[opensuse] ipv6 icmp redirect ?
For IPv4 I had to fiddle with /proc/sys/net/ipv4/route/redirect_silence, but I don't see an equivalent for IPv6. I'm having trouble getting ipv6 redirects generated, and I am wondering if there is anything special I need to do - on a typical openSUSE system?

--
Per Jessen, Zürich (4.7°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
18.04.2016 19:27, Per Jessen wrote:
> For IPv4 I had to fiddle with /proc/sys/net/ipv4/route/redirect_silence, but I don't see an equivalent for IPv6. I'm having trouble getting ipv6 redirects generated, and I am wondering if there is anything special I need to do - on a typical openSUSE system?

Not sure I fully understand - you want to ignore incoming redirects or suppress generation of redirects?
Andrei Borzenkov wrote:
> 18.04.2016 19:27, Per Jessen wrote:
>> For IPv4 I had to fiddle with /proc/sys/net/ipv4/route/redirect_silence, but I don't see an equivalent for IPv6. I'm having trouble getting ipv6 redirects generated, and I am wondering if there is anything special I need to do - on a typical openSUSE system?
> Not sure I fully understand - you want to ignore incoming redirects or suppress generation of redirects?

I am expecting my core firewall/router to _generate_ redirects, just as it does for ipv4. It doesn't look as if it generates one for ipv6.

I have a separate routing table 'trxproxy', works for both ipv4 and ipv6. I use fwmark 3 to direct traffic via it, but instead of producing an icmp redirect, the router seems to just forward.

--
Per Jessen, Zürich (4.6°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
18.04.2016 20:05, Per Jessen wrote:
> Andrei Borzenkov wrote:
>> 18.04.2016 19:27, Per Jessen wrote:
>>> For IPv4 I had to fiddle with /proc/sys/net/ipv4/route/redirect_silence, but I don't see an equivalent for IPv6. I'm having trouble getting ipv6 redirects generated, and I am wondering if there is anything special I need to do - on a typical openSUSE system?
>> Not sure I fully understand - you want to ignore incoming redirects or suppress generation of redirects?
> I am expecting my core firewall/router to _generate_ redirects, just as it does for ipv4. It doesn't look as if it generates one for ipv6.
> I have a separate routing table 'trxproxy', works for both ipv4 and ipv6. I use fwmark 3 to direct traffic via it, but instead of producing an icmp redirect, the router seems to just forward.

As far as I can tell, ICMP6 redirects are generated by kernel automatically if it would route incoming packet back over incoming interface.

Could you give more details what you are trying to do?
Andrei Borzenkov wrote:
> 18.04.2016 20:05, Per Jessen wrote:
>> Andrei Borzenkov wrote:
>>> 18.04.2016 19:27, Per Jessen wrote:
>>>> For IPv4 I had to fiddle with /proc/sys/net/ipv4/route/redirect_silence, but I don't see an equivalent for IPv6. I'm having trouble getting ipv6 redirects generated, and I am wondering if there is anything special I need to do - on a typical openSUSE system?
>>> Not sure I fully understand - you want to ignore incoming redirects or suppress generation of redirects?
>> I am expecting my core firewall/router to _generate_ redirects, just as it does for ipv4. It doesn't look as if it generates one for ipv6.
>> I have a separate routing table 'trxproxy', works for both ipv4 and ipv6. I use fwmark 3 to direct traffic via it, but instead of producing an icmp redirect, the router seems to just forward.
> As far as I can tell, ICMP6 redirects are generated by kernel automatically if it would route incoming packet back over incoming interface.

Right, that's what I expect too. I just don't see any icmp6 redirect nor do I see any cached routing entries.

> Could you give more details what you are trying to do?

In a nutshell, I'm trying to enable transparent webcache/squid for ipv6. The squid side is working. On the core firewall/router, I have a routing table 'transproxy' with two default routes to the squid server.

# ip -4 route show table transproxy
default via 192.168.2.159 dev eth0
# ip -6 route show table transproxy
default via 2001:db8:1234:1::2017 dev eth0 metric 1024

On the core router, all traffic for port 80 is directed to this routing table - using fwmark 3. I'll be happy to add more details. The router is kernel 3.16.7-24-default.

--
Per Jessen, Zürich (4.3°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
18.04.2016 21:03, Per Jessen wrote:
>> As far as I can tell, ICMP6 redirects are generated by kernel automatically if it would route incoming packet back over incoming interface.
> Right, that's what I expect too. I just don't see any icmp6 redirect nor do I see any cached routing entries.
> # ip -6 route show table transproxy
> default via 2001:db8:1234:1::2017 dev eth0 metric 1024

ICMP6 redirects are sent for link-local router addresses only. So if you expect redirect to this router, this won't work.
Andrei Borzenkov wrote:
> 18.04.2016 21:03, Per Jessen wrote:
>>> As far as I can tell, ICMP6 redirects are generated by kernel automatically if it would route incoming packet back over incoming interface.
>> Right, that's what I expect too. I just don't see any icmp6 redirect nor do I see any cached routing entries.
>> # ip -6 route show table transproxy
>> default via 2001:db8:1234:1::2017 dev eth0 metric 1024
> ICMP6 redirects are sent for link-local router addresses only. So if you expect redirect to this router, this won't work.

Interesting, thanks. Could have taken me days to spot that. Instead of using 2001:db8:1234:1::2017, I have switched to fe80::17 :

# ip -6 route show table transproxy
default via fe80::17 dev eth0 metric 1024

(fe80::17 is assigned to the squid machine). This got me the redirect I was after:

21:48:32.066868 IP6 fe80::20b:cdff:fe3f:5fd3 > 2a03:7520:4c68:1:8a25:2cff:fed4:ecf5: ICMP6, redirect, 2001:638:60f:110::1:1 to fe80::17, length 136

Cool. However, on the client I don't see a cached route entry for 2001:638:60f:110::1:1 :

# ip route get 2001:638:60f:110::1:1
2001:638:60f:110::1:1 from :: via fe80::1 dev wlan0 src 2a03:7520:4c68:1:8a25:2cff:fed4:ecf5 metric 0 cache

It's getting a bit late for this stuff, I'll pick it up again tomorrow.

--
Per Jessen, Zürich (4.2°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
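An added example, not part of the thread or of anyone's post: a Python check built on the link-local rule discussed above. It lists next hops in `ip -6 route` output that a router cannot name as the target of a redirect, and applies the address checks of RFC 4861 section 8.1 to tcpdump redirect lines; the function names and the second capture line are made up for this example.

```python
import re
from ipaddress import IPv6Address

# "ip -6 route show table ..." lines: the first is the route from the thread
# that produced no redirect, the second is the one that did.
ROUTES = """\
default via 2001:db8:1234:1::2017 dev eth0 metric 1024
default via fe80::17 dev eth0 metric 1024
"""

# tcpdump lines: the first is the capture quoted in the thread, the second is
# constructed for this example (global source, global target).
CAPTURE = """\
21:48:32.066868 IP6 fe80::20b:cdff:fe3f:5fd3 > 2a03:7520:4c68:1:8a25:2cff:fed4:ecf5: ICMP6, redirect, 2001:638:60f:110::1:1 to fe80::17, length 136
21:50:10.000000 IP6 2001:db8::66 > 2a03:7520:4c68:1:8a25:2cff:fed4:ecf5: ICMP6, redirect, 2001:638:60f:110::1:1 to 2001:db8::99, length 136
"""

REDIRECT_RE = re.compile(r"IP6 (\S+) > \S+: ICMP6, redirect, (\S+) to ([^,\s]+)")


def is_link_local(addr):
    return IPv6Address(addr).is_link_local


def non_link_local_nexthops(route_text):
    """Next hops a router cannot name as the target of a redirect."""
    hops = re.findall(r"\bvia (\S+)", route_text)
    return [hop for hop in hops if not is_link_local(hop)]


def redirect_problems(line):
    """RFC 4861 section 8.1 address checks; None if the line is no redirect."""
    match = REDIRECT_RE.search(line)
    if match is None:
        return None
    source, destination, target = match.groups()
    problems = []
    if not is_link_local(source):
        problems.append("source is not link-local")
    if not is_link_local(target) and IPv6Address(target) != IPv6Address(destination):
        problems.append("target is neither link-local nor the destination")
    return problems


if __name__ == "__main__":
    print("no redirect for next hops:", non_link_local_nexthops(ROUTES))
    for line in CAPTURE.splitlines():
        print(redirect_problems(line), "<-", line[:60])
```

A receiving host applies the same address checks before acting on a redirect, so a capture line that fails them is worth a look when monitoring a segment.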
Per Jessen wrote:
> This got me the redirect I was after:
> 21:48:32.066868 IP6 fe80::20b:cdff:fe3f:5fd3 > 2a03:7520:4c68:1:8a25:2cff:fed4:ecf5: ICMP6, redirect, 2001:638:60f:110::1:1 to fe80::17, length 136
> Cool. However, on the client I don't see a cached route entry for 2001:638:60f:110::1:1 :
> # ip route get 2001:638:60f:110::1:1
> 2001:638:60f:110::1:1 from :: via fe80::1 dev wlan0 src 2a03:7520:4c68:1:8a25:2cff:fed4:ecf5 metric 0 cache

It is likely I was simply too late - this is from a further attempt this morning:

ip -6 route get 2001:67c:6ec:221:145:220:21:40
2001:67c:6ec:221:145:220:21:40 from :: via fe80::17 dev eth0 src 2a03:7520:4c68:1:9da4:480c:277e:453c metric 0 cache hoplimit 64 pref medium

Good stuff!

--
Per Jessen, Zürich (5.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
Per Jessen wrote:
> Per Jessen wrote:
>> This got me the redirect I was after:
>> 21:48:32.066868 IP6 fe80::20b:cdff:fe3f:5fd3 > 2a03:7520:4c68:1:8a25:2cff:fed4:ecf5: ICMP6, redirect, 2001:638:60f:110::1:1 to fe80::17, length 136
>> Cool. However, on the client I don't see a cached route entry for 2001:638:60f:110::1:1 :
>> # ip route get 2001:638:60f:110::1:1
>> 2001:638:60f:110::1:1 from :: via fe80::1 dev wlan0 src 2a03:7520:4c68:1:8a25:2cff:fed4:ecf5 metric 0 cache
> It is likely I was simply too late - this is from a further attempt this morning:
> ip -6 route get 2001:67c:6ec:221:145:220:21:40
> 2001:67c:6ec:221:145:220:21:40 from :: via fe80::17 dev eth0 src 2a03:7520:4c68:1:9da4:480c:277e:453c metric 0 cache hoplimit 64 pref medium
> Good stuff!

Yep, transparent webcache/squid on ipv6 is working fine now. Just as with ipv4, there seems to be no way to tell how long a redirected entry is kept for, but it doesn't seem to be important.

--
Per Jessen, Zürich (6.6°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On Tue, Apr 19, 2016 at 11:27 AM, Per Jessen wrote:
> Yep, transparent webcache/squid on ipv6 is working fine now. Just as with ipv4, there seems to be no way to tell how long a redirected entry is kept for, but it doesn't seem to be important.

In case of IPv6 these entries follow generic neighbor detection algorithm; there is no difference between neighbors learned directly and neighbors learned by redirect. In principle, they will remain forever (subject to garbage collection tunables) unless they are detected as dead.
Andrei Borzenkov wrote:
> On Tue, Apr 19, 2016 at 11:27 AM, Per Jessen wrote:
>> Yep, transparent webcache/squid on ipv6 is working fine now. Just as with ipv4, there seems to be no way to tell how long a redirected entry is kept for, but it doesn't seem to be important.
> In case of IPv6 these entries follow generic neighbor detection algorithm; there is no difference between neighbors learned directly and neighbors learned by redirect. In principle, they will remain forever (subject to garbage collection tunables) unless they are detected as dead.

I see the cached redirects disappearing in as little as 10 seconds, or in minutes or after half an hour or longer. It's only really annoying during testing.

--
Per Jessen, Zürich (7.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.