>>>>>block this ICMP type with the firewall?
>>>>>>
>>>>>>
>>>>>>--
>>>>>>\-- Holger Mauermann
>>>>>> \-- (spam-protected)
>>>>>>  \-- PGP Key Id: 0x8EA8C301
>>>>>>_______________________________________________
>>>>>>olsr-users mailing list
>>>>>>(spam-protected) https://www.olsr.org/mailman/listinfo/olsr-users
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> ---------
>>>> Andreas Tønnesen
>>>> http://www.olsr.org
>>>
>>> --
>>> Andreas Tønnesen
>>> http://www.olsr.org
>>
>>
>
>
> ---------
> Andreas Tønnesen
> http://www.olsr.org
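
Added example, not part of the original thread and not olsrd code: the Linux kernel enables send_redirects on an interface if either conf/all/send_redirects or conf/<iface>/send_redirects is 1, which is why a per-interface 0 alone does not stop the redirects seen in the tcpdump output. The function names and the optional directory argument below are assumptions made for this sketch.

```shell
#!/bin/sh
# Audit the *effective* send_redirects state per interface.
# Kernel rule for send_redirects: effective = conf/all OR conf/<iface>.

# effective_send_redirects [CONF_DIR]
# CONF_DIR defaults to /proc/sys/net/ipv4/conf; the argument exists so the
# logic can be run against a constructed directory tree.
# Prints: "<iface> iface=<0|1> all=<0|1> effective=<0|1>" per interface.
effective_send_redirects() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    all_file="$conf_dir/all/send_redirects"
    [ -r "$all_file" ] || { echo "cannot read $all_file" >&2; return 2; }
    all=$(cat "$all_file")

    for dir in "$conf_dir"/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # "all" and "default" are settings templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/send_redirects" ] || continue
        val=$(cat "$dir/send_redirects")
        if [ "$all" = "1" ] || [ "$val" = "1" ]; then eff=1; else eff=0; fi
        echo "$iface iface=$val all=$all effective=$eff"
    done
}

# redirecting_ifaces [CONF_DIR]
# Prints only the interfaces that will still emit ICMP redirects.
redirecting_ifaces() {
    effective_send_redirects "$1" | awk '$4 == "effective=1" { print $1 }'
}

# Run with --live to audit the running system; without it only the
# functions are defined.
if [ "${1:-}" = "--live" ]; then
    effective_send_redirects
fi
```

An interface listed by redirecting_ifaces with iface=0 is the situation from the thread: the per-interface write succeeded, but conf/all still holds 1.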



