Correction, let me rephrase:
Reject is what we don't want. It is about preventing outgoing ICMP as a
response to incoming IPIP packets.
That's why that drop is on the output chain and is "related" to the IPIP.
It is not for outgoing connects, but for responses to incoming ones.
FYI: I managed to solve the issue by writing a loadable netfilter kernel
module that transforms the IPIP protocol to protocol 94 and back. This
allows ripd to run as expected, without "unreachable" messages.
I am testing now...
Marius, YO2LOJ
On 16.04.2019 23:33, Marius Petrescu wrote:
 Reject is exactly what we try to do. To PREVENT the system from
 sending out those ICMP packets.
 If you put reject there, you are at square 1.
 On 16.04.2019 19:12, Ruben ON3RVH wrote:
 I would replace DROP by REJECT. DROP means the system will wait till
 the packet times out.
 For outgoing connections this may cause issues as the daemon that
 sends the unreachable will also wait till the packet times out before
 continuing.
 Ruben - ON3RVH
 On 16 Apr 2019, at 17:17, Marius Petrescu <marius(a)yo2loj.ro> wrote:
 Hello,
 To all amprd users (this does not affect setups using the kernel
 tunnel driver and ampr-ripd).
 Due to changes in the 4.x kernels, there's a problem with the system
 replying with "icmp unreachable" to incoming IPIP traffic.
 This will possibly drop incoming traffic, including the RIP
 broadcasts (resulting in incomplete route tables).
 Please switch to an ampr-ripd setup or filter outgoing icmp messages
 on your WAN interface, using a rule like the one below:
 iptables -A OUTPUT -o ethX -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP
 I hope I can find a workaround for this issue.
 Marius, YO2LOJ
 _________________________________________
 44Net mailing list
 44Net(a)mailman.ampr.org
 
https://mailman.ampr.org/mailman/listinfo/44net 