Hello,
To all amprd users (this does not affect setups using the kernel tunnel driver and ampr-ripd).
Due to changes in the 4.x kernels, there's a problem with the system replying with "ICMP unreachable" to incoming IPIP traffic. This will possibly drop incoming traffic, including the RIP broadcasts (resulting in incomplete route tables). Please switch to an ampr-ripd setup or filter outgoing ICMP messages on your WAN interface, using a rule like the one below:
iptables -A OUTPUT -o ethX -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP
I hope I can find a workaround for this issue.
Marius, YO2LOJ
I would replace DROP by REJECT. DROP means the system will wait till the packet times out. For outgoing connections this may cause issues, as the daemon that sends the unreachable will also wait till the packet times out before continuing.
Ruben - ON3RVH
On 16 Apr 2019, at 17:17, Marius Petrescu marius@yo2loj.ro wrote:
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
Reject is exactly what we try to do. To PREVENT the system from sending out those ICMP packets.
If you put reject there, you are at square 1.
On 16.04.2019 19:12, Ruben ON3RVH wrote:
Correction, let me rephrase: Reject is what we don't want. It is about preventing outgoing ICMP as a response to incoming IPIP packets. That's why that drop is on the output chain and is "related" to the IPIP.
It is not for outgoing connects, but for responses to incoming ones.
FYI: I managed to solve the issue by writing a loadable netfilter kernel module that transforms the IPIP protocol to protocol 94 and back. This allows ripd to run as expected, without "unreachable" messages. I am testing now...
Marius, YO2LOJ
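Added example, not code from this thread or from amprd/ampr-ripd, illustrating both the filter rule in Marius's first message and the protocol-94 rewrite he describes in his last one. It builds an IPIP (IP protocol 4) packet and the ICMP destination-unreachable a host emits in reply to it, then shows a packet-level check that recognises that reply as related to inbound IPIP (conntrack marks an ICMP error RELATED to the flow whose header it quotes, which is what the posted OUTPUT rule matches), and finally the 4 to 94 rewrite of the outer header with the IPv4 checksum fixed up. The addresses, the placeholder inner payload, the ICMP code 2 and the hook points named in the comments are assumptions; the thread only says "icmp unreachable" and does not show the module's code.

```python
"""Added example (not code from the 44Net thread, amprd or ampr-ripd).

1. ICMP "destination unreachable" generated in reply to an IPIP packet, and
   a check that identifies such a reply as RELATED to inbound IPIP, which is
   what the posted iptables OUTPUT rule drops.
2. Rewriting the outer protocol number 4 <-> 94 with the header checksum
   recomputed, the idea behind the netfilter module described in the thread.
Sample addresses, the inner payload and ICMP code are constructed for the example.
"""
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4          # IP-in-IP encapsulation (RFC 2003), what 44Net gateways send
IPPROTO_IPIP_LEGACY = 94  # the number the thread's module swaps the outer header to
ICMP_DEST_UNREACH = 3


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    ip2b = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def ipip_packet(outer_src, outer_dst, inner_src, inner_dst, inner_payload=b"RIPdata!"):
    """IPIP packet: outer header (proto 4) carrying an inner IPv4 packet.
    The inner payload is a constructed placeholder, not a real RIP datagram."""
    inner = ipv4_header(inner_src, inner_dst, 17, len(inner_payload)) + inner_payload
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def icmp_unreachable_for(offending: bytes, code: int, our_addr: str) -> bytes:
    """ICMP type 3 reply to a packet the host rejects: quotes the offending
    IP header plus the first 8 payload bytes (RFC 792)."""
    src = ".".join(str(b) for b in offending[12:16])
    ihl = (offending[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + offending[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(our_addr, src, IPPROTO_ICMP, len(icmp)) + icmp


def related_to_ipip(packet: bytes) -> bool:
    """True for an outbound ICMP destination-unreachable whose quoted original
    packet was IPIP: the packets the OUTPUT rule with --state RELATED drops.
    Conntrack decides RELATED from the same quoted header."""
    if packet[9] != IPPROTO_ICMP:
        return False
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return False
    quoted = icmp[8:]
    return len(quoted) >= 20 and quoted[9] == IPPROTO_IPIP


def rewrite_protocol(packet: bytes, new_proto: int) -> bytes:
    """Change the outer protocol field and recompute the IPv4 header checksum.
    A netfilter hook would do 4->94 on ingress and 94->4 on egress (assumed hook placement)."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[9] = new_proto
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def header_checksum_ok(packet: bytes) -> bool:
    """Verifying a one's-complement checksum over the full header yields 0."""
    ihl = (packet[0] & 0x0F) * 4
    return checksum(packet[:ihl]) == 0


if __name__ == "__main__":
    # Constructed sample: a remote gateway's IPIP packet arriving on our WAN side
    ipip = ipip_packet("198.51.100.7", "203.0.113.9", "44.0.0.1", "44.0.0.2")
    reply = icmp_unreachable_for(ipip, 2, "203.0.113.9")  # code 2 (protocol unreachable) assumed
    print("ICMP reply is RELATED to inbound IPIP, rule would DROP it:", related_to_ipip(reply))
    swapped = rewrite_protocol(ipip, IPPROTO_IPIP_LEGACY)
    print("outer proto after rewrite:", swapped[9], "checksum ok:", header_checksum_ok(swapped))
    print("rewrite back restores the original packet:", rewrite_protocol(swapped, IPPROTO_IPIP) == ipip)
```

Run it as a script to see the three checks; the point of `related_to_ipip` is that the filter keys on the quoted inner header, not on the ICMP packet's own addresses, which is why the rule sits on OUTPUT with `--state RELATED` rather than matching a destination.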
On 16.04.2019 23:33, Marius Petrescu wrote: