Reject is exactly what we try to do. To PREVENT the system from sending out those ICMP packets.
If you put reject there, you are at square 1.
On 16.04.2019 19:12, Ruben ON3RVH wrote:
I would replace DROP by REJECT. DROP means the system will wait till the packet times out. For outgoing connections this may cause issues as the daemon that sends the unreachable will also wait till the packet times out before continuing.
Ruben - ON3RVH
On 16 Apr 2019, at 17:17, Marius Petrescu marius@yo2loj.ro wrote:
Hello,
To all amprd users (this does not affect setups using the kernel tunnel driver and ampr-ripd).
Due to changes in the 4.x kernels, there's a problem with the system replying with "icmp unreachable" to incoming IPIP traffic. This will possibly drop incoming traffic, including the RIP broadcasts (resulting in incomplete route tables). Please switch to an ampr-ripd setup or filter outgoing icmp messages on your WAN interface, using a rule like the one below:
iptables -A OUTPUT -o ethX -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP
I hope I can find a workaround on this issue.
Marius, YO2LOJ
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net