ICMP redirect packets: not accepted (RedHat 4.0)


Post by Andrei Maslenniko » Sat, 01 Mar 1997 04:00:00



We have a guest Linux box running RedHat 4.0 on a busy network of a large
organization. It works perfectly, but their netadmin complains that our
machine is not reacting correctly to ICMP redirect packets, thus
overloading their default gateway. His message follows:

------
..From this system you are accessing some other systems which are not on
the same IP network as you are. You do this by sending the initial
packets via our default gateway (CGATE1, IP address xxx.yyy.iii.jjj).

What then happens is that CGATE1 sends you an information packet, which
is known as an ICMP redirect, and which tells you how to get to the
particular end system to which you want to communicate.

It seems that for some reason your system is not accepting this redirect
information, but is instead continuing to talk via CGATE1. This not only
slows down your communication data rate but also puts a heavy load on
our gateway system.

We would be grateful if you would check out your system configuration.
-------

At first glance, the "netstat -r" command does not display any learned
routes, only the default one (so every network activity outside that
machine's network indeed goes through the main gateway). On the same cable
we have an RS6000 machine, where "netstat -r" shows a lot of entries
in the routing table with the flags UGHD (there is not a single entry of this
type in the routing table of the Linux box in question). We first thought that
the problem was due to the fact that the machine had IP forwarding built into
the kernel (default RedHat 4.0), but disabling it with
"ipfwadm -F -p deny" did not help.

We would greatly appreciate it if somebody on this group could comment on
this particular situation.

Andrei.

____________________________________________________________________________
Andrei Maslennikov                                  phone : +39   6 4463354
CASPUR Inter-Univ. Computing Consortium and INFN    GSM   : +39 335 6214776
c/o Universita' "La Sapienza", 00185 Rome, Italy    fax   : +39   6 4957083

 
 
 


Post by Dave Pla » Tue, 04 Mar 1997 04:00:00


Quote:
>We have a guest Linux box running RedHat 4.0 on a busy network of a large
>organization. It perfectly works, but their netadmin complains that our
>machine is not reacting correctly to ICMP redirect packets, thus
>overloading their default gateway, his message follows:

>------
>..From this system you are accessing some other systems which are not on
>the same IP network as you are. You do this by sending the initial
>packets via our default gateway (CGATE1, IP address xxx.yyy.iii.jjj).

>What then happens is that CGATE1 sends you an information packet, which
>is known as an ICMP redirect, and which tells you how to get to the
>particular end system to which you want to communicate.

>It seems that for some reason your system is not accepting this redirect
>information, but is instead continuing to talk via CGATE1. This not only
>slows down your communication data rate but also puts a heavy load on
>our gateway system.

>We would be grateful if you would check out your system configuration.

I've seen this sort of situation under the following conditions:

[1] You're hooked to a physical network which has two or more
    different IP-networks associated with it.  For example, you might
    have an Ethernet which has 204.82.38.xx and 206.86.145.xx running
    on the same wire.

[2] Your system is assigned an address on one of these networks (e.g.
    204.182.38.200), and knows of the default gateway (e.g.
    204.182.38.254).

[3] Your system does NOT have a secondary address (e.g. on
    206.86.145), and isn't "aware" that there's a second network
    number running on the wire it's connected to.

[4] You try to send a packet to some network which isn't on the same
    Ethernet (e.g. 206.99.88.32).

[5] Your packet is sent by Linux to the default gateway.

[6] The default gateway "knows" that the packet should be forwarded to
    a gateway which is on the second IP network on your Ethernet
    (e.g. to a gateway at 206.86.145.15).

[7] The default gateway forwards the packet.  It also sends an ICMP
    Redirect to your system, saying "Hey, to reach network
    206.99.88.32, send the packet to the gateway at 206.86.145.15".

[8] Your Linux system receives the ICMP Redirect packet.  It tries to
    add a route to its routing tables to honor the ICMP redirect.
    However, it can't find a route to the specified gateway, other
    than the route to the default gateway, because it doesn't "know"
    that it can transmit a packet directly to 206.86.145.15 by
    transmitting on its Ethernet interface.

The net result is that your Linux machine ends up logging a lot of
ICMP redirect messages, can't act on them, and both network and system
performance suffer.

What I'd suggest, as a fix for this, is a relatively simple thing.  At
boot time, use the "route" command to install static routes to ALL of
the IP networks on your Ethernet, specifying "eth0" as the device.  In
Slackware, you'd edit your /etc/rc.d/rc.inet1 file - look for the
section which configures your eth0 interface and installs the primary
and default routes, and add the following sorts of lines after that
point:

  /sbin/route add -net 206.86.145.0 netmask 255.255.255.0 dev eth0

Add one such line for each IP network number which runs on your
Ethernet (your site admin can give you the list).

Doing this will inform your Linux kernel that it can "reach" any
machine on any of those directly-connected IP networks by simply
transmitting on eth0... that it doesn't have to go through a gateway.

Once you've done this, I believe that your system will be able to
respond to ICMP Redirect messages which specify gateways that are
connected to your Ethernet but are on different IP network numbers.

--
Dave Platt                                        Speaker-to-kernels

Visit the Jade Warrior home page:  http://iq.navio.com/jade-warrior/
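
The acceptance check described in steps [1] to [8] of the post above, as an added example that is not part of the original thread and is not kernel code. It is a simplified Python model: the `Host` class and its method names are hypothetical, the addresses are the ones used in the post, and the extra rule that a redirect must come from the current first hop follows RFC 1122 and is not discussed in the thread.

```python
import ipaddress as ipa

class Host:
    """Toy routing model (constructed for illustration, single interface eth0)."""
    def __init__(self, addr_with_prefix, default_gw):
        iface = ipa.ip_interface(addr_with_prefix)
        self.onlink = [iface.network]       # networks reachable directly on eth0
        self.default_gw = ipa.ip_address(default_gw)
        self.host_routes = {}               # dest -> gateway, the "UGHD" entries

    def add_onlink_net(self, cidr):
        """Models: /sbin/route add -net <net> netmask <mask> dev eth0"""
        self.onlink.append(ipa.ip_network(cidr))

    def is_onlink(self, addr):
        return any(addr in net for net in self.onlink)

    def next_hop(self, dest):
        dest = ipa.ip_address(dest)
        if dest in self.host_routes:        # a learned host route wins
            return self.host_routes[dest]
        return dest if self.is_onlink(dest) else self.default_gw

    def handle_redirect(self, src, dest, new_gw):
        """Return (accepted, reason) for an ICMP redirect received from src."""
        src, dest, new_gw = map(ipa.ip_address, (src, dest, new_gw))
        if src != self.next_hop(dest):
            return False, "sender is not the current first hop"
        if not self.is_onlink(new_gw):
            # Step [8]: no route to the new gateway except via the default one
            return False, "new gateway is not on a directly connected network"
        self.host_routes[dest] = new_gw
        return True, "host route installed"

def demo():
    h = Host("204.182.38.200/24", "204.182.38.254")
    redirect = ("204.182.38.254", "206.99.88.32", "206.86.145.15")
    before = h.handle_redirect(*redirect)   # second network unknown to the host
    h.add_onlink_net("206.86.145.0/24")     # the static route from the post
    after = h.handle_redirect(*redirect)
    return before, after, str(h.next_hop("206.99.88.32"))

if __name__ == "__main__":
    for item in demo():
        print(item)
```
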

 
 
 

1. ICMP redirect packets, how to stop Linux from issuing

Hi everybody,

I run a DEC Alpha (kindly donated by Digital btw, possible because no
licenses were required when running Linux!!) and would like to use it to
account for our internet usage on my subnet.

I have a subnet with on it several computers which I wish to route via the
server so I can account for their usage. What I'm trying is this:

kronig, a Win95 computer has vvtp (the server) as default router.
vvtp has a single Ethernet card and serves as a firewall, installed as
follows:

        ipfwadm -Ip deny, ipfwadm -Op deny, ipfwadm -Fp deny
        ipfwadm -{I,O,P}i accept -ob

This (in theory) allows me to monitor all packets sent by kronig, which my
computer then forwards to the subnet's default gateway.

However, this is where Linux 2.1.43 pulls a fast one on me. It (correctly)
notes that kronig and the default gateway are on the same wire, and sends an
ICMP/5 redirect packet. While I admire this, it's not what I want right now
:-) This redirect causes kronig to send all its packets directly to the
gateway, thereby bypassing my accounting.

I've tried to disable RFC1620 redirects (echo 0 >
/proc/sys/net/ipv4/ip_rfc1620_redirects, and echo 2 as well), but this
doesn't help, Linux still sends its redirect packets.

Is there a way to circumvent this, besides adding a second Ethernet card? I
know I double the network load this way, but when I take into account the
amount of surfing done by the computers I wish to administer, this is
negligible compared to other traffic on the subnet.

I'd like to avoid solutions involving tcpdump as I'm not sure I'd catch all
packets sent.

Thanks for your time, and a great big thanks to everybody contributing to
the further development of Linux.

--
            Delft University of Technology, department of Physics
    Phone: +31-15-2786122 / Lorentzweg 1, 2628 CJ, Delft, The Netherlands

                      Inspice et cautus eris - D11T'95
