[OLSR-users] ICMP Redirects

Andreas Tønnesen (spam-protected)
Mon Aug 22 19:07:52 CEST 2005


SvenOla,

ahhh... so a "1" in all overrides the per-interface setting?
I guess we'll go for changing the all proc file then :)
Thanks.

- Andreas


Sven-Ola Tuecke wrote:
> Andreas,
> 
> .../all/send_redirects is the global overwrite and it is useless to set 
> ../[iface]/send_redirects, if the overwrite is still on. If someone has 
> *really* a network depending on send_redirects (say: some dumb clients 
> adapting their routing table to this kind of ICMP messages) he may 
> enable the particular interface manually.
> 
> N.B: ICMP redirect is uncommon these days, since everybody on the 
> internet may send spoofing ICMPs to manage someone else's routing table 
> without authentication. So everybody has "accept ICMP redirects" off for 
> sure...
> 
> Best regards, Sven-Ola
> 
> "Andreas "Tønnesen"" <(spam-protected)> wrote in newsgroup post 
> news:(spam-protected)
> 
>>
>>
>> The reason we do not use "all" is that one might
>> be using devices where olsrd was only supposed
>> to run on a subset of the interfaces. In such cases
>> I think it is a bad thing for olsrd to set common
>> configuration for all interfaces... but perhaps
>> per-interface settings are not working in all scenarios?
>>
>> Could somebody who is seeing this problem check the
>> content of the proc file after starting olsrd and
>> after the ICMP redirects start showing up? Perhaps some
>> other entity is manipulating the procfiles...
>>
>> - Andreas
>>
>>
>>> Hey,
>>>
>>> what's missing is here:
>>>
>>> echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
>>>
>>> Best regards, Sven-Ola
>>>
>>> ""Andreas Tønnesen"" <(spam-protected)> wrote in newsgroup post
>>> news:(spam-protected)
>>>
>>>> Maik,
>>>>
>>>> I still don't see why olsrd should not disable redirects on your Linux
>>>> box... olsrd will write messages in the daemon log. The exact file
>>>> is system dependent AFAIK. On debian it is /var/log/daemon.log. Mine
>>>> looks like this after starting and stopping olsrd:
>>>>
>>>> Aug 21 22:39:00 gandalf olsrd[2513]: Writing "1" to /proc/sys/net/ipv4/ip_forward
>>>> Aug 21 22:39:00 gandalf olsrd[2513]: Could not read APM info - setting default willingness(3)
>>>> Aug 21 22:39:00 gandalf olsrd[2513]: Writing "0" to /proc/sys/net/ipv4/conf/eth0/rp_filter
>>>> Aug 21 22:39:00 gandalf olsrd[2513]: Writing "0" to /proc/sys/net/ipv4/conf/eth0/send_redirects
>>>> Aug 21 22:39:00 gandalf olsrd[2513]: Adding interface eth0
>>>> Aug 21 22:39:00 gandalf olsrd[2513]: New main address: 192.168.0.10
>>>> Aug 21 22:39:00 gandalf olsrd[2513]: Writing "0" to /proc/sys/net/ipv4/conf/eth1/rp_filter
>>>> Aug 21 22:39:00 gandalf olsrd[2513]: Writing "0" to /proc/sys/net/ipv4/conf/eth1/send_redirects
>>>> Aug 21 22:39:00 gandalf olsrd[2513]: Adding interface eth1
>>>> Aug 21 22:39:00 gandalf olsrd[2513]: olsr.org - 0.4.10-pre successfully started
>>>> Aug 21 22:39:01 gandalf olsrd[2513]: Resetting /proc/sys/net/ipv4/ip_forward to 0
>>>> Aug 21 22:39:01 gandalf olsrd[2513]: Resetting /proc/sys/net/ipv4/conf/eth1/send_redirects to 1
>>>> Aug 21 22:39:01 gandalf olsrd[2513]: Resetting /proc/sys/net/ipv4/conf/eth1/rp_filter to 1
>>>> Aug 21 22:39:01 gandalf olsrd[2513]: Resetting /proc/sys/net/ipv4/conf/eth0/send_redirects to 1
>>>> Aug 21 22:39:01 gandalf olsrd[2513]: Resetting /proc/sys/net/ipv4/conf/eth0/rp_filter to 1
>>>> Aug 21 22:39:01 gandalf olsrd[2513]: olsr.org - 0.4.10-pre stopped
>>>>
>>>>
>>>> Does your log indicate that there was an error disabling redirects?
>>>>
>>>> - Andreas
>>>>
>>>>
>>>> Andreas Tønnesen wrote:
>>>>
>>>>> ICMP redirects should under Linux be disabled by the call to
>>>>> disable_redirects from the interface init function in src/unix/ifnet.c
>>>>> I will investigate and fix this when I get back home (I only have
>>>>> access to an old win98 box where I am now ;) )
>>>>>
>>>>> - Andreas
>>>>>
>>>>>
>>>>>> I just observed the same issue under Linux. A quick review of the
>>>>>> code indicates that the redirects are not being disabled under
>>>>>> Linux, even though the code to do so exists... it just isn't ever
>>>>>> called (unless I missed something!) Under Win32, there is a call
>>>>>> made to disable redirects. Apparently, linux will issue a redirect
>>>>>> if it forwards a packet out the same interface on which it was
>>>>>> received (which is always the case with a transit node in a MANET.)
>>>>>>
>>>>>> I turn off the redirects manually under Linux; they add a lot of
>>>>>> extra traffic that otherwise hurts the network. In a MANET, you
>>>>>> usually can't make any assumptions about the reachability of a node
>>>>>> from another node's perspective, and so the redirect is hardly ever
>>>>>> (never?) a good idea. I have a simple script that kills the
>>>>>> redirects and starts olsrd in one shot.
>>>>>>
>>>>>> echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
>>>>>>
>>>>>> Best,
>>>>>> Mike
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: (spam-protected)
>>>>>>> [mailto:(spam-protected)] On Behalf Of Holger Mauermann
>>>>>>> Sent: Sunday, July 03, 2005 9:37 AM
>>>>>>> To: (spam-protected)
>>>>>>> Subject: [OLSR-users] ICMP Redirects
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I just noticed that my nodes still send out ICMP redirects,
>>>>>>> even if it is disabled by olsrd on startup.
>>>>>>>
>>>>>>> cat /proc/sys/net/ipv4/conf/eth1/send_redirects shows 0 on
>>>>>>> all nodes, but tcpdump captures lots of redirects:
>>>>>>>
>>>>>>> 15:15:00.068250 IP ...6 > ...1: icmp 177: redirect ...4 to host ...4
>>>>>>> 15:15:00.107527 IP ...6 > ...4: icmp 129: redirect ...1 to host ...1
>>>>>>> 15:15:00.934280 IP ...2 > ...7: icmp 89: redirect ...1 to host ...1
>>>>>>> 15:15:04.742682 IP ...2 > ...4: icmp 113: redirect ...1 to host ...1
>>>>>>>
>>>>>>> 4 can't see 1, so 4 has a route to 1 via 6 and 1 has a route
>>>>>>> to 4 via 6. However, 6 sends back to 1 that it should try 4
>>>>>>> directly and to 4 that it should try 1 directly... Can this
>>>>>>> lead to problems? Should I ignore this or is it better to
>>>>>>> block this ICMP type with the firewall?
>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> \-- Holger Mauermann
>>>>>>> \-- (spam-protected)
>>>>>>>  \-- PGP Key Id: 0x8EA8C301
>>>>>>> _______________________________________________
>>>>>>> olsr-users mailing list
>>>>>>> (spam-protected) https://www.olsr.org/mailman/listinfo/olsr-users
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ---------
>>>>> Andreas Tønnesen
>>>>> http://www.olsr.org
>>>>
>>>>
>>>> -- 
>>>> Andreas Tønnesen
>>>> http://www.olsr.org
>>>
>>>
>>>
>>
>>
>> ---------
>> Andreas Tønnesen
>> http://www.olsr.org
> 
> 

-- 
Andreas Tønnesen
http://www.olsr.org
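
Added example, not part of the original message and not olsrd code: a check for the situation this thread describes, where a per-interface send_redirects of 0 is still overridden by a 1 in conf/all. The function names are hypothetical; the conf directory is a parameter so the check can be pointed at a test tree instead of /proc.

```shell
#!/bin/sh
# Added example, not olsrd code. Function names are hypothetical.
# Linux ORs conf/all/send_redirects with conf/<iface>/send_redirects, so an
# interface stops sending ICMP redirects only when BOTH files contain 0.

# effective_send_redirects CONF_ROOT IFACE -> prints 1 (sending) or 0 (off)
effective_send_redirects() {
    all=$(cat "$1/all/send_redirects")
    own=$(cat "$1/$2/send_redirects")
    if [ "$all" = "1" ] || [ "$own" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# audit_send_redirects [CONF_ROOT] -> one line per interface;
# returns 1 if any interface can still send redirects, 0 otherwise.
audit_send_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    any_on=0
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        case $iface in all|default) continue ;; esac
        [ -r "$root/$iface/send_redirects" ] || continue
        own=$(cat "$root/$iface/send_redirects")
        if [ "$(effective_send_redirects "$root" "$iface")" = "0" ]; then
            echo "$iface: off"
        elif [ "$own" = "0" ]; then
            echo "$iface: ON (own=0, overridden by all=1)"
            any_on=1
        else
            echo "$iface: ON (own=1)"
            any_on=1
        fi
    done
    return "$any_on"
}

# Audit the live system only when asked to: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_send_redirects || echo "redirects still enabled on some interface"
fi
```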


