Correction, let me rephrase:
Reject is what we don't want. It is about preventing outgoing ICMP as a
response to incoming IPIP packets.
That's why that drop is on the output chain and is "related" to the IPIP.
It is not for outgoing connects, but for responses to incoming ones.
FYI: I managed to solve the issue by writing a loadable netfilter kernel
module that transforms the IPIP protocol to protocol 94 and back. This
allows ripd to run as expected, without "unreachable" messages.
I am testing now...
Marius, YO2LOJ
On 16.04.2019 23:33, Marius Petrescu wrote:
Reject is exactly what we try to do. To PREVENT the system from
sending out those ICMP packets.
If you put reject there, you are at square 1.
On 16.04.2019 19:12, Ruben ON3RVH wrote:
I would replace DROP by REJECT. DROP means the system will wait till
the packet times out.
For outgoing connections this may cause issues as the daemon that
sends the unreachable will also wait till the packet times out before
continuing
Ruben - ON3RVH
On 16 Apr 2019, at 17:17, Marius Petrescu
<marius(a)yo2loj.ro> wrote:
Hello,
To all amprd users (this does not affect setups using the kernel
tunnel driver and ampr-ripd).
Due to changes in the 4.x kernels, there's a problem with the system
replying with "icmp unreachable" to incoming IPIP traffic.
This will possibly drop incoming traffic, including the RIP
broadcasts (resulting in incomplete route tables).
Please switch to an ampr-ripd setup or filter outgoing icmp messages
on your WAN interface, using a rule like the one below:
    iptables -A OUTPUT -o ethX -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP
I hope I can find a workaround on this issue.
Marius, YO2LOJ
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
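
Added example, not part of the original thread or of amprd/ampr-ripd: a small Python check that can be run over captured outgoing packets to confirm that an ICMP destination-unreachable really quotes an incoming IPIP (IP protocol 4) datagram, which is the traffic the OUTPUT rule above is meant to suppress. The function names, the documentation-range addresses and the ICMP code used in the sample packets are assumptions constructed for the example.

```python
import struct

IPPROTO_ICMP, IPPROTO_IPIP, ICMP_DEST_UNREACH = 1, 4, 3
GW, PEER = (192, 0, 2, 1), (198, 51, 100, 7)  # constructed documentation addresses


def parse_ipv4(buf):
    """Return (protocol, payload) of a raw IPv4 packet, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(buf) < ihl:
        return None
    return buf[9], buf[ihl:]


def unreachable_for_ipip(packet):
    """True if packet is an ICMP destination-unreachable quoting an IPIP datagram."""
    outer = parse_ipv4(packet)
    if outer is None or outer[0] != IPPROTO_ICMP:
        return False
    icmp = outer[1]
    # ICMP error layout: type, code, checksum, 4 unused bytes, then the quoted datagram
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH:
        return False
    quoted = parse_ipv4(icmp[8:])
    return quoted is not None and quoted[0] == IPPROTO_IPIP


def ipv4_header(proto, src, dst, payload_len):
    """Constructed 20-byte header; checksum left at 0 because the parser ignores it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst))


def icmp_unreachable(quoted_proto, code=2):
    """Constructed sample: the gateway answers PEER's datagram with an ICMP error.
    The code value is arbitrary here; the classifier does not depend on it."""
    quoted = ipv4_header(quoted_proto, PEER, GW, 8) + bytes(8)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return ipv4_header(IPPROTO_ICMP, GW, PEER, len(icmp)) + icmp


if __name__ == "__main__":
    for name, proto in (("IPIP", IPPROTO_IPIP), ("UDP", 17)):
        print(name, unreachable_for_ipip(icmp_unreachable(proto)))
```

The iptables rule itself matches any RELATED destination-unreachable leaving the WAN interface; this check is narrower and only helps verify that the dropped replies are the IPIP-related ones.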