Re: [PATCH] 2.6.22.6 NETWORKING [IPV4]: Always use source addr in skb to reply packet

2007-09-18 Thread Bill Davidsen

David Miller wrote:
> From: lepton <[EMAIL PROTECTED]>
> Date: Tue, 18 Sep 2007 10:16:17 +0800
>
> > Hi,
> >   In some situation, icmp_reply and ip_send_reply will send
> >   out packet with the wrong source addr, the following patch
> >   will fix this.
> >
> >   I don't understand why we must use rt->rt_src in the current
> >   code, if this is a wrong fix, please correct me.
> >
> > Signed-off-by: Lepton Wu <[EMAIL PROTECTED]>
>
> That the address is wrong is your opinion only :-)

Mine too, since an ICMP reply from an unexpected source IP is likely to
be logged as a probe and dropped.

> Source address selection is a rather complex topic, and
> here we are definitely purposefully using the source
> address selected by the routing lookup for the reply.


--
Bill Davidsen <[EMAIL PROTECTED]>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: [PATCH] 2.6.22.6 NETWORKING [IPV4]: Always use source addr in skb to reply packet

2007-09-17 Thread lepton
Hi,
  Sorry for my error.
  The problem is the current icmp_reply and ip_send_reply will
send out packets with wrong destination address. Not wrong source
address.
  My point is that we should always use the source address of packets we
received as the destination address of our reply packets.

On Mon, Sep 17, 2007 at 08:14:56PM -0700, [EMAIL PROTECTED] wrote:
> On Tue, 18 Sep 2007, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> 
> >In article <[EMAIL PROTECTED]> (at Mon, 17 Sep 
> >2007 19:20:44 -0700 (PDT)), David Miller <[EMAIL PROTECTED]> says:
> >
> >>From: lepton <[EMAIL PROTECTED]>
> >>Date: Tue, 18 Sep 2007 10:16:17 +0800
> >>
> >>>Hi,
> >>>  In some situation, icmp_reply and ip_send_reply will send
> >>>  out packet with the wrong source addr, the following patch
> >>>  will fix this.
> >>>
> >>>  I don't understand why we must use rt->rt_src in the current
> >>>  code, if this is a wrong fix, please correct me.
> >>>
> >>>Signed-off-by: Lepton Wu <[EMAIL PROTECTED]>
> >>
> >>That the address is wrong is your opinion only :-)
> >>
> >>Source address selection is a rather complex topic, and
> >>here we are definitely purposefully using the source
> >>address selected by the routing lookup for the reply.
> >
> >And, if you do think something is "wrong", you need to describe it
> >in detail, at least.
> 
> I missed the beginning of the discussion, so apologies if I'm way off 
> base.
> 
> it sounds like the question is, when a packet hits the box that causes a 
> icmp_reply (or other packet) to be generated, which IP address should be 
> used as the source
> 
> 1. the destination address of the packet that generated the message
> 
> or.
> 
> 2. the IP address that the machine would use by default if the machine 
> were to generate a new connection to the destination.
> 
> I understand that in many cases the historical approach has been #2, but 
> as more machines get multiple IP addresses on each interface, I believe 
> that it's less of a surprise to other systems if the default is #1. most 
> of the time the other systems don't care (and usually don't want to 
> know) if the service they are contacting is on a dedicated machine or is 
> just one IP among many sharing a box.
> 
> it gets especially bad when you have load balancing going on and the 
> results could come from multiple boxes.
> 
> yes, sysadmins deal with this today, but it's a pain to do so and is a 
> continuing dribble of surprises when things don't quite work the way you 
> expect them to as you consolidate things onto more powerful systems (or 
> distribute them among multiple systems).
> 
> if the packet got to the machine and the machine is accepting it, replying 
> back from the destination IP of that packet should be legitimate (it's 
> what you would do if there was a full connection after all) and greatly 
> reduces the cases where things change.
> 
> David Lang


Re: [PATCH] 2.6.22.6 NETWORKING [IPV4]: Always use source addr in skb to reply packet

2007-09-17 Thread david

On Tue, 18 Sep 2007, YOSHIFUJI Hideaki / 吉藤英明 wrote:

> In article <[EMAIL PROTECTED]> (at Mon, 17 Sep 2007 19:20:44 -0700 (PDT)), David
> Miller <[EMAIL PROTECTED]> says:
>
> > From: lepton <[EMAIL PROTECTED]>
> > Date: Tue, 18 Sep 2007 10:16:17 +0800
> >
> > > Hi,
> > >   In some situation, icmp_reply and ip_send_reply will send
> > >   out packet with the wrong source addr, the following patch
> > >   will fix this.
> > >
> > >   I don't understand why we must use rt->rt_src in the current
> > >   code, if this is a wrong fix, please correct me.
> > >
> > > Signed-off-by: Lepton Wu <[EMAIL PROTECTED]>
> >
> > That the address is wrong is your opinion only :-)
> >
> > Source address selection is a rather complex topic, and
> > here we are definitely purposefully using the source
> > address selected by the routing lookup for the reply.
>
> And, if you do think something is "wrong", you need to describe it
> in detail, at least.

I missed the beginning of the discussion, so apologies if I'm way off
base.

it sounds like the question is, when a packet hits the box that causes a
icmp_reply (or other packet) to be generated, which IP address should be
used as the source

1. the destination address of the packet that generated the message

or.

2. the IP address that the machine would use by default if the machine
were to generate a new connection to the destination.

I understand that in many cases the historical approach has been #2, but
as more machines get multiple IP addresses on each interface, I believe
that it's less of a surprise to other systems if the default is #1. most
of the time the other systems don't care (and usually don't want to
know) if the service they are contacting is on a dedicated machine or is
just one IP among many sharing a box.

it gets especially bad when you have load balancing going on and the
results could come from multiple boxes.

yes, sysadmins deal with this today, but it's a pain to do so and is a
continuing dribble of surprises when things don't quite work the way you
expect them to as you consolidate things onto more powerful systems (or
distribute them among multiple systems).

if the packet got to the machine and the machine is accepting it, replying
back from the destination IP of that packet should be legitimate (it's
what you would do if there was a full connection after all) and greatly
reduces the cases where things change.


David Lang


Re: [PATCH] 2.6.22.6 NETWORKING [IPV4]: Always use source addr in skb to reply packet

2007-09-17 Thread lepton
Hi,
  sorry for my previous email.
  What I mean is icmp_reply and ip_send_reply
in some situation will send out packets with wrong 
DESTINATION address.  the source address is always
correct.


Re: [PATCH] 2.6.22.6 NETWORKING [IPV4]: Always use source addr in skb to reply packet

2007-09-17 Thread lepton
Hi,
  sorry for lack of details.
  let's think about ip_send_reply. it is only called
by tcp_v4_send_ack and tcp_v4_reset. I don't know why
we need a source address different from ip_hdr(skb)->s_addr
  icmp_reply is only called by icmp_echo and icmp_timestamp.
Is there a situation to need we use a source address different
from ip_hdr(skb)->s_addr?

  My situation is:
  I DNAT some tcp packet to my box. some times the box will
reply reset or ack packet with tcp_v4_send_ack and tcp_v4_reset, 
when this happens, it will use the rt->s_addr instead of
ip_hdr(skb)->s_addr, then the packet will send out without change
the source addr. Because netfilter don't know these packets belongs
to the DNATed connection.

  Another people's situation is (quoted from email to me):
 
 While conducting a research about networking, I discovered
 improper handling of ICMP echo reply messages in Linux 2.4.26.  I
 looked into the code and noticed that the icmp_reply function sets the
 destination address in the reply packet to rt->rt_src.  This produces
 strange results in some cases as can be easily shown with hping and
 tcpdump.  Here is an example (NOTE: eth0 address is set to
 10.10.10.1/24):

  # tcpdump -n -i any icmp &

  [1] 16842
  tcpdump: WARNING: Promiscuous mode not supported on the "any" device
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

  # hping2 --icmp --spoof 10.10.10.3 10.10.10.1

  HPING 10.10.10.1 (eth0 10.10.10.1): icmp mode set, 28 headers + 0 data bytes
  02:16:53.206016 IP 10.10.10.3 > 10.10.10.1: icmp 8: echo request seq 0
  02:16:53.206082 IP 10.10.10.1 > 10.10.10.1: icmp 8: echo reply seq 0
  02:16:54.202123 IP 10.10.10.3 > 10.10.10.1: icmp 8: echo request seq
 
  If ICMP echo requests with a spoofed source address are sent to the
  address of our eth0 interface (which of course happens through the
  loopback interface), the code of icmp_reply sets the destination
  address in the reply to 10.10.10.1 instead of simply reversing the
  source and destination addresses as required by the RFC.

On Tue, Sep 18, 2007 at 11:26:44AM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> In article <[EMAIL PROTECTED]> (at Mon, 17 Sep 2007 19:20:44 -0700 (PDT)), 
> David Miller <[EMAIL PROTECTED]> says:
> 
> > From: lepton <[EMAIL PROTECTED]>
> > Date: Tue, 18 Sep 2007 10:16:17 +0800
> > 
> > > Hi,
> > >   In some situation, icmp_reply and ip_send_reply will send
> > >   out packet with the wrong source addr, the following patch
> > >   will fix this.
> > > 
> > >   I don't understand why we must use rt->rt_src in the current
> > >   code, if this is a wrong fix, please correct me.
> > > 
> > > Signed-off-by: Lepton Wu <[EMAIL PROTECTED]>
> > 
> > That the address is wrong is your opinion only :-)
> > 
> > Source address selection is a rather complex topic, and
> > here we are definitely purposefully using the source
> > address selected by the routing lookup for the reply.
> 
> And, if you do think something is "wrong", you need to describe it
> in detail, at least.
> 
> --yoshfuji
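
The capture quoted in the message above shows an echo reply addressed to 10.10.10.1 when the request came from 10.10.10.3. As an added example (not part of the original thread or of the kernel code), the following Python checks `tcpdump -n` echo lines for replies whose destination is not the source of the matching request. The function name, the `Finding` tuple and the last two sample lines are constructed for illustration; requests and replies are paired by responder address and sequence number because this output format does not show the ICMP identifier.

```python
import re
from collections import namedtuple

# Format of the echo lines in the quoted `tcpdump -n` capture, e.g.
# "02:16:53.206016 IP 10.10.10.3 > 10.10.10.1: icmp 8: echo request seq 0"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"icmp \d+: echo (?P<kind>request|reply) seq (?P<seq>\d+)$"
)

Finding = namedtuple("Finding", "ts seq expected_dst actual_dst")

# The first two lines are the capture quoted in the message (wrapped lines
# rejoined). The last two are constructed here to show a well-formed exchange.
SAMPLE = """\
02:16:53.206016 IP 10.10.10.3 > 10.10.10.1: icmp 8: echo request seq 0
02:16:53.206082 IP 10.10.10.1 > 10.10.10.1: icmp 8: echo reply seq 0
02:17:10.000100 IP 192.0.2.10 > 192.0.2.1: icmp 8: echo request seq 5
02:17:10.000180 IP 192.0.2.1 > 192.0.2.10: icmp 8: echo reply seq 5
""".splitlines()


def find_misaddressed_replies(lines):
    """Return echo replies whose destination is not the requester's address."""
    pending = {}   # (responder address, seq) -> requester address
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not an echo line, or a truncated one
        src, dst, seq = m["src"], m["dst"], int(m["seq"])
        if m["kind"] == "request":
            # The responder is the request's destination.
            pending[(dst, seq)] = src
            continue
        # A reply is sent by the responder, so look it up by its source.
        requester = pending.pop((src, seq), None)
        if requester is not None and dst != requester:
            findings.append(Finding(m["ts"], seq, requester, dst))
    return findings


if __name__ == "__main__":
    for f in find_misaddressed_replies(SAMPLE):
        print(f"{f.ts} seq {f.seq}: reply sent to {f.actual_dst}, "
              f"request came from {f.expected_dst}")
```

Replies with no recorded request are ignored, so a capture that starts mid-exchange does not produce findings.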


Re: [PATCH] 2.6.22.6 NETWORKING [IPV4]: Always use source addr in skb to reply packet

2007-09-17 Thread YOSHIFUJI Hideaki / 吉藤英明
In article <[EMAIL PROTECTED]> (at Mon, 17 Sep 2007 19:20:44 -0700 (PDT)), 
David Miller <[EMAIL PROTECTED]> says:

> From: lepton <[EMAIL PROTECTED]>
> Date: Tue, 18 Sep 2007 10:16:17 +0800
> 
> > Hi,
> >   In some situation, icmp_reply and ip_send_reply will send
> >   out packet with the wrong source addr, the following patch
> >   will fix this.
> > 
> >   I don't understand why we must use rt->rt_src in the current
> >   code, if this is a wrong fix, please correct me.
> > 
> > Signed-off-by: Lepton Wu <[EMAIL PROTECTED]>
> 
> That the address is wrong is your opinion only :-)
> 
> Source address selection is a rather complex topic, and
> here we are definitely purposefully using the source
> address selected by the routing lookup for the reply.

And, if you do think something is "wrong", you need to describe it
in detail, at least.

--yoshfuji


Re: [PATCH] 2.6.22.6 NETWORKING [IPV4]: Always use source addr in skb to reply packet

2007-09-17 Thread David Miller
From: lepton <[EMAIL PROTECTED]>
Date: Tue, 18 Sep 2007 10:16:17 +0800

> Hi,
>   In some situation, icmp_reply and ip_send_reply will send
>   out packet with the wrong source addr, the following patch
>   will fix this.
> 
>   I don't understand why we must use rt->rt_src in the current
>   code, if this is a wrong fix, please correct me.
> 
> Signed-off-by: Lepton Wu <[EMAIL PROTECTED]>

That the address is wrong is your opinion only :-)

Source address selection is a rather complex topic, and
here we are definitely purposefully using the source
address selected by the routing lookup for the reply.


[PATCH] 2.6.22.6 NETWORKING [IPV4]: Always use source addr in skb to reply packet

2007-09-17 Thread lepton
Hi,
  In some situation, icmp_reply and ip_send_reply will send
  out packet with the wrong source addr, the following patch
  will fix this.

  I don't understand why we must use rt->rt_src in the current
  code, if this is a wrong fix, please correct me.

Signed-off-by: Lepton Wu <[EMAIL PROTECTED]>

diff -X linux-2.6.22.6/Documentation/dontdiff -pru 
linux-2.6.22.6/net/ipv4/icmp.c linux-2.6.22.6-lepton/net/ipv4/icmp.c
--- linux-2.6.22.6/net/ipv4/icmp.c  2007-09-14 17:41:18.0 +0800
+++ linux-2.6.22.6-lepton/net/ipv4/icmp.c   2007-09-18 09:57:30.0 
+0800
@@ -382,6 +382,7 @@ static void icmp_reply(struct icmp_bxm *
struct ipcm_cookie ipc;
struct rtable *rt = (struct rtable *)skb->dst;
__be32 daddr;
+   struct iphdr *ip = ip_hdr(skb);
 
if (ip_options_echo(_param->replyopts, skb))
return;
@@ -393,7 +394,7 @@ static void icmp_reply(struct icmp_bxm *
icmp_out_count(icmp_param->data.icmph.type);
 
inet->tos = ip_hdr(skb)->tos;
-   daddr = ipc.addr = rt->rt_src;
+   daddr = ipc.addr = ip->saddr;
ipc.opt = NULL;
if (icmp_param->replyopts.optlen) {
ipc.opt = _param->replyopts;
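Review bot: The changelog says the reply goes out with the wrong source address, but the line changed in this hunk, `daddr = ipc.addr = ip->saddr;`, sets the reply's destination, so the description should say destination and give a concrete case where `rt->rt_src` and `ip_hdr(skb)->saddr` differ. Without that, the patch gives no reason for dropping the value taken from the `rt` attached to the skb. With the new `ip` local in scope, the unchanged `inet->tos = ip_hdr(skb)->tos;` one line above could also read `ip->tos` for consistency.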
diff -X linux-2.6.22.6/Documentation/dontdiff -pru 
linux-2.6.22.6/net/ipv4/ip_output.c linux-2.6.22.6-lepton/net/ipv4/ip_output.c
--- linux-2.6.22.6/net/ipv4/ip_output.c 2007-09-14 17:41:18.0 +0800
+++ linux-2.6.22.6-lepton/net/ipv4/ip_output.c  2007-09-18 09:57:13.0 
+0800
@@ -1337,11 +1337,12 @@ void ip_send_reply(struct sock *sk, stru
struct ipcm_cookie ipc;
__be32 daddr;
struct rtable *rt = (struct rtable*)skb->dst;
+   struct iphdr *ip = ip_hdr(skb);
 
if (ip_options_echo(, skb))
return;
 
-   daddr = ipc.addr = rt->rt_src;
+   daddr = ipc.addr = ip->saddr;
ipc.opt = NULL;
 
if (replyopts.opt.optlen) {
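Review bot: In ip_send_reply() the added `struct iphdr *ip = ip_hdr(skb);` is used only once in this hunk, so `daddr = ipc.addr = ip_hdr(skb)->saddr;` would avoid the extra local; if the local stays, `iph` is a less ambiguous name than `ip`. A short comment above the assignment saying why the header address is preferred over `rt->rt_src` would help, since `rt` is still declared from `skb->dst` just above and a reader will expect the destination to come from it.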